Find notable cyber news and cases, enriched with sources, timelines, and signals.

MacSync macOS infostealer with dynamic AppleScript and in-memory execution

Malware Activity
First reported
Last updated
Happening score
H score 32
2 unique sources, 2 articles

Summary

Hide ▲

The MacSync macOS infostealer now uses dynamic AppleScript payloads and in-memory execution to reduce static detection and complicate response. It is being delivered through ClickFix lures that trick users into running terminal commands, increasing the risk of theft on macOS systems. The malware can steal credentials, files, keychain databases, and crypto-wallet seed phrases, making the latest variant especially risky for high-value users.

Related Happenings

MacOS.Gaslight AI-analysis evasion malware

Malware Activity
H score22 First: 25.06.2026 19:23 Last: 25.06.2026 19:23 Sources 1

About this happening: The **macOS.Gaslight** malware family now embeds **prompt injection strings** and fake system-failure messages to confuse **AI-assisted malware analysis** tools, risking aborted o...

MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage

Technical Analysis
H score23 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...

MacOS ClickFix Terminal-delivered DMG campaign

Campaign
H score37 First: 23.06.2026 21:30 Last: 23.06.2026 21:30 Sources 1

About this happening: A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...

Rust-based clipboard hijacker spreading via fake crypto tools

Malware Activity
H score13 First: 18.06.2026 18:00 Last: 18.06.2026 18:00 Sources 1

About this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...

Rust-based clipboard hijacker that swaps wallet addresses

Malware Activity
H score10 First: 17.06.2026 21:14 Last: 17.06.2026 21:14 Sources 1

About this happening: The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...

Timeline

  1. 10.05.2026 20:52 1 articles · 2mo ago

    MacSync campaign abuses Google Ads and Claude.ai chats

    Campaign Scope Update

    A MacSync macOS infostealer campaign is abusing Google Ads and legitimate Claude.ai shared chats to lure users searching for "Claude mac download" into following Terminal instructions that download and run malware on their Mac. One observed variant uses polymorphic delivery, checks for Russian or CIS-region keyboard input sources and sends a cis_blocked ping before exiting, then profiles the victim with external IP address, hostname, OS version, and keyboard locale before using osascript to run a second-stage payload; another variant skips profiling and exfiltrates browser credentials, cookies, and macOS Keychain contents.

    Show sources
  2. 16.03.2026 13:41 2 articles · 3mo ago

    MacSync macOS infostealer with dynamic AppleScript and in-memory execution

    Initial Disclosure

    MacSync was first pushed through **ClickFix** lures that used fake install flows and Terminal commands to make victims run the payload. The latest phase adds **dynamic AppleScript** and **in-memory execution**, strengthening evasion while preserving theft of sensitive macOS data.

    Show sources