The MacSync Stealer macOS malware can now infect victims’ computers using what appears to be a legitimate application with minimal user interaction, according to Apple device management and security vendor Jamf.
Until now, macOS campaigns needed to persuade users to launch infected applications through relatively intrusive techniques such as ClickFix social engineering or the ‘drag-to-terminal’ routine aimed at expert macOS users.
MacSync Stealer, by contrast, is downloaded from an ordinary-looking utility URL as a code-signed and notarized Swift application. Once the user initiates installation, the dropper retrieves its malware payload script from a command-and-control server.
One oddity is that the download still invites victims to launch it by right-clicking and opening, even though the signed executable does not technically need this for infection.
The innovation lies in its deceptive provenance: because the malware is signed by what macOS deems to be a legitimate developer and has not yet been flagged as malicious, no warnings or extra steps are triggered. This draws attention to a weakness in Apple’s Gatekeeper security – criminals can constantly reformulate their malware to evade Apple’s automated detection and notarization system.
This gives attackers a window for exploitation. According to Jamf, the malware’s certificate credential was only revoked after the company reported the issue to Apple.
Sign of expansion
MacSync Stealer is the latest example of a growing number of financially motivated macOS malware families. Their purpose is to steal data from high-value users, including account credentials, API keys, and crypto wallet data.
The malware’s origins lie with an earlier Mac infostealer, Mac.c Stealer, whose appeal was that it could be bought cheaply by budding cybercriminals. However, within weeks of its appearance in April, this was rebranded as MacSync and more advanced features were added.
Another macOS stealer, the Odyssey infostealer, had also been observed using the same distribution technique.
“While MacSync Stealer itself is not entirely new, this case highlights how its authors continue to evolve their delivery methods,” Jamf said.
“This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications.”
While the Mac malware “market” might appear small in volume compared to that for Windows, this largely reflects the fact that Windows remains the primary operating system used by businesses. Nevertheless, criminals have noticed that the extra development time required for Mac malware is increasingly worth it.
Examples targeting enterprises and high-value individuals from 2025 include the macOS Ferret family and BlueNoroff social media campaigns associated with North Korean hackers, both connected to crypto theft. Another is the Atomic malware-as-a-service (MaaS) infostealer associated with Russian cybercriminals.