New MacSync malware variant bypasses macOS security, Jamf and SlowMist warn

While reviewing the detections of its in-house YARA rules, Jamf Threat Labs claims it observed a signed and notarized stealer that did not follow the typical execution chains seen in the past. 

According to 23pds from Slowmist, this stealer is a new variant of the MacSync variant famous for bypassing macOS security. 

Slowmist claims user info already stolen 

In an X post, Slowmist’s Chief Information Security Officer, 23pds claimed that there is a new variant of the MacSync that bypasses the macOS gatekeeper security system, and it has already hijacked the information of many users. 

According to 23pds, to evade detection, the variant employs techniques like file inflation, network connection verification and self-destruct scripts after execution. It can reportedly steal sensitive data like iCloud keychains, browser passwords, and crypto wallets. 

The warning came attached to a blog from Jamf Threat Labs, reporting that this is not its first contact with MacSync. 

The macOS-targeted information stealer malware reportedly first emerged in April 2025 as “Mac.C”, developed by a threat actor known as “Mentalpositive”. It was rebranded to MacSync shortly after, which it quickly gained traction among cybercriminals.

To protect yourself from it, only download apps from the Mac App Store or trusted developer websites, keep your macOS and apps updated, use reputable antivirus/endpoint security tools that detect macOS threats, and be cautious with unexpected .dmg files or installers, especially those promising crypto-related or messaging tools.

Is there a new MacSync malware? 

The sample in question reportedly looked highly similar to past variants of the increasingly active MacSync Stealer malware but was revamped in its design. It differed from earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, as it employs a more deceptive, hands-off approach. 

The sample is reportedly delivered as a code-signed and notarized Swift application within a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, distributed via https://zkcall.net/download. 

That removes the need for any direct terminal interaction. Instead, the dropper retrieves an encoded script from a remote server and executes it via a Swift-built helper executable

Jamf Threat Labs also observed the Odyssey infostealer adopting similar distribution methods in recent variants. They expressed surprise that the familiar right-click open instruction is still present in the new sample, even though the executable is signed and does not require this step.

“After inspecting the Mach-O binary, which is a universal build, we confirmed that it is both code-signed and notarized. The signature is associated with the Developer Team ID GNJLS3UYZ4,” they claimed. 

They made sure to verify the code directory hashes against Apple’s revocation list, and at the time of analysis, said none had been revoked.

Another notable observation made is the unusually large size of the disk image (25.5MB), which they said appears to be inflated by decoy files embedded within the app bundle. 

At the time of analysis, some of the samples uploaded to VirusTotal were detected by only one antivirus engine, while others were flagged by up to thirteen. After confirming that the Developer Team ID was used to distribute malicious payloads, Jamf Threat Labs reported it to Apple. Since then, the associated certificate has been revoked.

The smartest crypto minds already read our newsletter. Want in? Join them.