According to ChainCatcher, 23pds, Chief Information Security Officer of SlowMist, shared an article stating that the MacSync Stealer malware, active on the macOS platform, has undergone significant evolution, and some users have already had their assets stolen.
The forwarded article noted that the delivery method has evolved from low-barrier tactics such as "drag and drop to the terminal" and "ClickFix" to a Swift application that is code-signed and notarized by Apple, significantly improving its stealth. Researchers found that the sample spreads as a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, luring users into downloading it by posing as an instant-messaging or utility application. Unlike previous versions, the new version requires no user interaction with the terminal; instead, a built-in Swift helper pulls an encoded script from a remote server and executes it to complete the information theft.
The malware is code-signed and notarized by Apple. The developer Team ID is GNJLS3UYZ4, and at the time of analysis the relevant hashes had not yet been revoked by Apple. This gives it higher "credibility" under the default macOS security mechanisms, making it easier to slip past user vigilance. The research also found that the DMG file is unusually large and contains decoy files, such as LibreOffice-related PDFs, to further reduce suspicion.
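Because the sample carries a valid signature and notarization, Gatekeeper alone will not flag it; what a defender can act on is the Team ID the report names. The following triage helper is an added example and not part of the report or of SlowMist's tooling: it reads `codesign -dv --verbose=4` output, pulls out the `TeamIdentifier` line, and compares it against a small blocklist seeded with the GNJLS3UYZ4 Team ID from the report. The function names, the blocklist format, and the sample signature output (bundle path, identifier) are constructed for this example.

```bash
#!/bin/sh
# Added example, not from the original report. Checks the Team ID of a signed
# macOS bundle against a blocklist of Team IDs taken from public reporting.
# GNJLS3UYZ4 is the Team ID the report attributes to MacSync Stealer; everything
# else here (names, sample output) is this example's own.

BLOCKED_TEAM_IDS="GNJLS3UYZ4"

# extract_team_id: read codesign -dv --verbose=4 style output on stdin and print
# the TeamIdentifier value. Unsigned binaries produce an error and no such line,
# ad-hoc signatures print "TeamIdentifier=not set"; both yield no usable ID.
extract_team_id() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# team_id_verdict TEAMID: print "blocked", "no-team" or "allowed".
# Returns 0 only for "allowed", so it can be used directly in a conditional.
team_id_verdict() {
    tid="$1"
    if [ -z "$tid" ] || [ "$tid" = "not set" ]; then
        echo "no-team"
        return 1
    fi
    for blocked in $BLOCKED_TEAM_IDS; do
        if [ "$tid" = "$blocked" ]; then
            echo "blocked"
            return 1
        fi
    done
    echo "allowed"
    return 0
}

# check_bundle PATH: on a macOS host, run codesign on a real bundle.
# codesign prints the signature details on stderr, hence the 2>&1.
check_bundle() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available on this host" >&2
        return 2
    fi
    tid=$(codesign -dv --verbose=4 "$1" 2>&1 | extract_team_id)
    team_id_verdict "$tid"
}

# sample_verdict TEXT: run the same logic over captured codesign output,
# so the check can be exercised on a non-macOS host.
sample_verdict() {
    tid=$(printf '%s\n' "$1" | extract_team_id)
    team_id_verdict "$tid"
}

# Constructed sample output in the shape codesign prints for a signed app.
# The bundle path and identifier are placeholders, not values from the report.
SAMPLE_SIGNED='Executable=/Volumes/Installer/Messenger.app/Contents/MacOS/Messenger
Identifier=com.example.messenger
Format=app bundle with Mach-O thin (arm64)
TeamIdentifier=GNJLS3UYZ4
Sealed Resources version=2 rules=13 files=4'

# Constructed sample for an ad-hoc signed bundle (no Team ID).
SAMPLE_ADHOC='Executable=/Applications/Foo.app/Contents/MacOS/Foo
Identifier=com.example.foo
TeamIdentifier=not set'

if [ "${1:-}" ]; then
    check_bundle "$1"
else
    echo "signed sample: $(sample_verdict "$SAMPLE_SIGNED")"
    echo "ad-hoc sample: $(sample_verdict "$SAMPLE_ADHOC")"
fi
```

Run it with a path (`sh check_team_id.sh /Volumes/Installer/Messenger.app`) on a Mac to inspect a mounted DMG's bundle, or with no arguments to see the constructed samples evaluated. A Team ID match is a strong signal precisely because revocation lags: once Apple revokes the certificate, `spctl -a -vv` and `stapler validate` will start rejecting the bundle on their own, but until then the blocklist is what catches it. Treat the blocklist as one indicator among several, since the same Team ID may be rotated in later samples.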
Security researchers point out that such information-stealing Trojans typically target browser data, account credentials, and cryptocurrency wallet data. As malware begins to systematically abuse Apple's signing and notarization mechanisms, the risk of phishing and private key leakage for crypto asset users on macOS is increasing.