## New MacSync Stealer Variant Bypasses macOS Gatekeeper with Digitally Signed App
Cybersecurity researchers have discovered a new variant of a macOS information stealer called MacSync that’s delivered by means of a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple’s Gatekeeper checks.
“Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more deceptive, hands-off approach,” Jamf researcher Thijs Xhaflaire said.
The Apple device management firm and security company said the latest version is distributed as a code-signed and notarized Swift application within a disk image (DMG) file named “zk-call-messenger-installer-3.9.2-lts.dmg” that’s hosted on “zkcall[.]net/download.”
The fact that it’s signed and notarized means it can be run without being blocked or flagged by built-in security controls like Gatekeeper or XProtect. Despite this, the installer has been found to display instructions prompting users to right-click and open the app – a common tactic used to sidestep such safeguards. Apple has since revoked the code signing certificate.
The Swift-based dropper then p
## macOS Malware Campaign Employs Evasion Techniques, Delivers MacSync Stealer
Date: December 24, 2025
A recent malware campaign targeting macOS users is utilizing several evasion techniques to deliver the MacSync information stealer, a rebranded variant of Mac.c. Security researchers have observed attackers inflating the size of malicious DMG files with unrelated PDF documents – reaching 25.5 MB – to potentially bypass security checks. This campaign highlights a continuing trend of increasingly sophisticated tactics employed by threat actors targeting Apple’s operating system.
### MacSync: A Feature-Rich macOS Stealer
The payload delivered within the oversized DMG file is MacSync, identified by MacPaw’s Moonlock Lab as a derivative of Mac.c, which first appeared in April 2025. Unlike simpler data theft malware, MacSync incorporates a fully-featured, Go-based agent. This agent provides attackers with remote command and control (RCC) capabilities, extending its functionality beyond basic information exfiltration. According to a recent interview with the developer, MacSync aims to provide an extensive solution for malicious actors. Moonlock Lab’s analysis details the stealer’s advanced features and capabilities.
### Evolving Distribution Methods & Code Signing
The campaign demonstrates a shifting landscape in macOS malware distribution. While attackers previously relied on code-signed DMG files mimicking legitimate applications like Google Meet to spread stealers such as Odyssey, they continue to utilize unsigned disk images. DigitStealer, for example, was distributed via unsigned DMGs as recently as November 2025.
This duality suggests attackers are adapting their strategies, potentially to circumvent increased scrutiny of code-signed applications. Jamf notes that this trend reflects a broader effort to disguise malware as legitimate software by leveraging code signing and notarization.
### Implications and Ongoing Threats
The use of evasion techniques like file inflation, combined with the advanced capabilities of stealers like MacSync, underscores the growing sophistication of threats targeting macOS. Users should exercise caution when downloading and opening files from untrusted sources, and ensure their systems are running the latest security updates. The continued evolution of these tactics necessitates ongoing vigilance and proactive security measures to protect against macOS malware.
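As an added example (not code from either article, Jamf or Moonlock), the POSIX shell script below triages an already-mounted DMG volume for the two traits described here: PDF filler inflating the image, and the signing and notarization state of the bundled app as Gatekeeper itself would judge it before the user is talked into right-click-opening it. The mount path argument and the 50% filler threshold are assumptions; the codesign and spctl calls run only where those tools exist (macOS).

```shell
#!/bin/sh
# Added example, not from the article, Jamf or Moonlock. Triage a mounted DMG
# volume (pass the mount path, e.g. /Volumes/<name>, as $1) for PDF filler that
# inflates the image and for the signing state of the bundled .app.
set -e

# Total bytes of regular files under $1 matching the extra find predicates.
# cat | wc -c is used instead of stat, whose flags differ between BSD and GNU.
bytes_of() {
  dir=$1; shift
  find "$dir" -type f "$@" -exec cat {} + | wc -c | tr -d ' '
}

# Percentage of the volume's bytes that sit in PDF documents (0-100).
filler_ratio() {
  total=$(bytes_of "$1")
  pdf=$(bytes_of "$1" -iname '*.pdf')
  [ "$total" -gt 0 ] || { echo 0; return; }
  echo $(( pdf * 100 / total ))
}

# Heuristic verdict; the 50% threshold is an assumption for illustration.
inflation_verdict() {
  pct=$(filler_ratio "$1")
  if [ "$pct" -ge 50 ]; then
    echo "SUSPICIOUS: ${pct}% of volume bytes are PDF filler"
  else
    echo "OK: ${pct}% of volume bytes are PDF"
  fi
}

# Signing and Gatekeeper status of each .app on the volume (macOS only).
check_apps() {
  find "$1" -maxdepth 2 -name '*.app' -prune | while read -r app; do
    echo "== $app"
    if command -v codesign >/dev/null 2>&1; then
      codesign --verify --deep --strict "$app" 2>&1 || true
      codesign -dvvv "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)=' || true
    fi
    if command -v spctl >/dev/null 2>&1; then
      # Gatekeeper's own launch assessment; "accepted" plus a notarized source is what let this sample run.
      spctl --assess --type execute -vv "$app" 2>&1 || true
    fi
  done
}

if [ $# -ge 1 ]; then
  inflation_verdict "$1"
  check_apps "$1"
fi
```

A high filler percentage is only a hint for a sandbox or analyst; the spctl verdict is the one that tells you whether the app would have launched unblocked on a user's Mac.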
