


Perceptive Security
SOC/SIEM Consultancy

New MacSync malware dropper evades macOS Gatekeeper checks
Published:
22 December 2025 at 20:43:38
Alert date:
22 December 2025 at 21:02:16
Source:
bleepingcomputer.com
Operating Systems, Ransomware & Malware
A new variant of the MacSync information stealer targets macOS systems through a digitally signed and notarized Swift application. Because the malware carries a legitimate code signing certificate, it passes macOS Gatekeeper checks. This is an evolution of macOS-targeted malware that abuses Apple's own security validation mechanisms, and the legitimate digital signature makes detection harder for standard security tools.
Technical details
The MacSync information stealer is delivered as a digitally signed, notarized Swift application inside a disk image named zk-call-messenger-installer-3.9.2-lts.dmg. The payload is a universal Mach-O binary that is both code-signed and notarized under Developer Team ID GNJLS3UYZ4, so it passes macOS Gatekeeper checks. It also includes evasion mechanisms: inflating the DMG to 25.5MB with decoy PDFs, wiping its execution scripts after use, and performing internet connectivity checks to avoid running in sandboxed analysis environments. The malware can steal iCloud keychain credentials, browser passwords, system metadata, cryptocurrency wallet data, and files from the filesystem.
Mitigation steps:
Apple has revoked the certificate associated with Developer Team ID GNJLS3UYZ4 following a direct report. Users should avoid downloading applications from untrusted sources and verify digital signatures before installation.
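As an added example (not from the advisory or its sources), the following POSIX shell helper reads `codesign -dv --verbose=4` output, extracts the TeamIdentifier and flags binaries signed under the revoked Team ID GNJLS3UYZ4 named above; the embedded codesign report is constructed for the demo, and the bundle path and identifier in it are placeholders.

```shell
#!/bin/sh
# Added example: flag Mach-O binaries/app bundles whose signing Team ID is on a blocklist,
# seeded with the Team ID Apple revoked per this advisory.
BLOCKED_TEAM_IDS="GNJLS3UYZ4"

# Constructed (abridged) sample of `codesign -dv --verbose=4` output; NOT captured from the dropper.
SAMPLE_CODESIGN='Executable=/Volumes/installer/Messenger.app/Contents/MacOS/Messenger
Identifier=com.example.messenger
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Dev (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GNJLS3UYZ4'

# Print the TeamIdentifier value from codesign output read on stdin (empty if absent).
team_id_from_codesign() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Return 0 when the given Team ID is on the blocklist, 1 otherwise.
team_id_blocked() {
    for b in $BLOCKED_TEAM_IDS; do
        [ "$1" = "$b" ] && return 0
    done
    return 1
}

# Read codesign output on stdin, print a verdict, return 1 for unsigned/ad-hoc or blocklisted.
# Ad-hoc signatures are reported by codesign as "TeamIdentifier=not set".
assess_codesign_output() {
    tid=$(team_id_from_codesign)
    if [ -z "$tid" ] || [ "$tid" = "not set" ]; then
        echo "FAIL: no Team ID (unsigned or ad-hoc signature)"
        return 1
    fi
    if team_id_blocked "$tid"; then
        echo "BLOCK: Team ID $tid is revoked/blocklisted"
        return 1
    fi
    echo "PASS: Team ID $tid not on blocklist"
    return 0
}

# On macOS: assess a real app bundle or Mach-O (codesign writes its report to stderr).
check_path() {
    codesign -dv --verbose=4 "$1" 2>&1 | assess_codesign_output
}

# Demo on the constructed sample; `|| :` keeps the non-zero verdict from aborting under set -e.
printf '%s\n' "$SAMPLE_CODESIGN" | assess_codesign_output || :
```

A PASS here only means the Team ID is not on the local blocklist; the authoritative Gatekeeper and notarization verdict for a bundle still comes from `spctl --assess -vv <path>`, which also reflects Apple's certificate revocation.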
Affected products:
macOS
macOS Gatekeeper
macOS 10.14.5 and later
Related links:
http://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/
https://www.jamf.com/blog/macpaw-macos-malware-evolution-amos-stealer-cybercrime-ecosystem/
https://www.bleepingcomputer.com/news/security/atomic-macos-infostealer-adds-backdoor-for-persistent-attacks/
https://www.bleepingcomputer.com/news/security/google-ads-for-fake-homebrew-logmein-sites-push-infostealers/
https://moonlock.com/new-mac-stealer-spreading
https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-macsync-ex-mentalpositive-62504db3e761
https://zkcall.net/download
Related CVEs:
Related threat actors:
IOCs:
zk-call-messenger-installer-3.9.2-lts.dmg, https://zkcall.net/download, Developer Team ID GNJLS3UYZ4
This article was created with the assistance of AI technology by Perceptive.
