
New MacSync Stealer Targets Mac Devices with Gatekeeper Bypass

  • Dec 24, 2025
  • 2 min read

Key Findings


  • A new variant of the MacSync Stealer malware has been discovered, which uses a digitally signed and notarized Swift application to bypass macOS Gatekeeper security checks.

  • The malicious application is distributed via a disk image (DMG) named "zk-call-messenger-installer-3.9.2-lts.dmg" hosted on the "zkcall[.]net/download" website.

  • The application is code-signed and successfully notarized by Apple, giving it a veneer of legitimacy and allowing it to run on macOS without triggering immediate security warnings.

  • The malware performs various evasion techniques, including a "preflight" check for internet connectivity, a rate-limiting mechanism, and measures to avoid execution in offline or sandboxed environments.

  • Once the conditions are met, the malware downloads and executes a payload that connects to known malicious domains associated with previous MacSync campaigns.


Background


The cat-and-mouse game between Apple's security protocols and malware authors has taken a stealthy turn. This new report from Jamf Threat Labs reveals that the increasingly active MacSync Stealer has received a significant design overhaul, shedding its reliance on user mistakes in favor of a slick, automated infection process hidden inside legitimate-looking applications.


Infection Vector


The malicious application is distributed via a disk image (DMG) named "zk-call-messenger-installer-3.9.2-lts.dmg" hosted on the "zkcall[.]net/download" website. Unlike earlier MacSync Stealer variants that primarily relied on drag-to-terminal or ClickFix-style techniques, this sample adopts a more deceptive, hands-off approach.


Bypassing Gatekeeper


The most alarming aspect of this campaign is the attackers' ability to bypass macOS Gatekeeper. The malicious application was not only code-signed but also successfully notarized by Apple, a process intended to certify that software is free of known malware. By obtaining a valid digital signature, the malware gains a veneer of legitimacy that allows it to run on macOS without triggering immediate security warnings.


Evasion Techniques


The malware developers went to great lengths to avoid detection by security researchers and automated sandboxes. The application performs a "preflight" check to ensure it has a live internet connection before executing any malicious logic. Furthermore, it employs a rate-limiting mechanism, checking a timestamp file and refusing to run if it has been executed within the last hour (3600 seconds).


Payload Execution


Once the conditions are met, the malware downloads a payload to "/tmp/runner", validates that it is indeed a shell script, strips it of Apple's "quarantine" attribute, and executes it. The payload itself connects to known malicious domains like "focusgroovy[.]com", linking it to previous MacSync campaigns.
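The drop, de-quarantine and shell-execute sequence described above is a chain a defender can hunt for in endpoint telemetry. The following is an added example, not code from Jamf Threat Labs or from this post; the log line format, the event names and the sample events are all constructed and assumed, and the domains are written un-defanged so they match as hostnames.

```python
from collections import defaultdict
# Indicators named in the post; the log format and event names are assumed.
PAYLOAD_PATH = "/tmp/runner"
KNOWN_DOMAINS = {"zkcall.net", "focusgroovy.com"}
QUARANTINE_XATTR = "com.apple.quarantine"  # the xattr Gatekeeper consults

# Constructed sample telemetry: "<epoch> <pid> <type> <action> key=value ..."
SAMPLE_LOG = """\
1766534400 4242 net connect host=zkcall.net port=443
1766534401 4242 file write path=/tmp/runner
1766534402 4242 xattr remove path=/tmp/runner name=com.apple.quarantine
1766534403 4242 proc exec path=/bin/sh args=/tmp/runner
1766534404 4301 net connect host=focusgroovy.com port=443
1766534500 5100 file write path=/tmp/runner
1766534501 5100 proc exec path=/usr/bin/python3 args=/tmp/runner
"""

def parse_event(line):
    """Parse "<epoch> <pid> <type> <action> key=value ..." into a dict, else None."""
    parts = line.split()
    if len(parts) < 4 or not parts[0].isdigit() or not parts[1].isdigit():
        return None
    ev = {"ts": int(parts[0]), "pid": int(parts[1]), "type": parts[2], "action": parts[3]}
    ev.update(kv.split("=", 1) for kv in parts[4:] if "=" in kv)
    return ev

def stage_of(ev):
    """Map one event onto a stage of the reported payload-execution chain, else None."""
    if ev["type"] == "file" and ev.get("path") == PAYLOAD_PATH:
        return "drop"
    if (ev["type"] == "xattr" and ev["action"] == "remove"
            and ev.get("path") == PAYLOAD_PATH and ev.get("name") == QUARANTINE_XATTR):
        return "dequarantine"
    if ev["type"] == "proc" and ev.get("args", "").startswith(PAYLOAD_PATH):
        return "shell_exec" if ev.get("path", "").endswith("sh") else "other_exec"
    if ev["type"] == "net" and ev.get("host") in KNOWN_DOMAINS:
        return "known_domain"
    return None

def analyze(log_text):
    """Return {pid: (alert, stages)}; alert is True when one pid both stripped the
    quarantine xattr from /tmp/runner and ran it through a shell, as reported."""
    stages = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        stage = stage_of(ev) if ev else None
        if stage:
            stages[ev["pid"]].add(stage)
    return {pid: ({"dequarantine", "shell_exec"} <= seen, sorted(seen))
            for pid, seen in stages.items()}
```

A single contact with a known domain only yields a partial match, which keeps the alert tied to the behaviour rather than to indicators that are easy to rotate.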


Conclusion


The incident serves as a reminder that a "verified" app is not always a safe one. By leveraging these techniques, adversaries reduce the chances of being detected early on, posing a significant challenge to macOS security. This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications.


Sources


  • https://securityonline.info/the-notarized-nightmare-new-macsync-stealer-bypasses-gatekeeper-to-hijack-mac-devices/

  • https://thehackernews.com/2025/12/new-macsync-macos-stealer-uses-signed.html

  • https://x.com/the_yellow_fall/status/2003655541416153385

© 2025 by Explain IT Again. Powered and secured by Wix