
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
MacSync Stealer Evolves to Bypass User Interaction on macOS

A macOS information stealer known as MacSync Stealer has significantly upgraded its infection method, removing the need for users to manually execute malicious commands. According to Jamf, the malware now leverages a signed and notarized application to deliver its payload, marking a notable shift toward stealthier, more scalable macOS attacks.
This evolution reflects a broader trend in macOS malware, where attackers increasingly abuse Apple’s trust mechanisms to bypass built-in security controls and reduce user friction during compromise.
Context
MacSync Stealer first emerged roughly six months ago as a rebrand of Mac.c, a low-cost macOS infostealer initially observed in April 2025. While Mac.c was positioned as a budget alternative to established macOS stealers, its acquisition by a more capable developer quickly transformed it into a more serious threat.
The rebranded MacSync Stealer retained its information-stealing roots while adding persistent backdoor functionality through a Go-based agent, expanding its utility beyond simple data theft.
What Happened
Early versions of MacSync Stealer relied heavily on social engineering techniques such as ClickFix, which required victims to copy and execute malicious commands in the Terminal.
Jamf reports that newly observed samples have eliminated this step entirely.
Instead, attackers now distribute the malware as a code-signed and notarized Swift application packaged inside a disk image masquerading as a legitimate “zk-Call” messaging app installer. This approach allows the infection to proceed without explicit command execution by the user.
Technical Breakdown
Once launched, the fake installer executes a multi-layered dropper routine designed for stealth and resilience.
The Swift application retrieves an encoded script from a remote server and executes it using a Swift-built helper binary. This process incorporates:
- Environmental checks to avoid analysis environments
- Network validation before payload execution
- Gatekeeper evasion using Apple-trusted signing
- Validation routines to ensure successful installation
Jamf notes that this same distribution technique has also been adopted by the Odyssey macOS infostealer family, suggesting shared tactics or tooling across threat actors.
Impact Analysis
MacSync Stealer infections began appearing in detection telemetry in mid-2025 and spread quickly, compromising hundreds of macOS systems in a relatively short period.
By eliminating user-driven execution steps, the malware reduces opportunities for user suspicion and security awareness controls to intervene, increasing the likelihood of successful compromise in real-world environments.
Why It Matters
This development highlights a growing abuse of Apple’s notarization and code-signing ecosystem. While these mechanisms are designed to protect users, attackers are increasingly finding ways to weaponize them to make malware appear trustworthy.
As macOS adoption continues to rise in enterprise environments, this shift raises the baseline risk for organizations that rely on default platform trust signals.
Expert Commentary
“This shift in distribution reflects a broader trend across the macOS malware landscape,” Jamf noted, “where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications.”
Key Takeaways
- MacSync Stealer no longer requires Terminal interaction to infect macOS systems
- The malware now uses signed and notarized Swift applications for delivery
- The dropper employs layered evasion, validation, and persistence techniques
- Similar tactics are appearing across multiple macOS infostealer families
- Trust-based security controls alone are no longer sufficient on macOS

