
New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper


These articles are AI-generated summaries. Please check the original sources for full details.

A new variant of the MacSync macOS information stealer is being distributed through a digitally signed and notarized Swift application disguised as a messaging-app installer. Because the bundle carries a valid Developer ID signature and notarization ticket, it passes Apple's Gatekeeper checks without the usual warning; Apple has since revoked the signing certificate.

Why This Matters

Current macOS security models rely heavily on code signing and notarization to establish trust, but attackers are increasingly obtaining signatures and notarization for their own malware. A signed, notarized application clears Gatekeeper silently, so users receive no warning and are far more likely to run it, which raises the odds of credential theft, data breaches and financial loss.

Key Insights

  • MacSync evolution: MacSync is a rebranded version of Mac.c, first observed in April 2025.
  • Evasion tactics: Attackers are using techniques like embedding unrelated files in DMGs to increase size and obscure malicious intent.
  • Signed malware: The increasing trend of using code-signed malware highlights the limitations of relying solely on signature-based security measures.


Practical Applications

  • Use Case: Attackers targeting macOS users with sophisticated, evasive malware campaigns to steal sensitive information.
  • Pitfall: Over-reliance on code signing and notarization as a sole indicator of trust, neglecting behavioral analysis and other security layers.
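The "Why This Matters" paragraph and the pitfall above both turn on the same point: a Developer ID signature plus notarization is what Gatekeeper checks, and a freshly signed stealer satisfies that check until Apple revokes the certificate. The script below is an added example (not code from the original article or from any vendor) showing how a defender can gather those facts for a bundle and turn them into triage findings, treating a clean result as a starting point rather than a verdict. It parses the output of Apple's `codesign -dv --verbose=4` and `spctl --assess --type execute -vv`; the sample outputs embedded for offline testing are constructed to match those tools' formats, and the bundle path, identifier, team ID, certificate names and the wording of the revoked-certificate `source=` line are assumptions, not indicators from the article.

```python
"""Triage a macOS app bundle's code-signing and Gatekeeper status.

Added example (not from the original article). On macOS, scan_app() runs
`codesign` and `spctl`; the parsers below work on their text output, so the
constructed samples at the bottom let the logic run anywhere.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SigningInfo:
    identifier: str = ""
    team_id: str = ""
    authorities: List[str] = field(default_factory=list)  # leaf first, root last
    hardened_runtime: bool = False
    gatekeeper_accepted: bool = False
    gatekeeper_source: str = ""
    notarized: bool = False


def parse_codesign(text: str, info: Optional[SigningInfo] = None) -> SigningInfo:
    """Parse `codesign -dv --verbose=4 <app>` output (codesign prints it on stderr)."""
    info = info or SigningInfo()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("CodeDirectory"):
            # flags=0x10000(runtime) means the hardened runtime is enabled
            m = re.search(r"flags=0x[0-9a-f]+\(([^)]*)\)", line)
            info.hardened_runtime = bool(m and "runtime" in m.group(1).split(","))
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Identifier":
            info.identifier = value
        elif key == "TeamIdentifier":
            info.team_id = value
        elif key == "Authority":
            info.authorities.append(value)
    return info


def parse_spctl(text: str, info: SigningInfo) -> SigningInfo:
    """Parse `spctl --assess --type execute -vv <app>` output (accepted/rejected + source)."""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            info.gatekeeper_accepted = True
        elif line.endswith(": rejected"):
            info.gatekeeper_accepted = False
        elif line.startswith("source="):
            info.gatekeeper_source = line[len("source="):]
    info.notarized = info.gatekeeper_accepted and "Notarized" in info.gatekeeper_source
    return info


def triage(info: SigningInfo) -> List[str]:
    """Return findings. An empty problem list is necessary for trust, never sufficient."""
    findings = []
    leaf = info.authorities[0] if info.authorities else ""
    if not info.authorities:
        findings.append("unsigned or ad-hoc signed: no certificate chain")
    else:
        if not leaf.startswith("Developer ID Application:"):
            findings.append(f"leaf certificate is not a Developer ID Application cert: {leaf}")
        if info.authorities[-1] != "Apple Root CA":
            findings.append("certificate chain does not terminate at Apple Root CA")
        m = re.search(r"\(([A-Z0-9]{10})\)$", leaf)
        if m and info.team_id and m.group(1) != info.team_id:
            findings.append("TeamIdentifier does not match the signing certificate")
    if not info.hardened_runtime:
        findings.append("hardened runtime not enabled (notarization normally requires it)")
    if not info.gatekeeper_accepted:
        findings.append(f"Gatekeeper rejects the bundle ({info.gatekeeper_source or 'no source'})")
    elif not info.notarized:
        findings.append("Gatekeeper accepts the bundle but it is not notarized")
    if not findings:
        # Exactly the state the MacSync sample was in before its certificate was revoked.
        findings.append("signed, notarized and accepted: still inspect behaviour before trusting it")
    return findings


def scan_app(path: str) -> SigningInfo:
    """Run the real tools against a bundle (macOS only) and parse both outputs."""
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", path], capture_output=True, text=True)
    sp = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", path],
                        capture_output=True, text=True)
    return parse_spctl(sp.stdout + sp.stderr, parse_codesign(cs.stderr))


# Constructed sample outputs (placeholder path, identifier, team ID and certificate names).
SAMPLE_CODESIGN = """\
Executable=/Applications/ChatInstaller.app/Contents/MacOS/ChatInstaller
Identifier=com.example.chatinstaller
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
SAMPLE_SPCTL_OK = """\
/Applications/ChatInstaller.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)
"""
# Post-revocation output; the exact wording of the source= line is assumed.
SAMPLE_SPCTL_REVOKED = """\
/Applications/ChatInstaller.app: rejected
source=Revoked Developer ID
"""

if __name__ == "__main__":
    for spctl_out in (SAMPLE_SPCTL_OK, SAMPLE_SPCTL_REVOKED):
        info = parse_spctl(spctl_out, parse_codesign(SAMPLE_CODESIGN))
        print(info.identifier, info.team_id, *triage(info), sep="\n  ")
```

The two sample runs show the same bundle before and after certificate revocation: identical signature facts, but Gatekeeper's assessment flips from accepted to rejected. That is why the last finding for a clean bundle is phrased as a prompt for behavioural review rather than an all-clear.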
