Inside MacSync's Script-Driven Stealer and Hardware Wallet App Trojanization
Essential information
- Published: 21/01/2026 18:46
- Modified: 22/01/2026 14:49
- Tags: 2026-01-21, cryptocurrency, electron, hardware-wallet, infostealer, macos, macsync, phishing, trojanization
- Related entities: 6 observables, 16 techniques (MITRE), 23 others
Description
MacSync is a sophisticated macOS infostealer that targets cryptocurrency users. It is delivered through a phishing lure disguised as a cloud storage installer, tricking users into executing a malicious Terminal command. The malware employs a multi-stage infection process, using a script-based approach to harvest browser credentials, cryptocurrency wallet data, and sensitive files. A key feature of MacSync is its ability to trojanize popular Electron-based cryptocurrency applications like Ledger and Trezor, enabling long-term phishing and data exfiltration. The malware's infrastructure includes multiple rotating C2 domains and clone sites, indicating an ongoing and evolving campaign. MacSync's focus on cryptocurrency-related data and its stealthy, script-based execution make it particularly dangerous for macOS users in the crypto community.