{
  "name": "Inside MacSync's Script-Driven Stealer and Hardware Wallet App Trojanization",
  "slug": "inside-macsyncs-script-driven-stealer-and-hardware-wallet-app-trojanization",
  "description": "MacSync is a sophisticated macOS infostealer that targets cryptocurrency users. It is delivered through a phishing lure disguised as a cloud storage installer, which tricks users into executing a malicious Terminal command. The malware uses a multi-stage, script-based infection process to harvest browser credentials, cryptocurrency wallet data, and sensitive files. A key feature of MacSync is its ability to trojanize popular Electron-based cryptocurrency applications such as Ledger and Trezor, enabling long-term phishing and data exfiltration. Its infrastructure includes multiple rotating C2 domains and clone sites, indicating an ongoing and evolving campaign. MacSync's focus on cryptocurrency-related data and its stealthy, script-based execution make it particularly dangerous for macOS users in the crypto community.",
  "published": "2026-01-21T17:46:01+00:00",
  "created_at": "2026-01-21T17:46:01+00:00",
  "modified_at": "2026-01-22T13:49:53+00:00",
  "created_at_opencti": "2026-01-21T17:46:01+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-01-21",
    "cryptocurrency",
    "electron",
    "hardware-wallet",
    "infostealer",
    "macos",
    "macsync",
    "phishing",
    "trojanization"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "60ad8bbb2ebfb60d61dbddc365a02b6adf7dbe57"
      },
      {
        "id": "",
        "name": "70c0ee60591fed92b387ddd77122f3f5e88ae946efdd5eef8aa654cf156ed321"
      },
      {
        "id": "",
        "name": "ec6bc84be18ce4cb55fb915370c00f2a836ffefc65c6b728efb8d2d28036e376"
      },
      {
        "id": "",
        "name": "c99dea85f0ef8d3e2f3771c8ebd02d7dee0d90efc5c8392e5c266a59640a4206"
      },
      {
        "id": "",
        "name": "89a229f9a73cffc67089f388c6c12f3f9d80e7ae2c32745cd5212421a89c3e50"
      },
      {
        "id": "",
        "name": "dd60de68d94b4d4602d1e163aa884dd2f0c0119d"
      }
    ],
    "attack_patterns": [
      {
        "id": "8c79f5d6-60f2-4b5c-9b44-3e00ce9294d0",
        "name": "T1074.001"
      },
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "d03ba136-5188-4224-876c-26255d8c8a5b",
        "name": "T1217"
      },
      {
        "id": "46ecf5ab-5539-4a8a-aa5b-c180d0ae5a67",
        "name": "T1059.002"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "6efb8bea-11d7-418d-a429-9f4a3e6c50f6",
        "name": "T1087"
      },
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "14ea0786-b57c-4a30-8e4e-46944d17eb18",
        "name": "T1036.004"
      },
      {
        "id": "c22b5073-f426-4294-98bb-219d17345158",
        "name": "T1553.002"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "64e548d5-24de-4894-9c90-c6e17b3b3bee",
        "name": "T1056.002"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "jmpbowl.coupons"
      },
      {
        "id": "",
        "name": "manifest.in"
      },
      {
        "id": "",
        "name": "webview-prod.dreamplug.in"
      },
      {
        "id": "",
        "name": "xmlpull.org"
      },
      {
        "id": "",
        "name": "jmpbowl.shop"
      },
      {
        "id": "",
        "name": "macfilevault.com"
      },
      {
        "id": "",
        "name": "foo-bar.fish"
      },
      {
        "id": "",
        "name": "merchant-app-prod.dreamplug.in"
      },
      {
        "id": "",
        "name": "macfilebackup.com"
      },
      {
        "id": "",
        "name": "jmpbowl.today"
      },
      {
        "id": "",
        "name": "jmpbowl.top"
      },
      {
        "id": "",
        "name": "jmpbowl.world"
      },
      {
        "id": "",
        "name": "crosoftonline.com"
      },
      {
        "id": "",
        "name": "jmpbowl.xyz"
      },
      {
        "id": "",
        "name": "jmpbowl.space"
      },
      {
        "id": "",
        "name": "macfiledrive.com"
      },
      {
        "id": "",
        "name": "maccloudsafe.com"
      },
      {
        "id": "",
        "name": "jmpbowl.fun"
      },
      {
        "id": "",
        "name": "app-webview.dreamplug.in"
      },
      {
        "id": "",
        "name": "macclouddrive.com"
      },
      {
        "id": "",
        "name": "maccloudvault.com"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69711eea5249f136051acf6c",
    "https://www.cloudsek.com/blog/inside-macsyncs-script-driven-stealer-and-hardware-wallet-app-trojanization"
  ]
}