
MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware

· Published 23/12/2025 01:59 · Modified 23/12/2025 09:40

Essential information

Tags
2025-12-23, code-signed, dropper, evasion, infostealer, macos, macsync stealer, notarized, odyssey infostealer, swift
Related entities
11 observables, 1 intrusion set (APT), 11 MITRE ATT&CK techniques, 2 malware, 3 others

Description

MacSync Stealer has evolved from drag-to-terminal and ClickFix lures to a more sophisticated delivery chain. The new variant ships as a signed and notarized application inside a disk image, so the victim no longer has to paste anything into Terminal. The application retrieves an encoded script from a remote server and executes it through a Swift-built helper executable. The installer is signed with Apple Developer Team ID GNJLS3UYZ4 and is padded with decoy files to inflate its size. Before it downloads and executes the second-stage payload, the malware performs several checks, including for internet connectivity and for execution timing. The change fits a broader trend in macOS malware: attackers rely on signed and notarized executables to get past security controls that extend trust to Apple-signed code.
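The concrete pivot a responder gets from this report is the signing Team ID and the fact that the bundle passes as signed and notarized, so the first triage step on a suspicious disk image is to read exactly those two properties off every .app it contains. The helper below is an added example, not code from the report or from the malware: it parses the text Apple's codesign and spctl tools print, extracts the TeamIdentifier and the notarization source, and flags Team IDs on a deny list. The only Team ID taken from the report is GNJLS3UYZ4; the bundle path, bundle identifier, developer name and sample tool output are constructed for illustration, and the live scan of /Volumes only runs on a Mac where those tools exist.

```shell
#!/usr/bin/env bash
# Added triage helper (not from the report or the malware): surface the signing
# Team ID and notarization status of .app bundles on mounted disk images and
# flag Team IDs on a deny list. GNJLS3UYZ4 is the Team ID named in the report;
# everything else below (paths, identifiers, sample output) is constructed.

BAD_TEAM_IDS="GNJLS3UYZ4"   # space-separated; extend with your own intel

# Pull TeamIdentifier=... out of `codesign -dv --verbose=4` text (codesign writes to stderr).
team_id_from_codesign() {
  printf '%s\n' "$1" | awk -F= '/^TeamIdentifier=/ { print $2; exit }'
}

# Pull source=... out of `spctl --assess --type execute -vv` text,
# e.g. "Notarized Developer ID" for a notarized Developer ID-signed bundle.
source_from_spctl() {
  printf '%s\n' "$1" | awk -F= '/^source=/ { print $2; exit }'
}

# Exit status 0 when the Team ID is on the deny list, 1 otherwise.
is_bad_team_id() {
  for bad in $BAD_TEAM_IDS; do
    [ "$1" = "$bad" ] && return 0
  done
  return 1
}

# Verdict for one bundle from the two tool outputs; pure text processing so it
# can be exercised offline with the constructed samples below.
verdict() {
  team_id=$(team_id_from_codesign "$1")
  source=$(source_from_spctl "$2")
  if [ -z "$team_id" ]; then
    echo "UNSIGNED_OR_INVALID"
  elif is_bad_team_id "$team_id"; then
    echo "KNOWN_BAD_TEAMID:$team_id:${source:-unknown}"
  else
    echo "SIGNED:$team_id:${source:-unknown}"
  fi
}

# Live scan: every .app on every mounted volume (attach the DMG read-only first,
# e.g. `hdiutil attach -readonly -nobrowse sample.dmg`).
scan_mounted_volumes() {
  for app in /Volumes/*/*.app; do
    [ -d "$app" ] || continue
    cs=$(codesign -dv --verbose=4 "$app" 2>&1 || true)
    sp=$(spctl --assess --type execute -vv "$app" 2>&1 || true)
    printf '%s\t%s\n' "$(verdict "$cs" "$sp")" "$app"
  done
}

# Constructed sample output in the shape the tools print, for offline use.
SAMPLE_CODESIGN='Executable=/Volumes/Installer/Installer.app/Contents/MacOS/Installer
Identifier=com.example.installer
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Developer (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GNJLS3UYZ4'
SAMPLE_SPCTL='/Volumes/Installer/Installer.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Developer (GNJLS3UYZ4)'

if command -v codesign >/dev/null 2>&1 && command -v spctl >/dev/null 2>&1; then
  scan_mounted_volumes
else
  verdict "$SAMPLE_CODESIGN" "$SAMPLE_SPCTL"
fi
```

A "SIGNED" verdict with source "Notarized Developer ID" is not a clean bill of health; it is precisely the state this sample reaches, which is why the Team ID, not the pass/fail from Gatekeeper, is the indicator to hunt on. Team IDs are also the right field to search across your fleet's unified logs or EDR telemetry, since a revoked certificate can be replaced under a new developer account while the technique stays the same.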

External references