Stealer Campaign Impacting SLTT macOS Users
Essential information
- Published
- 09/04/2026 20:17
- Modified
- 09/04/2026 18:35
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- clickfix cryptocurrency wallet infostealer ledger trojanization maas macos macsync macsync stealer seo poisoning
- Tags
- 2026-04-09 clickfix cryptocurrency wallet infostealer ledger trojanization maas macos macsync macsync stealer seo poisoning
- Related entities
- 16 indicators, 16 observables, 1 malware, 5 others
Description
MacSync Stealer is a macOS infostealer operating as Malware-as-a-Service (MaaS), distributed through SEO poisoning and fake ClickFix CAPTCHAs. The campaign has evolved through three iterations since November 2025, shifting from fake download sites to malicious ChatGPT conversations and finally to sophisticated shell-based loaders with dynamic AppleScript payloads. Threat actors use Google-sponsored search results to redirect victims to fake CAPTCHA pages that trick users into executing malicious terminal commands. The stealer targets browser credentials, cryptocurrency wallets, SSH keys, cloud provider credentials, and Keychain data. A critical capability includes trojanizing Ledger hardware wallet applications to capture seed phrases. The February 2026 campaign generated over 18,000 clicks in three days, with Russian-language comments suggesting operators work within a Russian-speaking ecosystem. The malware employs API key-gated C2 infrastructure and in-memory execution for evasion.