Infostealer mimicking a Google Meet app updater | Image: Jamf Threat Labs
Jamf Threat Labs has uncovered a sophisticated new macOS infostealer variant that managed to bypass Apple’s security defenses by leveraging valid code signing and notarization. The malware, linked to the broader Odyssey Stealer family, masquerades as a legitimate Google Meet updater and contains a two-stage payload with both stealing and persistent backdoor functionalities.
“According to VirusTotal metadata, the sample appeared to be code-signed by a valid Apple Developer ID,” Jamf noted. “We confirmed that it was indeed both code-signed and notarized — a detail that raised immediate concern given its malicious nature.”
The malware, distributed as Gmeet_updater.app, was delivered inside a .dmg disk image, a classic macOS distribution technique. Even though the app was notarized by Apple, the attacker still relied on the right-click Open trick, a social-engineering tactic typically employed to bypass Gatekeeper on unsigned apps.
“The application itself is named ‘Gmeet_updater.app,’ though there’s little effort to align that branding with the user experience, suggesting a rushed or careless repackaging process,” the report explains.
What sets this stealer apart is its blend of social engineering and native macOS design. It launches a SwiftUI-based “Technician Panel” to appear legitimate while silently reaching out to a remote C2 server to fetch additional malicious AppleScript payloads.
Once triggered, the infostealer executes a wide array of malicious activities, including:
- Credential theft from Safari, Chrome, Firefox, Brave, Opera, and Waterfox.
- Extraction of sensitive files (.txt, .pdf, .wallet, .key) from Desktop and Documents.
- Cryptocurrency wallet targeting, including Electrum, Exodus, Atomic, and Ledger Live.
- Keychain access attempts and Apple Notes exfiltration.
- System fingerprinting using system_profiler.
The stolen data is zipped and uploaded to a hardcoded endpoint: hxxp[:]//45.146.130.131/log.
Even more disturbingly, the malware looks for the official Ledger Live app and replaces it with a tampered version hosted by the attacker.
“If found, it replaces [Ledger Live] with a modified and unsigned version created by the attacker and downloaded from hxxp[:]//45.146.130.131/otherassets/ledger.zip.”
Beyond theft, the malware ensures persistent control through a LaunchDaemon stored in /Library/LaunchDaemons/, configured to survive reboots. It also drops hidden configuration files in the user’s home directory, including bot IDs and C2 addresses.
The second-stage payload — a persistent AppleScript — polls the attacker’s server for commands. Supported capabilities include:
- Executing arbitrary shell scripts (repeat and doshell commands).
- Downloading and running a SOCKS5 proxy binary for network tunneling.
- Self-termination if the C2 sends an uninstall command or stops responding.
“This script showcases a surprisingly robust C2 communication framework, granting the attacker ongoing, flexible control over the infected host.”
The malware also includes basic anti-analysis logic. Repeated executions in a research environment lead the malware to detect sandboxing and disable its full behavior chain.
“If it determines the system is likely being used for research… it silently blacklists the machine. Once blacklisted, the payload avoids running its full set of behaviors.”
Instead, it installs a fake daemon with a placeholder argument that simply reads: “Black Listed”.
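Added here as a defender-side example, not code from the Jamf report: a small Python hunt that scans LaunchDaemon plists for the "Black Listed" placeholder argument and the reported C2 address, and parses `codesign -dv` output for the abused Team ID. The plist field heuristics, sample labels, paths and the bundle identifier in the constructed samples are assumptions.

```python
"""Hunt for the LaunchDaemon persistence and code-signing indicators described above."""
import plistlib
import re
from pathlib import Path

# Indicators quoted in the report; the plist heuristics are this example's own assumptions.
C2_IP = "45.146.130.131"
BLACKLIST_MARKER = "Black Listed"
ABUSED_TEAM_ID = "A2FTSWF4A2"  # revoked by Apple per the report


def scan_launchdaemon(plist_bytes: bytes) -> list:
    """Return findings for one LaunchDaemon plist; an empty list means no indicator hit."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    if "Program" in plist:
        args.insert(0, str(plist["Program"]))
    joined = " ".join(args)
    findings = []
    if BLACKLIST_MARKER in joined:
        findings.append("placeholder daemon: 'Black Listed' argument")
    if C2_IP in joined:
        findings.append("reference to reported C2 " + C2_IP)
    return findings


def scan_launchdaemons_dir(directory="/Library/LaunchDaemons") -> dict:
    """Scan every .plist in the directory; returns {path: findings} for hits only."""
    hits = {}
    for path in Path(directory).glob("*.plist"):
        found = scan_launchdaemon(path.read_bytes())
        if found:
            hits[str(path)] = found
    return hits


def signed_by_abused_team(codesign_output: str) -> bool:
    """Parse `codesign -dv --verbose=4 <app>` output (stderr) for the revoked Team ID."""
    m = re.search(r"^TeamIdentifier=(\S+)$", codesign_output, re.MULTILINE)
    return bool(m) and m.group(1) == ABUSED_TEAM_ID


# Constructed samples (labels, paths and bundle id invented) for a stand-alone run.
SAMPLE_BLACKLISTED = plistlib.dumps({"Label": "com.example.upd", "RunAtLoad": True,
                                     "ProgramArguments": ["/bin/sh", "-c", "Black Listed"]})
SAMPLE_CLEAN = plistlib.dumps({"Label": "com.apple.example", "Program": "/usr/libexec/foo"})
CODESIGN_SAMPLE = "Identifier=com.example.gmeet\nTeamIdentifier=A2FTSWF4A2\n"

if __name__ == "__main__":
    print(scan_launchdaemon(SAMPLE_BLACKLISTED), signed_by_abused_team(CODESIGN_SAMPLE))
```

On a live Mac, run `scan_launchdaemons_dir()` as root and feed `signed_by_abused_team` the stderr of `codesign -dv --verbose=4 /Applications/Ledger\ Live.app` to confirm the wallet app still carries its expected signer rather than an unsigned or foreign-Team-ID replacement.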
After discovering that the Developer Team ID (A2FTSWF4A2) was used to sign and notarize at least three separate malware samples, Jamf Threat Labs reported the abuse to Apple, who revoked the certificate.