The cat-and-mouse game between Apple’s platform security controls and malware authors has taken a stealthy turn. A new report from Jamf Threat Labs reveals that the increasingly active MacSync Stealer has received a significant design overhaul, shedding its reliance on user mistakes in favor of an automated infection chain hidden inside a legitimate-looking, Apple-notarized application.
For months, MacSync Stealer variants relied on “ClickFix” lures or “drag-to-terminal” instructions, methods that required the victim to manually paste commands into Terminal or drag a file onto it in order to get infected.
The new variant was found hiding inside a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, distributed via a look-alike website. “Delivered as a code-signed and notarized Swift application… it removes the need for any direct terminal interaction,” the report states.

Instead of asking the user to run a script, the malicious app does the heavy lifting itself: “The dropper retrieves an encoded script from a remote server and executes it via a Swift-built helper executable.”
Perhaps the most alarming aspect of this campaign is that the dropper passes macOS Gatekeeper outright rather than having to evade it. The application was not only code-signed but also notarized by Apple, an automated scan intended to confirm that submitted software contains no known malware. Because the stealer logic is fetched from a remote server at runtime rather than bundled in the binary, the notarization scan only ever sees a downloader.
“After inspecting the Mach-O binary, which is a universal build, we confirmed that it is both code signed and notarized,” the researchers noted. The signature was linked to the Developer Team ID GNJLS3UYZ4.
With a valid signature and a notarization ticket, the app launches without the “unidentified developer” block or any other immediate Gatekeeper warning. Jamf reported the Team ID to Apple, and the associated certificate has since been revoked, so the signature no longer validates on up-to-date systems.
The malware developers went to great lengths to avoid detection by security researchers and automated sandboxes. The application performs a “preflight” check to ensure it has a live internet connection before executing any malicious logic.
Furthermore, it employs a rate-limiting mechanism: the malware checks a timestamp file and will not run its payload if it has already executed within the last hour (3600 seconds), so a second detonation within that window yields nothing for an analyst to observe. “This conditional execution logic, tied directly to network availability, reflects an effort to avoid execution in offline or sandboxed environments.”
Once the conditions are met, the malware downloads the payload to /tmp/runner, validates that it is indeed a shell script, strips the com.apple.quarantine extended attribute so Gatekeeper never evaluates the downloaded file, and executes it.
While the payload itself connects to known malicious domains such as focusgroovy[.]com, linking it to previous MacSync campaigns, the delivery method represents a leap in sophistication.
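As an added example that is not part of the Jamf report or this article: the Python below turns the behavioural chain described above (a write to /tmp/runner, removal of com.apple.quarantine from it, then execution of it) and the two atomic indicators the report names (Team ID GNJLS3UYZ4 and focusgroovy[.]com) into a hunt over endpoint telemetry. The `Event` record and its field names are an assumed, flattened schema, the sample events are constructed, and correlation is by process ID only; real telemetry would also need to link the dropper to the Swift helper it spawns.

```python
"""Hunt for the MacSync dropper chain in (constructed) macOS endpoint telemetry."""
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the Jamf write-up.
REVOKED_TEAM_IDS = {"GNJLS3UYZ4"}
PAYLOAD_PATH = "/tmp/runner"
QUARANTINE_XATTR = "com.apple.quarantine"
C2_DOMAINS = {"focusgroovy.com"}  # page gives it defanged as focusgroovy[.]com


@dataclass
class Event:
    """Assumed flattened telemetry record; field names are hypothetical."""
    ts: float
    pid: int
    kind: str          # exec | file_write | xattr_remove | net_connect
    path: str = ""     # for exec / file_write / xattr_remove
    xattr: str = ""    # for xattr_remove
    team_id: str = ""  # for exec, when the binary is code-signed
    host: str = ""     # for net_connect


def is_shell_script(data: bytes) -> bool:
    """The same sanity check the dropper applies to its payload: shebang naming a shell.
    Useful when triaging a recovered /tmp/runner."""
    first_line = data.split(b"\n", 1)[0]
    return first_line.startswith(b"#!") and b"sh" in first_line


def stage_order(evs):
    """Return (write_ts, strip_ts, exec_ts) if one process wrote /tmp/runner, stripped
    its quarantine attribute and executed it, in that order; otherwise None."""
    write = strip = run = None
    for e in sorted(evs, key=lambda e: e.ts):
        if e.kind == "file_write" and e.path == PAYLOAD_PATH and write is None:
            write = e.ts
        elif (e.kind == "xattr_remove" and e.path == PAYLOAD_PATH
              and e.xattr == QUARANTINE_XATTR and write is not None and strip is None):
            strip = e.ts
        elif e.kind == "exec" and e.path == PAYLOAD_PATH and strip is not None and run is None:
            run = e.ts
    return (write, strip, run) if run is not None else None


def detect(events):
    """Map pid -> list of reasons for every process matching a behavioural or atomic indicator."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)

    findings = {}
    for pid, evs in by_pid.items():
        reasons = []
        if stage_order(evs):
            reasons.append(f"staged, dequarantined and executed {PAYLOAD_PATH}")
        for e in evs:
            if e.kind == "exec" and e.team_id in REVOKED_TEAM_IDS:
                reasons.append(f"binary signed with revoked Team ID {e.team_id}")
            if e.kind == "net_connect" and e.host.lower().rstrip(".") in C2_DOMAINS:
                reasons.append(f"connection to known MacSync domain {e.host}")
        if reasons:
            findings[pid] = reasons
    return findings


# Constructed sample telemetry: pid 4101 is the dropper pattern, pid 4102 is benign noise
# (a tool that writes /tmp/runner but never strips quarantine or runs it).
SAMPLE_EVENTS = [
    Event(1.0, 4101, "exec", path="/Volumes/Installer/Example.app/Contents/MacOS/Example",
          team_id="GNJLS3UYZ4"),
    Event(2.0, 4101, "net_connect", host="focusgroovy.com"),
    Event(3.0, 4101, "file_write", path="/tmp/runner"),
    Event(3.5, 4101, "xattr_remove", path="/tmp/runner", xattr="com.apple.quarantine"),
    Event(4.0, 4101, "exec", path="/tmp/runner"),
    Event(5.0, 4102, "file_write", path="/tmp/runner"),
    Event(6.0, 4102, "exec", path="/bin/sh"),
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

The behavioural rule is the durable one: Team IDs and domains rotate as soon as a certificate is revoked, whereas "write a file under /tmp, remove com.apple.quarantine from it, execute it from the same process tree" is rare in legitimate software and survives a rebuild of the dropper.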
“This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications,” the report warns.
The incident serves as a reminder that a “verified” app is not always a safe one. As the report concludes, “By leveraging these techniques, adversaries reduce the chances of being detected early on.”