Researchers discovered that this version of MacSync is delivered via a disk image that has been intentionally inflated with decoy PDF files to evade automated detection systems. The malware acts as a dropper that decodes a payload once it passes initial security checks and verifies an active internet connection. To cover its tracks, the infection process includes a self-cleaning mechanism that deletes the scripts used during the initial execution phase.
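The padding trick described above (a disk image bloated with decoy PDFs so that size-limited scanners skip it) can be flagged with a simple heuristic over the mounted or extracted image. This is an added example written for this page, not code from the researchers or from the article; the file names, sizes and thresholds are constructed for illustration.

```python
"""Heuristic detector for a disk image padded with decoy files.

Assumes the DMG has already been mounted or extracted to a directory.
Flags when most bytes belong to decoy-typed files (PDFs here) or when a
large share of files are byte-for-byte duplicates (bulk-copied filler).
"""
import hashlib
import os
import tempfile
from collections import Counter


def scan_padding(root, decoy_exts=(".pdf",), ratio_threshold=0.8, dup_threshold=0.5):
    """Return (flagged, stats) for every regular file under root."""
    total_bytes = decoy_bytes = nfiles = 0
    digests = Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            total_bytes += size
            nfiles += 1
            if name.lower().endswith(decoy_exts):
                decoy_bytes += size
            with open(path, "rb") as fh:
                digests[hashlib.sha256(fh.read()).hexdigest()] += 1
    if total_bytes == 0:
        return False, {"files": 0, "decoy_ratio": 0.0, "duplicates": 0}
    duplicates = sum(count - 1 for count in digests.values() if count > 1)
    ratio = decoy_bytes / total_bytes
    stats = {"files": nfiles, "decoy_ratio": round(ratio, 3), "duplicates": duplicates}
    flagged = ratio >= ratio_threshold or duplicates / nfiles >= dup_threshold
    return flagged, stats


def build_sample(root):
    """Constructed sample image: one small app binary plus 20 identical PDF decoys."""
    macos_dir = os.path.join(root, "Installer.app", "Contents", "MacOS")  # hypothetical name
    os.makedirs(macos_dir, exist_ok=True)
    with open(os.path.join(macos_dir, "Installer"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 4096)  # Mach-O magic plus padding
    filler = b"%PDF-1.4\n" + b"A" * 200_000
    for i in range(20):
        with open(os.path.join(root, f"doc{i}.pdf"), "wb") as fh:
            fh.write(filler)


def demo():
    """Build the constructed sample in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    build_sample(root)
    return scan_padding(root)
```

On the constructed sample `demo()` flags the image, since about 99.9% of its bytes are decoy PDFs and 19 of 21 files are duplicates; a real installer with one app and a licence PDF stays well under both thresholds.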
Originally emerging in early 2025 under the name Mac.C, the stealer was developed by a threat actor known as Mentalpositive. It has quickly become a prominent competitor to other established macOS malware such as AMOS and Odyssey. This iteration is designed so that the victim needs no manual technical interaction during installation, removing steps that might otherwise raise suspicion.
The primary objective of the software is the wholesale theft of sensitive user data, including iCloud keychain credentials and browser-stored passwords. It also targets cryptocurrency wallets, system metadata, and specific files on the local file system. Its ability to navigate the file system makes it a high-risk threat to personal and financial information stored on compromised devices.
The shift toward notarized applications was a calculated move by the developer to adapt to Apple’s increasingly strict security policies. By obtaining official notarization, the malware author successfully turned a security feature intended to protect users into a cloak for malicious activity. This development confirms that macOS threat actors are becoming more sophisticated in their efforts to mimic legitimate software distribution channels.
Source: New MacSync Malware Dropper Evades macOS Gatekeeper Protections