macOS Trojan Upgraded: Disguised as Signed Applications, Crypto Users Face More Stealthy Risks
BlockBeats News, December 23: SlowMist Chief Information Security Officer 23pds shared that the MacSync Stealer malware, active on the macOS platform, has evolved significantly and that user assets have already been stolen. The forwarded article says the malware has moved from early low-barrier lures such as "drag to terminal" and "ClickFix" to a Swift application that is code-signed and notarized by Apple, which makes it considerably stealthier.
Researchers found that this sample is distributed as a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, luring users to download it by disguising itself as an instant messaging or utility application. Unlike before, the new version does not require any terminal operation by the user; instead, a built-in Swift helper program fetches and executes encoded scripts from a remote server to complete the information theft process.
The malicious program is code-signed and notarized by Apple under the developer Team ID GNJLS3UYZ4, and the relevant hash had not yet been revoked by Apple at the time of analysis. This gives it higher "credibility" under the default macOS security mechanisms and makes it easier to get past user vigilance. The research also found that the DMG file is unusually large and contains decoy files such as LibreOffice-related PDFs to further reduce suspicion.
Security researchers pointed out that this type of information-stealing trojan often targets browser data, account credentials, and crypto wallet information. As malware begins to systematically abuse Apple’s code signing and notarization mechanisms, crypto asset users on macOS are facing increasing risks of phishing and private key leakage.
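Because a valid signature and notarization say nothing about intent, a defender can check the signing Team ID of downloaded apps against a blocklist. The script below is an added example, not code from the article or the researchers: it parses the `TeamIdentifier` field of `codesign -dv --verbose=4` output and flags the Team ID the article reports. The function names, the blocklist variable and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Blocklist of Developer ID Team IDs;
# GNJLS3UYZ4 is the one the article names.
BLOCKED_TEAM_IDS="GNJLS3UYZ4"

# Pull the TeamIdentifier field out of `codesign -dv --verbose=4` output (stdin).
team_id_from_codesign() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Succeeds (0) when the Team ID passed as $1 is on the blocklist.
is_blocked_team_id() {
    for id in $BLOCKED_TEAM_IDS; do
        [ "$1" = "$id" ] && return 0
    done
    return 1
}

# Classify codesign output read from stdin. Prints "BLOCKED <id>",
# "NOT_LISTED <id>", or "UNSIGNED" (no Team ID or ad hoc signature).
classify_codesign_output() {
    tid=$(team_id_from_codesign)
    if [ -z "$tid" ] || [ "$tid" = "not set" ]; then
        echo "UNSIGNED"
    elif is_blocked_team_id "$tid"; then
        echo "BLOCKED $tid"
    else
        echo "NOT_LISTED $tid"
    fi
}

# macOS only: check every .app bundle under a directory, e.g. a mounted DMG.
# codesign writes its -d report to stderr, hence 2>&1.
scan_dir() {
    find "$1" -maxdepth 3 -type d -name '*.app' 2>/dev/null | while IFS= read -r app; do
        verdict=$(codesign -dv --verbose=4 "$app" 2>&1 | classify_codesign_output)
        printf '%s\t%s\n' "$verdict" "$app"
    done
}

# Constructed sample of codesign output (bundle name and identifier are placeholders).
SAMPLE_FLAGGED='Executable=/Volumes/Example/Example.app/Contents/MacOS/Example
Identifier=com.example.placeholder
Authority=Developer ID Application: Placeholder Name (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GNJLS3UYZ4'

if [ "$#" -gt 0 ]; then scan_dir "$1"; fi
```

`NOT_LISTED` only means the Team ID is absent from the blocklist, not that the app is safe; run the script with a directory argument such as `/Applications` or a mounted volume to scan it.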
