Malware | December 29, 2025 | 4 min read

MacSync Stealer Bypasses macOS Gatekeeper Using Apple's Own Notarization

New variant distributed as signed and notarized Swift app evades built-in security. Jamf Threat Labs traces evolution from ClickFix techniques to silent installer approach.

James Rivera

A new variant of the MacSync Stealer has adopted a distribution method that effectively weaponizes Apple's own security infrastructure against its users. The malware ships as a code-signed and notarized Swift application, meaning Gatekeeper (which checks the signature and notarization) and XProtect (Apple's signature-based malware scanner) let it run without raising a malware warning.

Jamf Threat Labs documented the evolution in a December 22 report, noting that this variant abandons the "drag to terminal" and ClickFix-style social engineering that characterized earlier MacSync campaigns. Instead, it masquerades as a legitimate messaging app installer, requiring no command-line interaction from victims.

How It Works

The malware arrives inside a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, distributed through the domain zkcall.net/download. The installer presents itself as a voice-over-IP messaging application—nothing unusual about downloading a DMG for a new communication tool.

Because the application is signed with a valid Apple Developer ID certificate and has passed Apple's notarization, double-clicking the installer produces no Gatekeeper block and no malware warning. The only prompt is the routine "downloaded from the internet" confirmation that any quarantined, notarized app receives, and the system otherwise treats it as trusted software.

Once launched, the application reaches out to attacker-controlled infrastructure to retrieve an encoded script, which it executes through a helper component. The actual malicious payload runs primarily in memory, leaving minimal forensic traces on disk.

The developers padded the DMG to 25.5MB by embedding decoy PDF files, a technique that makes the installer feel more legitimate while potentially complicating automated analysis. The malware also performs internet connectivity checks before executing, likely to detect sandboxed analysis environments, which are often run without outbound network access.

The Notarization Problem

Apple introduced notarization with macOS Mojave in 2018 and began requiring it for software distributed outside the App Store with Catalina in 2019. Before distribution, developers submit applications to Apple for automated security scanning. Apps that pass receive a "ticket", which can be stapled to the app, that tells Gatekeeper the software has been checked.

The problem: notarization evaluates what exists at submission time, not what an application does after launch. A small Swift binary that merely contacts a remote server contains nothing for Apple's automated scan to flag; the scan looks for known malicious content and checks signing requirements such as the hardened runtime, not for behavior. The malicious activity happens later, when the app fetches additional payloads from its command infrastructure.

This isn't a new evasion technique, but MacSync's implementation demonstrates how mature the approach has become. The threat actors built an application specifically designed to pass notarization's automated checks while reserving actual malicious functionality for runtime.

After Jamf reported the sample to Apple, the associated Developer Team ID was revoked. But revocation is reactive: it stops new launches of that signed code on Macs that can check with Apple, while users whose machines already ran the installer remain compromised, and attackers can simply obtain new developer certificates.

MacSync's Rapid Growth

MacSync Stealer emerged around mid-2025 as a rebrand of Mac.c, a budget information stealer that first appeared in April 2025. After a developer acquired and expanded Mac.c's capabilities, it quickly became a prominent macOS threat, infecting hundreds of machines within months of its rebranding.

The stealer focuses on the usual targets: browser credentials, cryptocurrency wallets, and sensitive files. Its modular architecture allows operators to customize data collection based on target profiles.

This latest variant represents a meaningful operational improvement. Earlier MacSync campaigns required victims to interact with Terminal—a red flag for many users and a friction point that reduced infection rates. The notarized installer approach removes that barrier entirely.

Detection and Response

Organizations running Jamf Protect or similar endpoint detection tools should ensure their solutions can identify this behavioral pattern. Key indicators include:

  • Applications making immediate network connections after launch to retrieve external scripts
  • Encoded payload execution through helper processes
  • A launch that leaves few new files on disk, with the decoded payload running in memory rather than being written out as a script or binary

The specific DMG filename and distribution domain are useful for blocking, but attackers will rotate these. The behavioral pattern—notarized app fetching and executing remote payloads—is the more durable detection signal.
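The three indicators above can be folded into a single behavioral rule: a notarized main executable that, within a short window of launch, opens a network connection and then (itself or through a child helper) hands an interpreter an inline, encoded script. The following is an added illustration of that rule, not Jamf Protect's, Apple's or the article's code. It runs over constructed process and network events; the `Event` schema, the `signer` labels, the bundle paths, the RFC 5737 documentation addresses and the timings are all assumptions for the example. On a real endpoint the same fields would come from the Endpoint Security framework or an EDR's telemetry.

```python
"""Behavioral rule for 'notarized app fetches and executes a remote payload'.
Added example, not Jamf's or Apple's code.  The Event schema, signer labels,
paths, addresses and timings are constructed for the illustration."""
import re
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Event:
    ts: float          # seconds since boot (constructed)
    pid: int
    ppid: int
    kind: str          # "exec" or "connect"
    path: str = ""     # executable path (exec)
    signer: str = ""   # constructed label: "notarized", "developer-id", "adhoc", ""
    dest: str = ""     # remote address (connect)
    argv: tuple = ()   # command line (exec)

INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3"}
WINDOW_SECONDS = 60.0                       # how soon after launch the behavior must occur
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

def inline_script(argv: tuple) -> bool:
    """True when an interpreter receives its program on the command line (-c/-e)
    and that program carries an encoded blob rather than a readable script."""
    for i, arg in enumerate(argv[:-1]):
        if arg in ("-c", "-e"):
            tokens = argv[i + 1].split()
            return any("base64" in t or B64_TOKEN.match(t) for t in tokens)
    return False

def detect(events: Iterable[Event]) -> list[dict]:
    parent: dict[int, int] = {}    # pid -> ppid, to walk descendants back to the app
    apps: dict[int, dict] = {}     # root pid -> launch event plus what followed it

    def root_of(pid: int):
        seen = set()
        while pid in parent and pid not in seen:
            if pid in apps:
                return pid
            seen.add(pid)
            pid = parent[pid]
        return None

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "exec":
            parent[ev.pid] = ev.ppid
            # A notarized main executable starts a new tracked "app" (heuristic path check).
            if ev.signer == "notarized" and "/Contents/MacOS/" in ev.path:
                apps[ev.pid] = {"launch": ev, "connects": [], "scripts": []}
                continue
            if ev.path in INTERPRETERS and inline_script(ev.argv):
                root = root_of(ev.pid)
                if root is not None and ev.ts - apps[root]["launch"].ts <= WINDOW_SECONDS:
                    apps[root]["scripts"].append(ev)
        elif ev.kind == "connect":
            root = root_of(ev.pid)
            if root is not None and ev.ts - apps[root]["launch"].ts <= WINDOW_SECONDS:
                apps[root]["connects"].append(ev)

    # Alert only when both halves of the pattern are present for the same app.
    return [
        {"pid": pid, "app": st["launch"].path,
         "dest": sorted({c.dest for c in st["connects"]}),
         "script": st["scripts"][0].argv}
        for pid, st in apps.items() if st["connects"] and st["scripts"]
    ]

def sample_events() -> list[Event]:
    """Constructed telemetry: a benign chat app, a notarized build tool that runs
    a script file, and the stager-like sequence the article describes."""
    blob = "aGVsbG8gd29ybGQgdGhpcyBpcyBhIGNvbnN0cnVjdGVkIHBheWxvYWQgYmxvYg=="
    return [
        # Benign: notarized chat app connects to its service, spawns nothing.
        Event(10.0, 400, 1, "exec", "/Applications/TeamChat.app/Contents/MacOS/TeamChat", "notarized"),
        Event(11.0, 400, 1, "connect", dest="198.51.100.7"),
        # Benign: notarized dev tool runs a shell script from a file, not inline.
        Event(20.0, 450, 1, "exec", "/Applications/BuildTool.app/Contents/MacOS/BuildTool", "notarized"),
        Event(21.0, 451, 450, "exec", "/bin/sh", "", argv=("/bin/sh", "/Users/dev/build.sh")),
        Event(22.0, 450, 1, "connect", dest="198.51.100.9"),
        # Suspicious: notarized installer connects, then a helper runs an encoded script.
        Event(100.0, 500, 1, "exec", "/Volumes/Installer/Messenger.app/Contents/MacOS/Messenger", "notarized"),
        Event(101.5, 500, 1, "connect", dest="203.0.113.10"),
        Event(102.0, 501, 500, "exec", "/Volumes/Installer/Messenger.app/Contents/Helpers/updater", "notarized"),
        Event(103.0, 502, 501, "exec", "/bin/bash", "",
              argv=("/bin/bash", "-c", f"echo {blob} | base64 -d | bash")),
    ]

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(f"ALERT pid={alert['pid']} app={alert['app']} dest={alert['dest']}")
```

Only the installer sequence produces an alert; the chat app never spawns an interpreter, and the build tool's script comes from a file path rather than an inline blob. The `/Contents/MacOS/` and `-c`/`-e` checks are deliberately simple heuristics and would need tuning against an environment's normal notarized tooling. On the endpoint itself, `codesign -dvv` and `spctl --assess --type execute -vv` on a suspect bundle show the Team ID and notarization state, which is the quickest way to confirm that a sample is in fact signed and notarized as the article describes.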

Individual Mac users should remain skeptical of unfamiliar applications, even when macOS doesn't display warnings. Notarization means that Apple's automated scan found no known malicious content in what was submitted and that the code was signed by a developer Apple had identified at the time. It doesn't mean the software is safe, and it says nothing about what the app downloads and runs later.

Why This Matters

Apple's security model relies heavily on the assumption that signed and notarized applications can be trusted. MacSync's approach directly exploits that assumption, turning Apple's security infrastructure into a liability.

The fix isn't straightforward. More aggressive notarization analysis would catch more threats but also increase friction for legitimate developers. Runtime monitoring—watching what applications do after launch—provides better coverage but conflicts with Apple's privacy commitments.

For now, the gap between "Apple approved this" and "this software is safe" continues to widen. macOS security can no longer be taken for granted based on the absence of Gatekeeper warnings.
