惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Troy Hunt's Blog
Scott Helme
Scott Helme
T
Threat Research - Cisco Blogs
T
Tenable Blog
L
LINUX DO - 热门话题
V
Visual Studio Blog
I
Intezer
Blog — PlanetScale
Blog — PlanetScale
Cisco Talos Blog
Cisco Talos Blog
A
Arctic Wolf
C
Cyber Attacks, Cyber Crime and Cyber Security
F
Fortinet All Blogs
aimingoo的专栏
aimingoo的专栏
Know Your Adversary
Know Your Adversary
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
N
Netflix TechBlog - Medium
SecWiki News
SecWiki News
I
InfoQ
Microsoft Security Blog
Microsoft Security Blog
Project Zero
Project Zero
W
WeLiveSecurity
Microsoft Azure Blog
Microsoft Azure Blog
A
About on SuperTechFans
Recorded Future
Recorded Future
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Vercel News
Vercel News
S
Securelist
Spread Privacy
Spread Privacy
L
LangChain Blog
云风的 BLOG
云风的 BLOG
G
Google Developers Blog
MongoDB | Blog
MongoDB | Blog
Google DeepMind News
Google DeepMind News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
CERT Recently Published Vulnerability Notes
罗磊的独立博客
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
The Last Watchdog
The Last Watchdog
Attack and Defense Labs
Attack and Defense Labs
博客园 - 司徒正美
Help Net Security
Help Net Security
L
Lohrmann on Cybersecurity
人人都是产品经理
人人都是产品经理
Forbes - Security
Forbes - Security
Hacker News - Newest:
Hacker News - Newest: "LLM"
PCI Perspectives
PCI Perspectives
博客园 - 【当耐特】
T
Tor Project blog

Jamf Blog

Jamf Nation Live 2026 London and Berlin: AI Governance and DDM 5 Mac Security Gaps Hiding in Your Apple Fleet Classroom Management Tools and Student Learning Outcomes Mobile forensics, minutes not weeks Turn Security Signals into Action with Jamf and Amplifier Security Strengthen Jamf Zero Trust Network Access With Dedicated Internet Gateway Jamf AI Assistant Now Available: Smarter Apple Device Management and Security MacBook Neo: The New Enterprise Entry Point for Mac at Scale Boost Employee Productivity in the Enterprise with Jamf Platform Authentication and Declarative Device Management: The Future of Apple Management Automation for Small IT Teams: Save Time Managing Macs What a lower-cost MacBook Neo means for education Where Apple Meets the Enterprise: Jamf’s Interoperability Advantage for Secure, Automated Access Control Simplify access, secure your apps: why SSO matters for K-12 Inside Predator’s kernel engine RSA Conference 2026 recap: AI security, enterprise mobile security and the shift to connected security platforms ClickFix technique uses Script Editor instead of Terminal on macOS Why Mac configurations fall out of sync — and how to fix them G2 names Jamf in its 2026 Best Software Awards across three categories Empowering Mac users: How Jamf Self Service+ reduces tier one support overhead for enterprise IT teams Privacy by default, flexible when required: introducing limited privacy in Jamf Safe Internet From arrival to discharge: how iOS is reimagining the healthcare journey Federated Identity Management for K-12 Education Identity and access management in K-12 schools OpenClaw: the helpful AI that could quietly become your biggest insider threat Get Started with Scripting Series: macOS Terminal, Scripting and Jamf Pro API Managing Apple devices at Black Hat Europe with Jamf Scaling device deployments without scaling your IT team How Predator spyware defeats iOS recording indicators Making Mac work in a PC world The hidden costs of manual device provisioning Threat Actors Expand Abuse of Microsoft Visual Studio Code Mac management and security for lean IT teams Automated certificate management and device security integration The hidden risks in your mobile apps “Mac in 2026: Secure by Design Meets the Enterprise” webinar Jamf named a Unified Endpoint Management leader…again! Jamf recognized as a Leader in 2026 Gartner® Magic Quadrant™ for Endpoint Management Tools Predator’s kill switch: undocumented anti-analysis techniques in iOS spyware 2026: what to expect in tech Retail runs on iOS: Let’s take a tour through Jamf’s booth at NRF 2026 Jamf After Dark: How WorkBrew solves Homebrew security and compliance for Mac developers Managing emerging technologies: A playbook for modern IT leaders How schools can maximize learning using Apple devices and Jamf Practical intelligence: why it matters for enterprise teams Jamf Connect Q&A Jamf After Dark October recap: platform progress, identity shifts and security insights Powering managed virtualization and Windows app delivery in Mac-first enterprises FlexibleFerret malware continues to strike Managing Jamf configuration with Terraform and GitOps workflows Back to security basics: phishing Introducing the Jamf 140 Course HIMSS 2026 recap Introducing Beacon by Jamf Threat Labs GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer Android and Jamf: manage and secure your mobile fleet Social engineering in K-12 for beginners Jamf Nation Live 2026: Hands-On Apple Expertise Across Six Cities Developer Mode-as-a-Defense: How iOS Security Features Deter Nation-State Spyware Stop chasing passwords: how school IT can reduce reset tickets Bring Your Own Key (BYOK): Take Control of Your Encryption in Jamf Cloud DarkSword iOS Exploit Kit: 3 Lessons for Mobile Security Threat Labs Jamf Training Celebrates 20 Years of Apple IT Education and Certification Balancing Safety and Learning: K-12 Content Filtering for IT Admins Why Mac security updates take too long and how to fix it Why the Jamf platform is the natural foundation for MSPs Jamf After Dark: mobile forensics Introducing the redesigned Mac threat prevention. Now available in beta.  Beyond access: rethinking the complete Apple deployment strategy for education Gain faster updates and real-time fleet visibility with DDM What the Canvas breach tells us about the state of education security Why K-12 students need web filtering that travels with their devices Jamf spotlighted in Okta Businesses at Work 2026 Report Jamf Nation Live 2026 recap MobiDash internals: ghost clicks and SSH tunnels in commercial adware Tech Partner Spotlight: Jamf + SmallStep MacBook Neo in K-12 Closing the gaps: How Jamf protects macOS and iOS with real-time threat prevention MSP engineering: The art of scoping in Jamf Pro at scale Mac in education is evolving. Jamf School makes it simple Why Apple devices deserve security built for them Seamless Learning Access: Simplicity that puts learning first Reducing IT firefighting: Fewer failed updates, less manual cleanup Apple WWDC26: Keynote recap How Jamf helps maximize your Microsoft investments MTE as a microscope WWDC26: Key takeaways for education institutions WWDC26: Key takeaways for Apple admins The JNUC 2026 session catalog is live — and the clock is ticking Jamf After Dark: Why we moved 1,900+ Apple devices back to Jamf AI governance for Mac: bringing AI under management AI Adoption Is High, Governance Is Lagging Klue Third-Party Cybersecurity Incident How Identity Automation, Claris, and Jamf Simplify Apple Workflows for Education What Is AI Governance? How Proactive Device Status Reporting Transforms Mac Fleet Visibility AI Governance on Mac: A Practical Guide for IT and Security Teams Restaurants Run on iOS: Jamf and IPORT at the NRA Show AI Governance on Mac: A Practical Guide for IT and Security Teams PamStealer: macOS Malware Posing as Clipboard Manager App
From ClickFix to code signed: the quiet shift of MacSync Stealer malware
Jamf Threat Labs · 2026-04-11 · via Jamf Blog

Learn how MacSync Stealer malware has evolved from drag-to-terminal tricks to sophisticated code-signed Swift applications.

A lit Christmas tree is in the foreground of a dark room. A present lays at its base, emblazoned with a malicious app's icon

By Thijs Xhaflaire

Introduction

While reviewing the detections of our in-house YARA rules, Jamf Threat Labs observed a signed and notarized stealer that did not follow the typical execution chains we have seen in the past. The sample in question looked highly similar to past variants of the increasingly active MacSync Stealer malware but was revamped in its design.

Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more deceptive, hands-off approach. Delivered as a code-signed and notarized Swift application within a disk image named zk-call-messenger-installer-3.9.2-lts.dmg , distributed via https://zkcall.net/download, it removes the need for any direct terminal interaction. Instead, the dropper retrieves an encoded script from a remote server and executes it via a Swift-built helper executable.

Jamf Threat Labs has also observed the Odyssey infostealer adopting similar distribution methods in recent variants. Surprisingly, the familiar right-click open instruction is still present in this sample even though the executable is signed and does not require this step.

window with zk-call and messenger, telling the user to right click and then hit open.

Installation instructions

After inspecting the Mach-O binary, which is a universal build, we confirmed that it is both code signed and notarized. The signature is associated with the Developer Team ID GNJLS3UYZ4.

Installer details showing notarization

We also verified the code directory hashes against Apple’s revocation list, and at the time of analysis, none had been revoked.

SHA1, Symhash and CDHash hashes and details showing no revocation

Hashes, none of which are revoked

Another notable observation is the unusually large size of the disk image (25.5MB), which appears to be inflated by decoy files embedded within the app bundle. These include PDFs related to LibreOffice applications.

List of files in the disk image, including two large PDFs to inflate its size

Disk image containing decoy files to inflate its size

At the time of analysis, some of the samples uploaded to VirusTotal were detected by only one antivirus engine, while others were flagged by up to thirteen. Most engines classify them as generic downloaders associated with either the coins or ooiid malware families.

After confirming that the Developer Team ID was used to distribute malicious payloads, Jamf Threat Labs reported it to Apple. Since then, the associated certificate has been revoked.

Initial detection

Most payloads related to MacSync Stealer tend to run primarily in memory and leave little to no trace on disk. Earlier variants are often flagged by Jamf's advanced threat controls, as they typically rely on either a drag-to-terminal approach, where users drop a script file into Terminal, or a ClickFix-style technique that tricks users into pasting a base64 encoded command. In both cases, the payload is decoded using base64 -D, decompressed with gunzip, stored in a variable and executed using eval. This then results in the fetching of a second-stage payload via curl.

In this case, however, it was a threat prevention (YARA) rule monitoring for the execution of obfuscated bash scripts that alerted us, highlighting a subtle but important deviation from previously seen behavior.

Looking at the matched event showed a shell script running at /tmp/runner which raised our suspicions.

The matched event showing a script path in /tmp

Upon further inspection of the matched event, reviewing the responsible process object tied to the script execution becomes revealing, as we can clearly see it was launched from a signed application. The appPath also indicates it is being executed directly from within a mounted disk image, adding to the suspicion.

App path details; app path is in in /Volumes/

App path details

After analyzing the /tmp/runner payload, it becomes clear this is the same script previously seen in MacSync Stealer campaigns. In earlier variants, it was typically executed without being written to disk.

Obfuscated payload

Obfuscated payload

Once decoded, the base64 payload is a match to the usual MacSync Stealer. The same focusgroovy[.]com domain was used in previous payloads as well as an identical daemon_function().

Deobfuscated payload showing a daemon_function used in other MacSync Stealers

Decoded payload

A brief analysis of the Swift-based Mach-O

_main

This section will focus on the universal runtimectl Mach-O binary that comes packaged with the malicious application bundle to validate the earlier observed behavior. The _main function serves as the entry point for the binary. It sets up the application’s state and logging paths, performs a basic internet connectivity check, and if successful, retrieves the second-stage payload.

After resolving the user’s home directory using _NSHomeDirectory(), the application builds several paths for its operation. It creates a log file at ~/Library/Logs/UserSyncWorker.log to record activity and then creates a directory at ~/Library/Application Support/UserSyncWorker/. Within that directory, it maintains additional files such as last_up and gate, used to track execution timing and update state. These files are only created if they do not already exist from previous executions.

The _main function in the Mach-O binary

The _main function in the Mach-O binary

A log message indicating the start of execution is written to ~/Library/Logs/UserSyncWorker.log, and a minimum interval of approximately 3600 seconds is defined, likely to prevent the executable from running multiple times within a short period.

Next, the application performs a conditional check for internet access by calling checkInternet(). Only if connectivity is confirmed does it proceed to execute runInstaller().

A check for internet access and the logging of a string

Checking for internet access

After calling runInstaller() (discussed later), the string Starting update... is logged using log().

If no internet connection is available, another message preflight: internet=false is logged, and the process exits cleanly using _exit(1).

Regardless of the path taken, the application retrieves the current date and time, formats it into a localized string and prints it to the console using print(). It then creates or updates the log file at ~/Library/Logs/UserSyncWorker.log.

This conditional execution logic, tied directly to network availability, reflects an effort to avoid execution in offline or sandboxed environments.

_runInstaller()

A closer look at therunInstaller() function sheds light on how the dropper executes its second-stage payload.

The runInstaller() function implements the full second stage execution logic and acts as a downloader and execution routine. It begins by enforcing a rate limit by reading a previously stored timestamp from a file located in ~/Library/Application Support/UserSyncWorker/last_up. If the file does not exist or if the last recorded execution was more than approximately 3600 seconds ago, the routine proceeds. Otherwise, it logs a message indicating that execution is being deferred due to rate limiting and exits. Below, example log entries indicate an execution has been rate limited.

Once the timing conditions are met, the application invokes checkInternet() again and logs the result. It then removes any previously dropped files from /tmp, such as /tmp/runner. Below are example log entries showing that the preflight internet check was successful.

Next, the function prepares a conditional HTTP request to: https[:]//gatemaden.space/curl/985683bd660c0c47c6be513a2d1f0a554d52d241714bb17fb18ab0d0f8cc2dc6 with a specific user agent UserSyncWorker/1.0 (macOS).

A conditional HTTP request

HTTP request

This request is built using /bin/zsh -lc through NSTask, and the payload is written to /tmp/runner along with headers for validation in /tmp/runner.headers.

Notably, the curl command used to retrieve the payload shows clear deviations from earlier variants. Rather than using the commonly seen -fsSL combination, the flags have been split into -fL and -sS, and additional options like --noproxy have been introduced. These changes, along with the use of dynamically populated variables, point to a deliberate shift in how the payload is fetched and validated, likely aimed at improving reliability or evading detection.

The Curl command for retrieving the payload

Curl command for retrieving the payload

Before launching the payload, the function removes the com.apple.quarantine attribute via removeQuarantine(at:) and ensures the file is executable using _NSFilePosixPermissions with permissions 750 being set.

function clearing the com.apple.quarantine extended attribute

Prior to payload execution, the function clears the com.apple.quarantine extended attribute

Basic validation is performed by first checking if the payload is a script. This is done by shelling out to /usr/bin/file --mime-type -b flags on /tmp/runner and confirming the returned value matches text/x-shellscript. It also runs a separate /usr/bin/file -b command to validate that the output contains the expected string, such as Paul Falstad's zsh script text executable, ASCII text to ensure it's a zsh script. A Gatekeeper check is then performed using spctl -a -v to ensure the downloaded file passes Apple’s security policy.

Finally, after execution completes, the /tmp/runner payload is deleted from disk and the current timestamp is written back to disk at ~/Library/Application Support/UserSyncWorker/last_update to enforce the minimum interval before the next run.

Overall, runInstaller() implements a layered, stateful and evasive dropper routine. It combines environment checks, throttling logic and network requests with conditional updates, Gatekeeper evasion and lightweight validation, all wrapped in a native Swift executable for stealth and persistence. Once the payload has been executed, the typical osascript dialog appears, followed by other behaviors commonly associated with MacStealer activity.

Conclusion

While MacSync Stealer itself is not entirely new, this case highlights how its authors continue to evolve their delivery methods. We have not previously observed this specific dropper, which arrives as a Swift-based, code-signed and notarized application that silently retrieves and executes a second-stage payload.

This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications. By leveraging these techniques, adversaries reduce the chances of being detected early on.

Jamf Threat Labs will continue to track these developments as threat actors refine their tactics and explore new ways to deliver macOS malware.

We strongly recommend that customers ensure threat prevention and advanced threat controls are enabled and set to block mode in Jamf for Mac to stay protected against these latest infostealer variants.

Indicators of compromise

Indicators of compromise (IoCs) are listed below. You can also explore the full collection on VirusTotal.

Dive into more Jamf Threat Labs research on our blog.