macOS Trojan Update: Spreading through Signed App with User Data Encryption Poses Increased Stealth Risk

On December 23, SlowMist Chief Security Officer 23pds shared a post noting that the **MacSync Stealer** malware—active on macOS—has undergone significant evolution, with user assets already compromised. Early versions relied on "drag-and-drop to terminal" and "ClickFix" tactics to trick users; the latest iteration has upgraded to **code-signed, Apple-notarized Swift applications**, drastically boosting stealth. Researchers identified the sample spreading via a disk image (DMG) named `zk-call-messenger-installer-3.9.2-lts.dmg`, disguised as an instant messaging or utility app to lure downloads. Unlike prior variants, the new version requires no terminal actions from users—instead, a built-in Swift helper fetches and runs code from a remote server to execute information theft. The malware is fully code-signed and notarized by Apple, with developer Team ID `GNJLS3UYZ4`. At the time of analysis, Apple had not revoked its associated hashes, granting it higher "trustworthiness" under macOS’s default security settings and making it easier to bypass user vigilance. The DMG also has an unusually large size, containing bait files like LibreOffice-related PDFs to further reduce suspicion. Security researchers note such info-stealing trojans typically target browser data, account credentials, and cryptocurrency wallet details. As malware increasingly abuses Apple’s signing and notarization systems, macOS-based cryptocurrency users face growing risks of phishing attacks and private key exposure.