Cybersecurity experts have identified a new variant of the macOS information stealer named MacSync, which employs a digitally signed Swift application to evade Apple's security measures. This variant is packaged as a messaging app installer, specifically labeled "zk-call-messenger-installer-3.9.2-lts.dmg," and is available at "zkcall[.]net/download."
Jamf researcher Thijs Xhaflaire noted that this version refines its deceptive tactics compared with earlier iterations, taking a more subtle approach to avoid detection. Although Apple has since revoked the code-signing certificate, the application can still execute without being flagged because of its notarized status.
The dropper conducts various checks, including validating internet connectivity and enforcing execution intervals before downloading an encoded payload through a helper component. Notably, the command used to fetch the payload has been altered to improve reliability and evade detection, with changes in flag usage and additional options introduced. Furthermore, the DMG file's size has been inflated to 25.5 MB by including unrelated PDF documents, adding another layer of evasion.
Initially emerging in April 2025, MacSync is a rebranded variant of Mac.c, equipped with advanced capabilities for remote command and control beyond mere data theft, as reported by MacPaw's Moonlock Lab.