Recently, the security community shared an important warning: the MacSync Stealer malware targeting macOS has received a fairly covert technical upgrade.

It has moved on from the earlier, low-effort "drag to Terminal" and "ClickFix" lures, which need the victim to run a pasted command themselves, to a Swift application carrying a legitimate Developer ID code signature and an Apple notarization. Because it clears Gatekeeper under Apple's own trust framework, it looks like legitimate software, and that is the most dangerous aspect.

What makes it even trickier is that the distribution method has become smarter. The malware is disguised as a file named zk-call-messenger-installer-3.9.2-lts.dmg, posing as an instant messaging tool to get you to download it. The new version is also particularly cunning: the user never has to type a command in Terminal. All the dirty work is done by the built-in Swift helper, which pulls scripts from a remote server, executes them, and carries out the data theft.

Security researchers pointed out that the sample is signed under developer Team ID GNJLS3UYZ4, and that at the time of the report Apple had not yet revoked the signing certificate or the notarization ticket for the sample's hash. Under default macOS settings the app therefore opens without the usual Gatekeeper warning, which is enough to get past most users' vigilance. The sample also uses a sleight of hand: the DMG is unusually large, padded with LibreOffice-related PDF files as cover (a common reason for such padding is to push the file past the size limits of scanners and sandboxes).
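Since a notarized signature is exactly what makes this sample pass Gatekeeper, the practical check is to look at who signed it rather than whether it is signed. The following shell script is an added example, not code from the original post or from the researchers it cites: it parses the report that `codesign -dv --verbose=4` prints, extracts the TeamIdentifier, and compares it against a local blocklist seeded with the Team ID named above. The sample report is constructed for offline testing, not captured from the real malware; the bundle identifier and developer name in it are placeholders.

```shell
#!/bin/sh
# Added example: check an app bundle's Developer ID Team ID against a blocklist.
# Team ID GNJLS3UYZ4 is the one named in the post; everything else here
# (the sample report, the bundle identifier, the developer name) is constructed.

# Space-separated Team IDs you refuse to run.
BLOCKLIST="GNJLS3UYZ4"

# Read a `codesign -dv --verbose=4` report on stdin and print its TeamIdentifier.
# Unsigned or ad-hoc signed code reports "TeamIdentifier=not set"; that never
# matches a blocklist entry, so the caller must treat it as untrusted separately.
team_id_from_codesign() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Return 0 if the given Team ID is on the blocklist, 1 otherwise.
is_blocked_team() {
    _candidate="$1"
    for _entry in $BLOCKLIST; do
        [ "$_candidate" = "$_entry" ] && return 0
    done
    return 1
}

# Live usage on macOS (left commented so the script runs anywhere).
# codesign writes its report to stderr, hence the 2>&1.
#   codesign -dv --verbose=4 /Volumes/Installer/SomeApp.app 2>&1 | team_id_from_codesign
#   spctl --assess --type execute -vv /Volumes/Installer/SomeApp.app   # Gatekeeper verdict
#   xcrun stapler validate /path/to/installer.dmg                       # stapled notarization ticket

# Constructed sample report, shaped like codesign output for a Developer ID-signed,
# hardened-runtime app. The Authority line has the form
# "Developer ID Application: NAME (TEAMID)"; the name here is a placeholder.
SAMPLE_REPORT='Executable=/Volumes/Installer/Messenger.app/Contents/MacOS/Messenger
Identifier=com.example.messenger
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: PLACEHOLDER DEVELOPER NAME (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GNJLS3UYZ4
Runtime Version=14.0.0'

# Apply the check to a report passed as a string. Prints a verdict and returns
# 0 when the signer is blocklisted, 2 when there is no Team ID, 1 otherwise.
assess_report() {
    _tid=$(printf '%s\n' "$1" | team_id_from_codesign)
    if [ -z "$_tid" ] || [ "$_tid" = "not set" ]; then
        echo "UNTRUSTED: no Team ID (unsigned or ad-hoc signed)"
        return 2
    fi
    if is_blocked_team "$_tid"; then
        echo "BLOCK: Team ID $_tid is on the blocklist"
        return 0
    fi
    echo "Team ID $_tid is not blocklisted; a valid signature alone is not a clean bill of health"
    return 1
}

assess_report "$SAMPLE_REPORT"
```

A signature check is a blocklist, not an allowlist: a signer you have never heard of passes it, which is precisely the gap this sample exploits. Pair it with the `spctl` verdict and, for anything handling keys or wallets, with the question of whether you expected this software to be signed by this developer at all.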

Users have already lost assets to it. macOS users should not let their guard down: think twice before downloading applications, and check who signed a download before opening it, because a valid signature and notarization no longer mean the software is safe.
TheMemefather
· 2025-12-25 23:43
Are Apple notarizations really foolproof? These hackers' tech stacks are getting more and more outrageous.
--- Mac users are about to suffer again, this time disguised as instant messaging tools. Who would have thought?
--- Pulling scripts directly from the server and executing them, no need to type Terminal commands anymore. That's truly terrifying.
--- Embedding LibreOffice inside a dmg file as a cover, this sleight of hand is quite clever.
--- The revocation didn't even revoke anything. Apple's review capabilities are really concerning.
--- The assets were lost before the warning was issued. Isn't that a bit late, everyone?
--- It seems that malicious software disguised as legitimate apps is the most dangerous. Who dares to click?
--- This team ID has been exposed, and they're still active? Unbelievable.
--- Mac really is becoming a playground for hackers.
FadCatcher
· 2025-12-24 15:44
Is this the same trick again? Can Apple's notarization be bypassed? Then are my assets still safe?
ChainSherlockGirl
· 2025-12-23 07:57
According to my analysis, this thing is really daring to play now: directly using Apple's notarization to appear legitimate, which is even worse than a naked scam. Attention, bystanders: wallets are not only at risk on-chain; your Mac also needs caution, especially with those applications that look particularly "orthodox", as they are often the most deceptive. Remember this team ID: GNJLS3UYZ4. Risk reminder: search first before downloading, don't rush.
not_your_keys
· 2025-12-23 07:50
Apple's code signing is no longer safe, who the hell can defend against this?
--- Another thing disguised as communication software, the old trick but indeed ruthless.
--- Malware written in Swift? The technical content has risen, it seems.
--- dmg files stuffed with LibreOffice as a cover? This logic is too peculiar.
--- With assets being stolen, it really can't hold up; you still have to be more cautious.
--- The fact that code signing has been bypassed shows what? Apple's protection is just so-so.
--- The filename zk-call is really perfunctory; who would really believe this is a communication tool?
--- The team number GNJLS3UYZ4 should have been nailed down; how is it still floating around?
--- Directly pulling scripts from the server for execution, they have made it a one-stop service.
LayerZeroJunkie
· 2025-12-23 07:41
Mac users are in for more trouble; this time even Apple's notarization can be fooled. It's unbelievable.