
MacSync: A Notarized macOS Malware That Slips Past Gatekeeper

Amber | Attack Report

MacSync Stealer: Advanced Notarized macOS Malware Bypasses Gatekeeper Security

MacSync Stealer marks a notable escalation in information-stealing malware targeting macOS users. First identified in 2025, it abuses Apple’s trusted code-signing and notarization processes to bypass macOS Gatekeeper protections without requiring any user interaction, illustrating how adversaries increasingly abuse legitimate platform security mechanisms rather than attempting to break them.

This notarized macOS threat leverages trusted digital signatures and Apple notarization to masquerade as a legitimate messaging application installer. By carrying valid digital signatures that have successfully passed Apple’s notarization process, MacSync Stealer creates a false sense of security, allowing malicious payloads to deploy silently. The malware’s sophisticated approach includes execution-chain cleanup, decoy file embedding, and connectivity verification to evade detection and sandbox analysis.

MacSync Stealer targets sensitive user and enterprise data through credential-harvesting routines and data exfiltration capabilities. Its infection chain is orchestrated by a Swift-based helper component that verifies internet connectivity, executes malicious scripts, and exfiltrates the collected information. This latest variant underscores the growing risk posed by notarized threats that exploit trust-based security models, and the weakness of relying solely on pre-execution trust signals for macOS security.

Attack Details

MacSync Malware Exploitation of Apple Notarization and Code-Signing

MacSync Stealer marks an escalation in macOS malware sophistication: it is delivered as a fully code-signed and notarized Swift application and can deploy malicious payloads without any user interaction, bypassing the trust signals that macOS users rely on for security verification. Its abuse of Apple’s security infrastructure demonstrates a fundamental shift in the macOS threat landscape.

The latest MacSync variant masquerades as a legitimate messaging application installer distributed through the malicious domain zkcall[.]net. Because the MacSync application carries valid digital signatures and has successfully passed Apple’s notarization process, macOS Gatekeeper raises no security warnings during installation. This allows the infection to proceed silently, exploiting user trust in Apple’s security mechanisms.

MacSync Infection Chain and Credential Harvesting Operations

Once executed, the MacSync dropper retrieves an obfuscated script from its command-and-control infrastructure. A Swift-based helper component named runtimectl orchestrates the entire MacSync infection chain by verifying internet connectivity, executing credential-harvesting routines, and systematically exfiltrating sensitive information from compromised macOS systems. This automated approach enables efficient data theft without alerting users.

To further evade detection by security tools, MacSync malware inflates its DMG package size to over 25 MB by embedding decoy PDF files. The malware removes execution artifacts after use, performs connectivity checks to avoid sandboxed analysis environments, and implements multiple anti-analysis techniques. The result is a stealthy, trust-abusing delivery mechanism that exploits Apple’s security model rather than breaking it, highlighting a significant shift toward abuse of legitimate platform protections as a primary attack vector in macOS malware campaigns.

Recommendations

Strengthen Apple Notarization Review Processes for MacSync-Type Threats

Organizations and security teams should expand analysis of notarized macOS applications to detect obfuscated scripts, suspicious network behavior, and abnormal bundle inflation tactics commonly employed by advanced macOS malware like MacSync Stealer. Enhanced scrutiny of notarized applications can help identify malicious code-signed applications that bypass Gatekeeper protections through legitimate channels.
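One concrete way to apply this recommendation, as an added example that is not part of the advisory or of any vendor tool: a Python triage script that walks an unpacked application bundle and flags the two static traits described above, bundle inflation with decoy PDFs and embedded obfuscated scripts (long base64 blobs, or a blob decoded straight into a shell). The bundle layout, file names, thresholds and the base64 sample are constructed for illustration and are not MacSync artifacts.

```python
import base64
import re
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".sh", ".command", ".py", ".scpt", ".applescript"}
# A run of base64 alphabet this long is a blob, not an identifier.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
# An embedded blob being decoded straight into a shell interpreter.
DECODE_TO_SHELL = re.compile(r"base64\s+(-d|-D|--decode)[^|\n]*\|\s*(sh|bash|zsh)\b")


def triage_bundle(root, pdf_ratio_threshold=0.5):
    """Walk an unpacked bundle; return byte totals and a list of (finding, detail)."""
    root = Path(root)
    total = pdf_bytes = 0
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        size = path.stat().st_size
        total += size
        rel = str(path.relative_to(root))
        suffix = path.suffix.lower()
        if suffix == ".pdf":
            pdf_bytes += size
        elif suffix in SCRIPT_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            if B64_BLOB.search(text):
                findings.append(("embedded_base64_blob", rel))
            if DECODE_TO_SHELL.search(text):
                findings.append(("decode_piped_to_shell", rel))
    ratio = pdf_bytes / total if total else 0.0
    if ratio >= pdf_ratio_threshold:
        findings.append(("decoy_pdf_inflation", f"{ratio:.0%} of {total} bytes are PDFs"))
    return {"total_bytes": total, "pdf_ratio": ratio, "findings": findings}


def _write(path, data):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def build_sample_bundle(root, padded=True):
    """Constructed bundle (assumption, not a real sample): a small executable,
    a setup script and, if padded, two large decoy PDFs that dominate its size."""
    root = Path(root)
    # 64-bit Mach-O magic followed by zero padding stands in for a binary.
    _write(root / "Contents/MacOS/Installer", b"\xcf\xfa\xed\xfe" + b"\0" * 2000)
    if padded:
        blob = base64.b64encode(b"constructed sample text " * 12).decode()
        script = ("#!/bin/sh\n"
                  "# constructed sample: decodes an embedded blob into a shell\n"
                  f'PAYLOAD="{blob}"\n'
                  'echo "$PAYLOAD" | base64 -d | sh\n')
        _write(root / "Contents/Resources/setup.sh", script.encode())
        for name in ("guide.pdf", "terms.pdf"):
            _write(root / f"Contents/Resources/{name}", b"%PDF-1.4\n" + b"\0" * 40000)
    else:
        _write(root / "Contents/Resources/setup.sh", b"#!/bin/sh\nopen /Applications\n")
    return root


def demo():
    """Triage a padded and an unpadded constructed bundle; return both reports."""
    with tempfile.TemporaryDirectory() as d:
        return {
            "padded": triage_bundle(build_sample_bundle(Path(d) / "padded")),
            "plain": triage_bundle(build_sample_bundle(Path(d) / "plain", padded=False)),
        }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

For real input, mount the image and pass the `.app` directory to `triage_bundle()`. The 50% PDF threshold is a starting point only; tune it against legitimate document-heavy applications before using it to gate notarized software.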

Enforce Runtime Behavioral Monitoring for MacSync Detection

Deploy comprehensive endpoint security solutions capable of monitoring post-installation behavior on macOS systems, including script execution, credential access attempts, and unauthorized data exfiltration activities. Organizations should shift away from relying solely on pre-execution trust signals and implement behavioral analysis to detect MacSync malware and similar notarized threats that abuse Apple’s security model.

Monitor for MacSync Artifact Cleanup and Evasion Tactics

Security teams should implement detection mechanisms for behaviors such as script self-deletion, decoy file usage, and environment checks that indicate attempts to evade sandboxing or forensic analysis. Monitoring for these MacSync-associated evasion tactics can help identify sophisticated macOS malware campaigns that employ anti-analysis techniques to maintain persistence while avoiding detection.
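The following Python correlation rules, an added example rather than any product's detection content, turn the behaviours named in the two recommendations above and in the infection-chain description (an interpreter spawned from a mounted image, a script executed and then deleted, a connectivity probe followed by a fetch from another host, and keychain access followed by an outbound connection) into checks over an endpoint event stream. The event schema (`ts`, `pid`, `op`, `proc`, `parent`, `args`, `target`), the reachability-host list, the helper path and the sample events are assumptions constructed for this example, not a real telemetry format or real MacSync artifacts.

```python
from collections import defaultdict

# Heuristic list of hosts contacted only to confirm connectivity (assumption).
REACHABILITY_HOSTS = {"captive.apple.com", "www.apple.com", "1.1.1.1"}
KEYCHAIN_MARKER = "/Library/Keychains/"
# Process paths that legitimately read keychains; others are worth an alert.
KEYCHAIN_READERS = ("/usr/bin/security", "/System/")
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript"}
SCRIPT_SUFFIXES = (".sh", ".command", ".scpt", ".py")


def correlate(events, window=60):
    """Return a list of (rule, pid, detail) for every rule that fires.

    Events are dicts with ts (seconds), pid, op (exec|open|unlink|connect),
    proc (executable path), plus parent/args for exec and target for the rest.
    """
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    # Rule 1: an interpreter spawned by a binary running from a mounted image.
    for ev in events:
        if (ev["op"] == "exec" and ev["proc"] in INTERPRETERS
                and ev.get("parent", "").startswith("/Volumes/")):
            alerts.append(("interpreter_from_mounted_image", ev["pid"], ev["parent"]))

    # Rule 2: a script executed and then deleted within the window. Tracked
    # across processes, because the cleanup may come from a helper process.
    first_exec = {}
    for ev in events:
        if ev["op"] == "exec":
            for arg in ev.get("args", []):
                if arg.endswith(SCRIPT_SUFFIXES):
                    first_exec.setdefault(arg, ev["ts"])
        elif ev["op"] == "unlink" and ev["target"] in first_exec:
            if ev["ts"] - first_exec[ev["target"]] <= window:
                alerts.append(("script_self_deletion", ev["pid"], ev["target"]))

    # Rules 3 and 4 look at ordered events within a single process.
    for pid, evs in by_pid.items():
        for i, ev in enumerate(evs):
            later = [e for e in evs[i + 1:] if e["ts"] - ev["ts"] <= window]
            # Rule 3: reachability probe, then a connection to some other host.
            if ev["op"] == "connect" and ev["target"] in REACHABILITY_HOSTS:
                for nxt in later:
                    if nxt["op"] == "connect" and nxt["target"] not in REACHABILITY_HOSTS:
                        alerts.append(("probe_then_fetch", pid, nxt["target"]))
                        break
            # Rule 4: keychain read by an unexpected process, then egress.
            if (ev["op"] == "open" and KEYCHAIN_MARKER in ev["target"]
                    and not ev["proc"].startswith(KEYCHAIN_READERS)):
                for nxt in later:
                    if nxt["op"] == "connect":
                        alerts.append(("keychain_read_then_egress", pid, nxt["target"]))
                        break
    return alerts


HELPER = "/private/tmp/runtimectl"  # constructed path; helper name is from the advisory

# Constructed event stream: one suspicious chain plus benign noise.
SAMPLE_EVENTS = [
    {"ts": 0, "pid": 501, "op": "exec", "proc": "/bin/sh",
     "parent": "/Volumes/Installer/Installer.app/Contents/MacOS/Installer",
     "args": ["/private/tmp/stage.sh"]},
    {"ts": 2, "pid": 502, "op": "exec", "proc": HELPER, "parent": "/bin/sh", "args": []},
    {"ts": 3, "pid": 502, "op": "connect", "proc": HELPER, "target": "captive.apple.com"},
    {"ts": 4, "pid": 502, "op": "connect", "proc": HELPER, "target": "stage-host.invalid"},
    {"ts": 6, "pid": 502, "op": "open", "proc": HELPER,
     "target": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"ts": 7, "pid": 502, "op": "connect", "proc": HELPER, "target": "stage-host.invalid"},
    {"ts": 8, "pid": 502, "op": "unlink", "proc": HELPER, "target": "/private/tmp/stage.sh"},
    # Benign: a browser making connections, and the system tool reading a keychain.
    {"ts": 10, "pid": 600, "op": "connect",
     "proc": "/Applications/Safari.app/Contents/MacOS/Safari", "target": "www.example.com"},
    {"ts": 11, "pid": 70, "op": "open", "proc": "/usr/bin/security",
     "target": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"ts": 12, "pid": 70, "op": "connect", "proc": "/usr/bin/security", "target": "ocsp.apple.com"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Each rule is a sequence within a time window rather than a single indicator, which is what distinguishes the advisory's described chain from ordinary activity: a browser connecting to many hosts or the system `security` tool opening a keychain does not fire on its own.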

Indicators of Compromise (IoCs)

MacSync Malware File Hashes and Network Indicators

Filenames:

  • zk-call-messenger-installer-3.9.2-lts.dmg
  • co.runtime.helper.b3f9a2.dmg

SHA256 Hashes:

  • be961ec5b9f4cc501ed5d5b8974b730dabcdf7e279ed4a8c037c67b5b935d51a
  • 4ae745bc0e4631f676b3d0a05d5c74e37bdfc8da3076208b24e73e5bbea9178f
  • ecfaa20f25e11878686249c7094706bc3dcd2dc0ace0f2932a39d1bfdac85863
  • 7cfe0b119e616ac81ddb1767a5c7f40bec67d91fdd66e53490c0225789537073
  • 06c74829d8eee3c47e17d01c41361d314f12277d899cc9dfa789fe767c03693e
  • c4d3e5cdb264eded917cd61b8131c40715c0ee3f4d2c94c84d60fa295ca4ed97
  • 9990457feac0cd85f450e60c268ddf5789ed4ac81022b0d7c3021d7208ebccd3
  • 9d43e059111460c4f81351a062fb7eb7dbfd34988a06d756c7206f330c06cb42
  • 2e671bd9673d174de9b4ad8fd03049859e1d2d17ac9bc49ecc5d736505002937

Malicious URL:

  • hxxps[:]//gatemadenp[.]space/curl/985683bd660c0c47c6be513a2d1f0a554d52d241714bb17fb18ab0d0f8cc2dc6

Malicious Domains:

  • focusgroovy[.]com
  • zkcall[.]net

MITRE ATT&CK TTPs

MacSync Stealer Tactics, Techniques, and Procedures

Execution (TA0002):

  • T1059: Command and Scripting Interpreter

Persistence (TA0003):

  • T1543: Create or Modify System Process

Defense Evasion (TA0005):

  • T1553: Subvert Trust Controls
  • T1553.002: Code Signing
  • T1553.001: Gatekeeper Bypass
  • T1027: Obfuscated Files or Information
  • T1027.010: Command Obfuscation
  • T1140: Deobfuscate/Decode Files or Information
  • T1497: Virtualization/Sandbox Evasion
  • T1497.001: System Checks
  • T1070: Indicator Removal
  • T1070.004: File Deletion
  • T1036: Masquerading

Credential Access (TA0006):

  • T1555: Credentials from Password Stores

Discovery (TA0007):

  • System and environment discovery techniques

Collection (TA0009):

  • T1005: Data from Local System

Command and Control (TA0011):

  • T1071: Application Layer Protocol
  • T1071.001: Web Protocols

Exfiltration (TA0010):

  • T1041: Exfiltration Over C2 Channel
