MacSync macOS Malware Distributed via Signed Swift Application
securityweek

A recent MacSync Stealer version no longer requires users to directly interact with the terminal for execution.


The developers of a macOS malware named MacSync Stealer have updated their delivery mechanism, eliminating the need for direct terminal interaction, Jamf reports.
The MacSync Stealer emerged roughly half a year ago, as a rebrand of Mac.c, a macOS information stealer that was first seen in April 2025.
Mac.c was a cheap alternative to established macOS stealers, and was acquired by a malware developer who quickly expanded its capabilities and turned it into a prominent threat.
In addition to the information-stealing capabilities inherited from Mac.c, MacSync Stealer was retrofitted with backdoor capabilities through a fully-featured Go-based agent.
Similar to most macOS infostealers, it relied on social engineering techniques, such as ClickFix, to trick users into executing malicious scripts, leading to infection.
A recently observed sample, however, eliminates this step, taking ...
Copyright of this story solely belongs to securityweek.

