律动BlockBeats|Dec 23, 2025 06:30
MacOS Trojan Upgrade: Spreading by Disguising Signature Applications, Encrypting Users Face More Hidden Risks
BlockBeats News: On December 23rd, 23pds, the Chief Information Security Officer of SlowMist, shared in a post that the MacSync Stealer malware active on the macOS platform has clearly evolved and user assets have been stolen. The article forwarded by it mentioned that the Swift application has been upgraded from relying on low threshold inducement methods such as "drag and drop to terminal" and "ClickFix" in the early days to code signing and notarized by Apple, significantly improving its stealthiness.
The researchers found that the sample was spread in the form of disk images called zk call sensor installer 3.9.2-lts.dmg, which were disguised as instant messaging or utility applications to induce users to download. Unlike before, the new version does not require users to perform any terminal operations, but instead uses built-in Swift auxiliary programs to pull and execute coding scripts from remote servers to complete the information theft process.
The malicious program has completed code signing and has been notarized by Apple. The developer team ID is GNJLS3UYZ4, and the relevant hash has not been revoked by Apple at the time of analysis. This means that it has higher "credibility" under the default macOS security mechanism, making it easier to bypass user vigilance. The study also found that the DMG has an abnormally large volume and contains decoy files such as LibreOffice related PDFs to further reduce suspicion.
Security researchers point out that such information theft Trojans often target browser data, account credentials, and encrypted wallet information as their main targets. As malicious software begins to systematically abuse Apple's signature and notarization mechanisms, encrypted asset users are facing an increasing risk of phishing and private key leakage in macOS environments.
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink