macOS Trojan Upgrades: Spreading through Signed App, Encrypting Users Face More Covert Risk

By: theblockbeats.news|2025/12/23 06:52:00
0
Share
copy

BlockBeats News, December 23, SlowMist Chief Security Officer 23pds shared a post stating that the MacSync Stealer malware active on the macOS platform has undergone significant evolution, with user assets already being stolen. The article shared by him mentioned that from earlier reliance on "drag-and-drop to Terminal" and "ClickFix" and other low-threshold inducement methods, it has upgraded to code signing and through Apple notarized Swift applications, significantly improving its stealthiness.

Researchers found that this sample is being spread in the form of a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, disguised as instant messaging or utility applications to induce users to download. Unlike before, the new version no longer requires any terminal operation by the user but is pulled and executed by a built-in Swift helper from a remote server to complete the information theft process.

This malware has been code signed and notarized by Apple, with the developer team ID being GNJLS3UYZ4, and the related hash has not been revoked by Apple during analysis. This means that it has a higher "trust level" under macOS's default security mechanisms, making it easier to bypass user vigilance. Research also found that the DMG file is unusually large, containing decoy files related to LibreOffice PDFs, among others, to further reduce suspicion.

Security researchers pointed out that such information-stealing trojans often target browser data, account credentials, and cryptocurrency wallet information. As malware begins to systematically abuse Apple's signing and notarization mechanism, cryptocurrency users in the macOS environment are facing an increasing risk of phishing and private key leaks.

Users are strongly advised to ensure that threat prevention and advanced threat control are enabled in Jamf for Mac and set to blocking mode to defend against these latest variants of information-stealing malware.

You may also like

Should You Buy Bitcoin Now? What the Data Says After a 50% Pullback

Should you buy Bitcoin now? Explore Bitcoin's nearly 50% pullback, ETF outflows, on-chain data, Strategy's BTC sale, and historical trends to assess whether July 2026 is a buying opportunity.

Founder of Baixing.com: I believe half of the statement that large language models devour everything

The internet has been shouting for so many years about devouring everything. Has it really devoured everything now? Is it the internet that devours everything, or is it the large models that devour everything? Both are devouring, and nothing is left?

A "legal" robbery? Attackers emptied the BonkDAO treasury by buying tickets

Handing over the keys to the vault to a public vote where "anyone can spend money to participate," without sufficient oversight mechanisms, even the most legitimate governance ideals may turn into the most convenient tools for attackers.

How has Binance's stock business performed in the 30 days since its launch?

Emerging market buying supported the first wave of demand.

WEEX P2P now supports BDT & LKR—Merchant Recruitment Now Open

To make crypto deposits easier, WEEX has officially launched its P2P trading platform and continues to expand fiat support. We're excited to announce that the Bangladeshi Taka (BDT) and Sri Lankan Rupee (LKR) are now available on WEEX P2P!

Morning News | SK Hynix officially launches the marketing promotion process for its U.S. stock listing; the Central Cyberspace Administration announces the results of the first phase of rectifying AI application chaos, with over 14,000 non-compliant pr...

July 6 Market Important Events Overview

Popular coins

Latest Crypto News

Read more
iconiconiconiconiconiconicon
Customer Support:@weikecs
Business Cooperation:@weikecs
Quant Trading & MM:bd@weex.com
VIP Program:support@weex.com