What happened
Security researchers at Jamf Threat Labs have discovered a new variant of the MacSync information-stealing malware that is distributed as a legitimately code-signed and notarized Swift application in order to bypass Apple's macOS Gatekeeper protections. Unlike earlier variants, which relied on complex manual techniques, this version arrives as a signed, notarized disk image masquerading as a trusted application, so the usual warnings about unidentified developers are never shown. The stealer can install backdoors for persistent access, harvest stored credentials and browser data, and target cryptocurrency wallet information. Attackers obtain legitimate developer certificates through theft, compromised accounts, or fraudulent identities so that the malware appears authentic, and a command-and-control server, including focusgroovy[.]com, is used to fetch additional payloads.
Who is affected
macOS users and organizations with Apple device fleets are at risk of data theft and persistent compromise if the malicious software is installed, especially through deceptive distribution channels.
Why CISOs should care
Signed malware that bypasses platform security controls like Gatekeeper can undermine endpoint defenses, highlighting the need for enhanced application control, code integrity verification, and robust monitoring of macOS environments.
3 practical actions
- Harden application control: Enforce strict policies that block or scrutinize unsigned and unfamiliar signed applications.
- Enhance endpoint monitoring: Deploy detection for anomalous or persistent processes linked to unauthorized app installations.
- Audit developer certificates: Track and revoke suspicious or unused code-signing certificates in enterprise environments.
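The first two actions above hinge on one check that Gatekeeper alone does not perform: a signature and notarization from an unfamiliar developer should be treated as "review", not "trusted". The following is an added example (not Jamf's or Apple's code) that parses the Key=Value output of the real macOS tools `codesign -dvvv` and `spctl -a -vv` and grades an app bundle against an enterprise Team ID allow list; the allow list, the sample tool output and all Team IDs are constructed placeholders.

```python
import subprocess

# Constructed allow list of enterprise-approved Apple Team IDs (placeholder values).
ALLOWED_TEAM_IDS = {"AAAA111111"}

def parse_kv(output: str) -> dict:
    """Parse the Key=Value lines printed by `codesign -dvvv` and `spctl -a -vv`.
    Repeated keys (e.g. several Authority= lines) are kept as a list, in order."""
    info = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info.setdefault(key.strip(), []).append(value.strip())
    return info

def assess(codesign_out: str, spctl_out: str) -> str:
    """Return 'block', 'review' or 'allow' for one app bundle.
    A valid Developer ID signature plus notarization only lifts the verdict to
    'review'; 'allow' additionally requires the signing Team ID to be on the
    enterprise allow list, because a stolen or fraudulently obtained certificate
    passes Gatekeeper exactly like a legitimate one."""
    cs = parse_kv(codesign_out)
    sp = parse_kv(spctl_out)
    team = cs.get("TeamIdentifier", ["not set"])[0]  # codesign prints 'not set' for ad-hoc
    accepted = bool(spctl_out) and ": accepted" in spctl_out.splitlines()[0]
    notarized = "Notarized" in sp.get("source", [""])[0]
    if team == "not set" or not accepted or not notarized:
        return "block"   # unsigned, ad-hoc, revoked, or not notarized
    if team not in ALLOWED_TEAM_IDS:
        return "review"  # Gatekeeper-clean, but an unfamiliar developer
    return "allow"

def assess_path(app_path: str) -> str:
    """Run the real macOS tools (both print to stderr) and grade the bundle."""
    cs = subprocess.run(["codesign", "-dvvv", app_path], capture_output=True, text=True)
    sp = subprocess.run(["spctl", "-a", "-vv", app_path], capture_output=True, text=True)
    return assess(cs.stdout + cs.stderr, sp.stdout + sp.stderr)

# Constructed sample tool output: a notarized app signed by an unfamiliar Team ID.
UNFAMILIAR_CODESIGN = """Executable=/Volumes/Installer/Sync.app/Contents/MacOS/Sync
Identifier=com.example.sync
Authority=Developer ID Application: Example Dev (ZZZZ999999)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZ999999
"""
UNFAMILIAR_SPCTL = """/Volumes/Installer/Sync.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Dev (ZZZZ999999)
"""
# Constructed sample: an ad-hoc signed app with no Team ID.
ADHOC_CODESIGN = "Executable=/tmp/Tool.app/Contents/MacOS/Tool\nIdentifier=tool\nTeamIdentifier=not set\n"
ADHOC_SPCTL = "/tmp/Tool.app: rejected\nsource=no usable signature\n"
```

Run `assess_path("/Applications/Some.app")` on a Mac to grade a real bundle; anything that returns "review" is the case this advisory describes and belongs in an analyst queue rather than on an allow list.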
