Cybersecurity researchers at Jamf have discovered a new variant of the MacSync macOS information stealer that uses a digitally signed, notarized Swift application to bypass Apple’s Gatekeeper and XProtect security controls.
The malware is distributed as a code-signed and notarized Swift application within a disk image file named “zk-call-messenger-installer-3.9.2-lts.dmg” hosted on a malicious domain. Being signed and notarized means the app can run without being flagged by macOS built-in security controls — though Apple has since revoked the code signing certificate.
The Swift-based dropper performs evasion checks including verifying internet connectivity, enforcing a minimum execution interval of ~3600 seconds, removing quarantine attributes, and using obfuscated curl commands. The payload is MacSync, a rebranded version of the Mac.c stealer that first emerged in April 2025, featuring a fully-featured Go-based backdoor with remote command and control capabilities.
Researchers noted this reflects a broader trend of macOS malware increasingly using signed and notarized executables to bypass Apple’s defenses.