
New MacSync Malware Bypasses macOS Gatekeeper to Steal Crypto

By

Shweta Chakrawarty

SlowMist issued an alert regarding a new MacSync malware variant that bypasses macOS Gatekeeper to steal crypto wallets and iCloud data.


Quick Take

Summary is AI generated, newsroom reviewed.

  • MacSync malware bypasses macOS Gatekeeper using signed Swift applications.

  • The stealer targets iCloud keychains, browser passwords, and crypto wallets.

  • It uses file bloat and self-destruct scripts to evade security detection.

  • Attackers disguise the malware as legitimate installers like zk-Call messenger.

A new variant of the MacSync malware is actively targeting macOS users, and security researchers warn that it can slip past Apple's built-in protections to steal sensitive data, including cryptocurrency wallets. The alert came from SlowMist, whose chief information security officer reported that some users have already suffered asset losses. The variant marks a shift in macOS threat sophistication: unlike older versions, it evades detection while appearing legitimate to the operating system.

How the Malware Evades macOS Security

The new MacSync variant can bypass macOS Gatekeeper, the system check that blocks untrusted applications from launching. According to researchers, it layers several techniques to avoid detection: file bloat, which pads the binary with junk data to disguise the malicious code and push the file past the size limits that many scanners will inspect; network verification, which checks the execution environment before the payload proceeds, a common way of staying inert in sandboxes and analysis virtual machines; and self-destruct scripts that remove traces after the malware has run.
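Added example (not from the article, SlowMist or Jamf): a small triage helper for the file-bloat technique described above. It treats a file as bloated when it is large and the last 64 KiB consist of a single repeated byte value, which is what zero- or 0xFF-padding looks like; the 50 MiB default threshold, the function name and the tail sample size are assumptions chosen for illustration. Padding made of random bytes defeats the tail check, so in that case file size alone is the signal.

```shell
#!/bin/sh
# Constructed triage helper, not code from the article or from SlowMist/Jamf.
# Flags a file that has been "bloated": a sizeable binary whose tail is one
# repeated byte value (typically 0x00), padding added to push it past scanner
# size limits. Thresholds are assumptions chosen for illustration.
#
# Usage: bloat_check FILE [MIN_SIZE_BYTES]
#   exit 0 = looks bloated, 1 = does not, 2 = not a regular file

TAIL_BYTES=65536          # how much of the file tail is sampled

bloat_check() {
  file="$1"
  min_size="${2:-52428800}"   # 50 MiB default; small files are not worth flagging

  [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 2; }

  # total size; tr strips the padding BSD wc prints before the number
  size=$(wc -c < "$file" | tr -d ' ')

  # number of distinct byte values in the last TAIL_BYTES of the file:
  # dump every byte as a decimal (-v keeps od from collapsing repeats),
  # one per line, then count unique values
  distinct=$(tail -c "$TAIL_BYTES" "$file" \
             | od -An -v -tu1 \
             | tr -s ' ' '\n' \
             | grep . \
             | sort -u \
             | grep -c .)

  if [ "$size" -ge "$min_size" ] && [ "$distinct" -le 1 ]; then
    printf 'BLOATED %s size=%s distinct_tail_bytes=%s\n' "$file" "$size" "$distinct"
    return 0
  fi
  printf 'ok      %s size=%s distinct_tail_bytes=%s\n' "$file" "$size" "$distinct"
  return 1
}

# run directly: bloat_check on the path(s) given on the command line
if [ "$#" -gt 0 ]; then
  bloat_check "$@"
fi
```

Run it as `sh bloat_check.sh /Volumes/Installer/SomeApp.app/Contents/MacOS/SomeApp` on the mounted disk image; a hit is a reason to strip the padding and submit the trimmed binary to a scanner, not proof of malice on its own, since some legitimate installers also ship large zero-filled regions.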

As a result, the malware often leaves little evidence on disk. Once executed, it goes after highly sensitive data: iCloud Keychain contents, passwords stored in browsers and cryptocurrency wallet files. In many cases attackers have full access before the user notices anything is wrong.

Shift to Code Signed Malware Raises Risk

Further analysis from Jamf Threat Labs shows that the malware's delivery method has evolved. Earlier MacSync versions relied on social engineering, such as tricking the victim into pasting a command into Terminal or running a script by hand. The new variant instead arrives as a Swift application that is code-signed and notarized, distributed inside disk image files that look like legitimate installers. Because the signature and notarization ticket are valid, the app passes Gatekeeper's initial checks without triggering a warning; it does not exploit a flaw in Gatekeeper so much as satisfy it. Apple can revoke the Developer ID certificate and the notarization ticket once a sample is reported, so a given build does not stay trusted indefinitely.
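Added example (not from the article, SlowMist or Jamf): how a responder can see exactly what Gatekeeper sees for a suspect app bundle from a disk image, using Apple's own spctl, codesign, stapler and xattr tools. A signed and notarized sample of the kind described above reports "accepted" with "source=Notarized Developer ID", and the Authority and TeamIdentifier lines name the certificate to report to Apple. The function name and exit codes are assumptions; the tools only exist on macOS, so on any other system the helper reports that and stops.

```shell
#!/bin/sh
# Constructed triage helper, not code from the article or from SlowMist/Jamf.
# Shows what Gatekeeper would decide for an app bundle, who signed it,
# whether a notarization ticket is stapled, and whether the quarantine
# attribute is present. Requires the macOS command-line tools.
#
# Usage: assess_bundle /Volumes/Installer/SomeApp.app
#   exit 0 = Gatekeeper would allow it (spctl "accepted"),
#   other  = spctl's own status, 2 = no such bundle, 3 = not running on macOS

assess_bundle() {
  app="$1"
  [ -d "$app" ] || { echo "no such bundle: $app" >&2; return 2; }
  command -v spctl >/dev/null 2>&1 || {
    echo "spctl not found; run this on macOS" >&2; return 3; }

  echo "== Gatekeeper assessment (exit 0 = accepted)"
  # -t exec assesses launch, as Gatekeeper does for a quarantined app;
  # -vv prints the source (e.g. 'Notarized Developer ID') and origin
  spctl -a -t exec -vv "$app"
  gk=$?

  echo "== Signing identity (the chain to report if the sample is malicious)"
  codesign -dvvvv "$app" 2>&1 | grep -E '^(Identifier|TeamIdentifier|Authority|Timestamp)='

  echo "== Stapled notarization ticket (absent does not mean un-notarized;"
  echo "   spctl also checks Apple's servers when online)"
  if command -v xcrun >/dev/null 2>&1; then
    xcrun stapler validate "$app" 2>&1 | tail -n 1
  else
    echo "   xcrun/stapler not available"
  fi

  echo "== Quarantine attribute (Gatekeeper only evaluates quarantined files at launch)"
  xattr -p com.apple.quarantine "$app" 2>/dev/null || echo "   (no quarantine attribute)"

  return "$gk"
}

# run directly on the bundle path given on the command line
if [ "$#" -gt 0 ]; then
  assess_bundle "$1"
fi
```

Assess the bundle while it is still on the mounted disk image, before copying or opening it. An "accepted" result with a valid Developer ID is expected for this kind of sample and is exactly why the bypass works; the useful output is the signing chain, which is what Apple needs in order to revoke the certificate and ticket.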

After launch, the application quietly downloads and executes a second-stage payload. Much of this activity runs in memory, reducing the chance that traditional file-scanning antivirus tools will detect it. Researchers say this reflects a broader trend: more macOS malware now uses signed and notarized executables to appear trustworthy and delay discovery.

Crypto Wallets Remain a Primary Target

The malware's focus on crypto wallets highlights the rising risk to digital asset holders. Once attackers extract private keys or recovery data, stolen funds are usually unrecoverable. Reports indicate that some affected users lost crypto shortly after infection, with no signs of forced transactions or exchange hacks; instead, attackers accessed wallets directly from the compromised devices. Security experts warn that crypto users are especially exposed because many keep wallets, browser extensions and credentials on personal laptops without additional safeguards.

What Users Should Do Now

SlowMist urged macOS users to avoid downloading software or plugins from unknown sources, since even installers that appear legitimate may carry hidden risks. Experts also recommend enabling advanced threat protection tools, keeping systems updated and storing crypto assets in hardware wallets where possible. Users should treat any unexpected installer or security prompt with caution. As attackers refine their techniques, macOS is no longer a low-risk environment; the MacSync case shows that even built-in protections can be bypassed. For crypto holders, vigilance remains essential.
