Malicious software targets macOS users, bypasses security warnings

- Malware slips in without triggering security alerts
- Targeting sensitive data of high-value users
Apple device management and information security experts have revealed that a new piece of malware known as MacSync Stealer is capable of infecting macOS devices by masquerading as a legitimate application, requiring minimal user interaction.
The report said that previous macOS campaigns required persuading users to run infected applications using intrusive techniques such as “ClickFix” social engineering or the advanced-user “drag-to-terminal” method.
MacSync Stealer differs in that it is downloaded from a link that appears to be an ordinary utility and comes as a code-signed and notarized application approved by Apple.
Once installation begins, the malware dropper retrieves its files from a remote command-and-control server.
Oddly, the download link still instructs victims to right-click and select “Open,” even though the signed application does not technically require this step to complete the infection.
The danger lies in the fact that the malware carries a developer signature considered legitimate by macOS and has not been flagged as malicious, rendering security warnings ineffective and giving attackers an opportunity to bypass protections.
The Apple device management experts confirmed that the application’s certificate was revoked only after the company was notified of the issue.
The malware primarily aims to steal data from high-value users, including account credentials, API keys, and cryptocurrency wallets.
