A sophisticated macOS infostealer campaign is actively targeting government and enterprise endpoints. MacSync Stealer, distributed as a Malware-as-a-Service (MaaS) operation, has evolved through three distinct campaigns since November 2025, each iteration demonstrating deliberate adaptation to macOS security controls.
The Cyber Threat Intelligence team at the Center for Internet Security has uncovered an active MacSync Stealer campaign targeting macOS systems. The February 2026 campaign variant, confirmed to have impacted state, local, tribal, and territorial (SLTT) government organisations in the United States, now employs a fileless, in-memory execution architecture that sidesteps conventional endpoint detection. If your organisation deploys macOS at scale, this campaign demands your attention now.
In parallel reporting, Red Piranha Threat Intelligence has also identified MacSync as an active malware family targeting macOS environments. The campaign abuses code signing and the notarisation workflow, Apple’s process for validating third party applications, to bypass Gatekeeper protections designed to ensure only trusted software executes on macOS systems.
The malware incorporates multiple defensive evasion techniques, including decoy files, execution chain cleanup, and sandbox detection to hinder analysis and detection. Its primary objective is credential harvesting and data exfiltration.
This behaviour highlights how attackers are systematically adapting their tradecraft to exploit trusted platform controls introduced by Apple, turning security mechanisms into an additional layer of social and technical trust that can be manipulated to facilitate compromise.
The Setup
Following a submission from an impacted organisation, the Center for Internet Security Cyber Threat Intelligence team uncovered a broader opportunistic campaign using fake CAPTCHA pages and ClickFix lures delivered via search engine optimisation poisoning.
The payloads were designed to maximise impact across multiple web browsers. CIS assesses it is highly likely threat actors will continue using ClickFix variants throughout 2026 due to the technique’s scalability, low barrier to entry, and ability to compromise large numbers of victims quickly. The advisory includes indicators of compromise and mitigation guidance to support defensive response.
ClickFix is a social engineering technique that exploits user trust rather than a software vulnerability. Victims are presented with a convincing error, CAPTCHA, or security prompt claiming that an issue must be fixed.
When the user clicks the provided button, they are instructed to paste and execute a command, typically through PowerShell or a terminal, which initiates the download and execution of malware. This approach bypasses many technical controls by relying on user interaction as the execution vector.
Red Piranha Threat Intelligence has also reported on the increasing use of ClickFix, reinforcing that this technique is becoming a preferred initial access vector due to its effectiveness, simplicity, and ability to evade traditional security controls.
The intrusion begins with routine user action. An employee sits at a Mac and performs a standard web search, often looking for a free PDF or similar content. Among the top search results appears a site that looks credible and relevant. The user clicks, expecting to download the document.
Instead, the page presents what appears to be a legitimate security verification step. It resembles a CAPTCHA and instructs the user to open Terminal and paste a command to proceed. Because the page looks authentic and aligns with familiar security workflows, the request does not immediately raise suspicion. The user complies.
That single command execution is sufficient to compromise the system. Within minutes, sensitive data is exfiltrated, including browser credentials, session cookies, SSH private keys, AWS credentials, Keychain data, shell history, and Apple Notes. The information is transmitted to attacker-controlled infrastructure.
This is the MacSync Stealer campaign. It is currently active, specifically targeting macOS users in government and enterprise environments, and it demonstrates a level of sophistication that many organisations still underestimate.
A Malware Business, Run Like a Business
MacSync Stealer is not custom-built for each intrusion. It is a commercial Malware as a Service offering leased to cybercriminal operators who deploy it against chosen targets.
The developers maintain and evolve the codebase, adapt the architecture in response to defensive controls, and operate the backend infrastructure. Affiliates focus only on distribution and victim acquisition. This is the SaaS operating model applied directly to credential theft and data exfiltration.
Researchers have tracked three distinct MacSync campaigns since November 2025, each showing deliberate and measurable evolution. The November 2025 campaign used a fake ChatGPT Atlas browser as lure content delivered through sponsored Google search results.
By December 2025, operators refined their social engineering. Paid search placements began directing victims to genuine shared ChatGPT conversations that were carefully written to resemble legitimate Mac maintenance guidance. Those conversations then redirected users to convincing GitHub themed installation pages, reinforced with trust building language aimed at experienced users.
This December activity generated more than 18,000 clicks across tracked domains within just three days. Russian language comments embedded in campaign tracking scripts indicate the developers likely operate within a Russian speaking ecosystem.
The February 2026 campaign, which impacted a confirmed government organisation and prompted the advisory underpinning this article, represents the most significant architectural advancement to date.
Why This Version Is Harder to Catch
Earlier MacSync variants relied on native macOS binaries. That approach became increasingly difficult as Apple strengthened Gatekeeper enforcement and notarisation requirements. The developers responded by abandoning binaries altogether.
The February 2026 variant delivers its payload through shell scripts and AppleScript executed entirely in memory. No meaningful artefacts are written to disk, leaving no binary signatures or file hashes for traditional controls to inspect. The infostealer runs within osascript, a trusted Apple signed executable that many endpoint detection policies are designed to allow by default. This behaviour is intentional and central to the campaign’s design.
This architectural shift appears to be a direct response to Apple’s ongoing security improvements. The operators are clearly monitoring defensive advancements and rapidly adapting their tradecraft accordingly.
Following the Infrastructure
The confirmed compromise began when an employee at a US government organisation was redirected from a poisoned search result to a fake CAPTCHA page hosted on filegrowthlabs[.]com. The page instructed the user to paste a base64 encoded command into Terminal.
When decoded, the command silently retrieved a zsh shell script from mansfieldpediatrics[.]com, a domain designed to impersonate a legitimate paediatric medical practice and piped it directly into execution. No file was written to disk, and no download prompt appeared, significantly reducing the likelihood of user suspicion or traditional detection.
The curl request contained a 64-character hexadecimal token embedded within the path. This token uniquely identified the victim, enabled correlation across the command-and-control infrastructure, and prevented execution within sandboxed analysis environments. The malware performed anti-analysis checks before initiating further activity.
From an attribution and detection perspective, a critical indicator strengthens campaign linkage. The Center for Internet Security Cyber Threat Intelligence team previously published a deobfuscated script excerpt from a separate MacSync sample collected during the same campaign period that included a hardcoded API key: 5190ef1733183a0dc63fb623357f56d6.
The same API key was present in the script delivered to the confirmed government victim. While the operators rotate domains to evade blocklists, this persistent authentication value provides a consistent fingerprint across deployments. Its presence within an enterprise environment should be treated as a high confidence indicator of compromise requiring immediate investigation.
What Happens Once You Are Infected
The shell script immediately detaches from the Terminal session and redirects all output to /dev/null, leaving no visible indication of execution. From the user’s perspective, nothing appears to happen.
It then contacts the command and control infrastructure via the /dynamic endpoint to retrieve the second stage payload. This payload is an AppleScript generated specifically for the victim, embedded with the system’s unique identifier and, where available, preconfigured with credentials obtained earlier in the infection chain.
The AppleScript terminates the Terminal window to remove any visible trace of shell activity and creates a randomly named directory under /tmp/sync[7 digit random]/ to serve as a staging location. The next objective is credential acquisition.
If the macOS account does not have a password configured, the malware proceeds without prompting and also extracts Chrome's stored master password. If a password is present, the malware displays a convincing authentication dialog that mimics macOS System Preferences, including the legitimate LockedIcon.icns icon. The prompt reads "Required Application Helper. Please enter password for continue" and loops until the correct password is entered, with no option to cancel. Most users comply.
After completing data collection, the malware displays a final decoy message stating that the Mac does not support the application and suggesting a reinstall or download of a compatible version. This message is intended to explain any unusual behaviour and reduce the likelihood of reporting or investigation.
The Haul
The payload runs data collection modules. Here is the list:
- Browsers. All of them. Chrome, Brave, Edge, Opera, Firefox, Arc, Vivaldi, Waterfox. 13 Chromium-based browsers and four Gecko-based browsers. Cookies, saved passwords, autofill data, browsing history, extension storage. All of it.
- Keychain. The encrypted database Apple uses to store your passwords, certificates, and keys is copied wholesale.
- Shell history. .zsh_history and .bash_history are particularly damaging in enterprise environments. Engineers routinely type AWS credentials, database connection strings, API tokens, and SSH commands into their terminal. Every one of those commands is now in an attacker's hands, along with a roadmap to your internal infrastructure.
- Cloud credentials. AWS credentials, Kubernetes configuration files, SSH private keys, and other cloud provider key material pulled directly from your home directory.
- Telegram account. The entire local data directory for Telegram Desktop is copied, enabling account takeover without requiring a password or bypassing two-factor authentication.
- Files. PDFs, Word documents, .pem files, .kdbx password manager databases, .ovpn VPN configs, wallet files, seed files — anything under 10 MB matching those extensions from your Desktop, Documents, and Downloads folders.
- Crypto wallets. Over 80 browser-based wallet extensions and 20+ desktop wallet applications are targeted. But the most dangerous piece is the trojanisation of the Ledger hardware wallet application. The malware replaces the app's core files with versions that capture seed phrases and exfiltrate them to a completely separate endpoint at main.mon2gate[.]net. This backdoor survives malware removal. If Ledger was opened after the infection window, those seed phrases should be treated as gone.
Everything gets compressed into /tmp/osalogging.zip and exfiltrated in 10 MB chunks via HTTP PUT requests, with up to eight retry attempts. Then the staging directory is deleted.
Indicators of Compromise and MITRE ATT&CK Techniques Observed
| Type | Value |
| --- | --- |
| Domain | filegrowthlabs[.]com |
| Domain | houstongaragedoorinstallers[.]com |
| Domain | main.mon2gate[.]net |
| Domain | mansfieldpediatrics[.]com |
| API Key (campaign fingerprint) | 5190ef1733183a0dc63fb623357f56d6 |
| SHA256 | c56a1b268f358d9fb4d6264932706b53a7347e2544bb5f26355b0c7fc1d299d8 |
| SHA256 | 866993e9950250ac2ce8c3b4c6a8bd39285e0fafd93860f235a3b0370f160dd1 |
| Staging path | /tmp/sync[7-digit-random]/ |
| Exfil archive | /tmp/osalogging.zip |
The SHA256 hashes represent recovered script content. Because execution is in-memory via pipe, do not expect these to appear as on-disk artefacts.
Domains

| Category | Value |
| --- | --- |
| Domain | filegrowthlabs[.]com |
| Domain | houstongaragedoorinstallers[.]com |
| Domain | main.mon2gate[.]net |
| Domain | mansfieldpediatrics[.]com |
URLs

| Category | Value |
| --- | --- |
| URL | hxxp://filegrowthlabs[.]com/s3/?c=AA-0uWlVgQUAHYwCAFVTOQASAAAAAACP |
| URL | hxxps://main.mon2gate[.]net/modules/wallets |
| URL | hxxp://mansfieldpediatrics[.]com/curl/b2955c54eb0c047463993b379e015e737aabed37b456aeb0957cf84cdb0ed1f0 |
| URL | hxxp://mansfieldpediatrics[.]com/dynamic?txd=b2955c54eb0c047463993b379e015e737aabed37b456aeb0957cf84cdb0ed1f0 |
| URL | hxxp://mansfieldpediatrics[.]com/gate?buildtxd=b2955c54eb0c047463993b379e015e737aabed37b456aeb0957cf84cdb0ed1f0 |
| URL | hxxps://mansfieldpediatrics[.]com/ledger/b2955c54eb0c047463993b379e015e737aabed37b456aeb0957cf84cdb0ed1f0 |
| URL | hxxps://mansfieldpediatrics[.]com/ledger/live/b2955c54eb0c047463993b379e015e737aabed37b456aeb0957cf84cdb0ed1f0 |
SHA256 Hashes

| Type | Value |
| --- | --- |
| SHA256 | c56a1b268f358d9fb4d6264932706b53a7347e2544bb5f26355b0c7fc1d299d8 |
| SHA256 | 866993e9950250ac2ce8c3b4c6a8bd39285e0fafd93860f235a3b0370f160dd1 |
MITRE ATT&CK Techniques Observed

| Tactic | Technique ID | Technique |
| --- | --- | --- |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains |
| Resource Development | T1583.006 | Acquire Infrastructure: Web Services |
| Resource Development | T1608.004 | Stage Capabilities: Drive-by Target |
| Resource Development | T1608.006 | Stage Capabilities: SEO Poisoning |
| Initial Access | T1189 | Drive-by Compromise |
| Execution | T1204.001 | User Execution: Malicious Link |
| Execution | T1204.002 | User Execution: Malicious File |
| Execution | T1204.004 | User Execution: Malicious Copy and Paste |
| Execution | T1059.002 | Command and Scripting Interpreter: AppleScript |
| Execution | T1059.004 | Command and Scripting Interpreter: Unix Shell |
| Persistence | T1554 | Compromise Host Software Binary |
| Defence Evasion | T1027 | Obfuscated Files or Information |
| Defence Evasion | T1036.005 | Masquerading: Match Legitimate Resource Name or Location |
| Defence Evasion | T1070.004 | Indicator Removal: File Deletion |
| Defence Evasion | T1140 | Deobfuscate or Decode Files or Information |
| Defence Evasion | T1218 | System Binary Proxy Execution |
| Defence Evasion | T1497.001 | Virtualization or Sandbox Evasion: System Checks |
| Defence Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| Credential Access | T1056.002 | Input Capture: GUI Input Capture |
| Credential Access | T1552.001 | Unsecured Credentials: Credentials in Files |
| Credential Access | T1555.001 | Credentials from Password Stores: Keychain |
| Credential Access | T1555.003 | Credentials from Password Stores: Web Browsers |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1217 | Browser Information Discovery |
| Collection | T1005 | Data from Local System |
| Collection | T1074.001 | Data Staged: Local Data Staging |
| Collection | T1119 | Automated Collection |
| Collection | T1539 | Steal Web Session Cookie |
| Collection | T1560.001 | Archive Collected Data |
| Command-and-Control | T1071.001 | Application Layer Protocol: Web Protocols |
| Command-and-Control | T1102 | Web Service |
| Command-and-Control | T1568 | Dynamic Resolution |
| Exfiltration | T1020 | Automated Exfiltration |
| Exfiltration | T1030 | Data Transfer Size Limits |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
What You Should Do
Block the domains at DNS. All four should be in your blocklist today. CIS's MDBR service had blocked over 2.5 million DNS requests related to this campaign by 31 March 2026.
Hunt for the API key. Search your proxy logs, endpoint telemetry, and NDR data for 5190ef1733183a0dc63fb623357f56d6. A match is not circumstantial. It is confirmation.
Flag osascript execution chains. Legitimate enterprise use of osascript is narrow. Any invocation spawned from a Terminal session or triggered by a shell pipe is worth investigating.
Restrict Full Disk Access on macOS endpoints. MacSync Stealer's file collection adapts to the permissions it can obtain. Less access means less stolen.
Update macOS. Apple added Terminal paste protection in macOS Tahoe 26.4, a native warning shown when pasted commands may be harmful. It exists specifically because of attacks like this.
Check your Ledger installation. If any macOS endpoint in your environment may have been infected, verify Ledger application integrity against known-good file hashes before it is used again. Removal of the stealer does not remove the backdoor.
Train your people on ClickFix. No technical control fully compensates for someone who pastes a command into Terminal because a webpage told them to. Awareness programmes in 2026 must cover this technique explicitly.
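As an added example that is not code from the advisory or from Red Piranha, the following Python script applies the hunting steps above (the four domains, the campaign API key, the 64-hex per-victim token, and runs of 10 MB HTTP PUT requests) to a constructed proxy log and correlates the hits per client. The log layout, the `k=` placement of the API key, the PUT upload path and the two-chunk threshold are assumptions; the domains, token and other URLs are the advisory's, re-armed for matching.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators from the advisory above, with the [.] defanging removed so they match live logs.
MACSYNC_DOMAINS = {"filegrowthlabs.com", "houstongaragedoorinstallers.com",
                   "main.mon2gate.net", "mansfieldpediatrics.com"}
CAMPAIGN_API_KEY = "5190ef1733183a0dc63fb623357f56d6"
# Per-victim identifier: a 64-hex token seen in the /curl, /dynamic, /gate and /ledger
# requests, either as a path segment or as the txd / buildtxd query value.
VICTIM_TOKEN = re.compile(r"(?:/|txd=)([0-9a-f]{64})(?![0-9a-f])")
CHUNK_BYTES = 10 * 1024 * 1024   # exfiltration is sent as 10 MB HTTP PUT chunks
MIN_PUT_CHUNKS = 2               # assumed threshold before a PUT run is tagged as chunked exfil
# Assumed proxy log layout (constructed for this example, not any vendor's format):
#   <timestamp> <client_ip> <method> <url> <status> <bytes_sent_by_client>
LOG_LINE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) (\d+)$")


def classify(line):
    """Return (client_ip, tags, token, is_put_chunk) for one log line, or None if unparseable."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    _ts, ip, method, url, _status, nbytes = m.groups()
    host = (urlsplit(url).hostname or "").lower()
    tags = set()
    if host in MACSYNC_DOMAINS:
        tags.add("c2-domain")
    if CAMPAIGN_API_KEY in url:
        tags.add("api-key")        # survives domain rotation: treat as confirmed compromise
    tok = VICTIM_TOKEN.search(url)
    if tok and host in MACSYNC_DOMAINS:
        tags.add("victim-token")
    is_chunk = host in MACSYNC_DOMAINS and method == "PUT" and int(nbytes) <= CHUNK_BYTES
    return ip, tags, (tok.group(1) if tok else None), is_chunk


def hunt(lines):
    """Correlate hits per client IP; clients with no indicator at all are not returned."""
    hits = defaultdict(lambda: {"tags": set(), "tokens": set(), "put_chunks": 0})
    for line in lines:
        parsed = classify(line)
        if not parsed or not parsed[1]:
            continue
        ip, tags, token, is_chunk = parsed
        rec = hits[ip]
        rec["tags"] |= tags
        if token:
            rec["tokens"].add(token)
        if is_chunk:
            rec["put_chunks"] += 1
            if rec["put_chunks"] >= MIN_PUT_CHUNKS:
                rec["tags"].add("chunked-exfil")   # 10 MB PUT run to C2 = staged archive leaving
    return dict(hits)


TOKEN = "b2955c54eb0c047463993b379e015e737aabed37b456aeb0957cf84cdb0ed1f0"  # token from the advisory URLs
SAMPLE_LOG = [  # constructed lines; the /put path and the k= parameter are assumed, not observed
    "2026-02-10T09:14:02Z 10.20.30.41 GET http://filegrowthlabs.com/s3/?c=AA-0uWlVgQUAHYwCAFVTOQASAAAAAACP 200 0",
    f"2026-02-10T09:14:40Z 10.20.30.41 GET http://mansfieldpediatrics.com/curl/{TOKEN} 200 0",
    f"2026-02-10T09:14:41Z 10.20.30.41 GET http://mansfieldpediatrics.com/dynamic?txd={TOKEN}&k={CAMPAIGN_API_KEY} 200 0",
    f"2026-02-10T09:16:05Z 10.20.30.41 PUT http://mansfieldpediatrics.com/put/{TOKEN}/1 200 10485760",
    f"2026-02-10T09:16:09Z 10.20.30.41 PUT http://mansfieldpediatrics.com/put/{TOKEN}/2 200 10485760",
    f"2026-02-10T09:16:12Z 10.20.30.41 PUT http://mansfieldpediatrics.com/put/{TOKEN}/3 200 3145728",
    "2026-02-10T09:16:30Z 10.20.30.99 GET https://www.apple.com/ 200 0",
]
```

Run `hunt(SAMPLE_LOG)` to see the single-client record the correlation produces; the same function can be pointed at real proxy export lines once `LOG_LINE` is adjusted to the local format.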
Where Crystal Eye Fits In
Red Piranha's Crystal Eye will catch this campaign at multiple points in the kill chain and that matters, because no single control stops it alone.
The Network Detection and Response engine identifies the C2 communication patterns: the authentication handshake to the /dynamic endpoint, the HTTP PUT exfiltration in 10 MB segments, and the anomalous osascript process generating outbound traffic where none should exist.
Crystal Eye's integrated threat intelligence feeds carry the four domains and the campaign API key as active indicators, meaning DNS requests to MacSync infrastructure are blocked before the shell script ever downloads.
The Secure Web Gateway component intercepts the SEO-poisoned redirect before the fake CAPTCHA page loads, which is where most endpoint tools arrive too late. And if an endpoint does get through all of that, Crystal Eye's TDIR workflow surfaces the full event chain: the suspicious Terminal activity, the /tmp/sync staging directory creation, and the outbound ZIP transfer, correlated into a single incident with context rather than thirty separate alerts that nobody has time to join up manually.
The Bottom Line
MacSync Stealer sits well above standard commodity stealers in capability and intent. It is a professionally maintained MaaS platform operated by people who pay attention to defensive improvements and adapt to them quickly. The move to in-memory execution was not accidental. It was a response to Apple making binary-based delivery harder, and it worked.
If your organisation runs macOS, particularly across engineering, DevOps, finance, or executive functions, this campaign should be on your radar. The exfiltration of shell history files alone can hand an attacker everything they need to pivot from a single infected laptop into your cloud infrastructure.
Block the domains, hunt the API key, and stop assuming macOS is the safer platform. It is not immune. It is just differently targeted.
Does detecting malicious activity pose a significant challenge for your organisation?
Crystal Eye, best-in-class Threat Detection, Investigation and Response (TDIR), allows you to catch what the other products in its class missed by detecting all known malware and C2 callouts.
Improve your organisation's security posture and minimise risk to your organisation with our Network Detection and Response program alongside the Managed Detection and Response (MDR) service.
Disclaimer: This article draws on threat intelligence originally published by the Multi-State Information Sharing and Analysis Center (MS-ISAC) in advisory OCAR-2026-4 (April 2026, TLP:GREEN). Red Piranha's Crystal Eye platform provides detection coverage across the MITRE ATT&CK patterns documented in this campaign.