Security Firm Warns of MacSync Stealer: A New Threat Targeting macOS Users’ Cryptocurrency and Credentials

3 hours ago

Introduction

SlowMist, a cybersecurity company specializing in blockchain protection, has issued a severe alert about new malicious software identified as “MacSync Stealer” (v1.1.2) that is designed specifically for macOS systems. This infostealer targets Apple users with the aim of siphoning off cryptocurrency funds and stealing sensitive infrastructure credentials.

Malware Tactics

The cybercriminals behind this malware employ sophisticated social engineering strategies aimed at tricking users and circumventing their security measures. One notable tactic involves the use of counterfeit AppleScript dialog boxes that closely resemble authentic macOS password request prompts, enabling them to harvest usernames and passwords without arousing suspicion.

Once a victim is ensnared and submits their credentials, the malware discreetly gathers and transmits their data in the background. To further deceive users, it presents a misleading “not supported” error message immediately after the extraction is concluded, creating the illusion that the application has simply malfunctioned.
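For defenders, the fake password prompt described above can be hunted in process-execution telemetry. The sketch below is an added example, not code from SlowMist or from this article; it assumes the prompt is launched through `osascript` with AppleScript's `with hidden answer` option, and the event fields and sample command lines are constructed for illustration.

```python
import re
import shlex

# Constructed process-execution events (illustrative only, not from the report).
# Field names "pid", "parent" and "cmd" are hypothetical; map them to your EDR schema.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent": "Installer.app",
     "cmd": "osascript -e 'display dialog \"macOS needs your password to continue\" "
            "default answer \"\" with hidden answer with title \"System Preferences\"'"},
    {"pid": 4102, "parent": "Terminal",
     "cmd": "osascript -e 'display dialog \"Build finished\" buttons {\"OK\"}'"},
    {"pid": 4103, "parent": "zsh", "cmd": "ls -la /Users/alice/Documents"},
    {"pid": 4104, "parent": "Updater",
     "cmd": "/usr/bin/osascript -e 'display dialog \"Enter PASSWORD\" "
            "default answer \"\" with hidden answer'"},
]

# A dialog that masks typed input is how a script imitates a password field.
HIDDEN_INPUT = re.compile(r"display\s+dialog\b.*\bwith\s+hidden\s+answer\b", re.I | re.S)
PASSWORD_WORDING = re.compile(r"\bpass(word|code)\b", re.I)


def is_osascript(cmd):
    """True when the executable (with or without a path) is osascript."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes in truncated telemetry
        argv = cmd.split()
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "osascript"


def score_event(event):
    """Return the list of reasons an event looks like a scripted password prompt."""
    cmd = event["cmd"]
    if not is_osascript(cmd):
        return []
    reasons = []
    if HIDDEN_INPUT.search(cmd):
        reasons.append("masked-input dialog")
    if PASSWORD_WORDING.search(cmd):
        reasons.append("password wording")
    return reasons


def suspicious_pids(events):
    """Flag events that both mask input and ask for a password."""
    return [e["pid"] for e in events if len(score_event(e)) == 2]


if __name__ == "__main__":
    for pid in suspicious_pids(SAMPLE_EVENTS):
        print(f"review pid {pid}: scripted password prompt")
```

Genuine macOS authorization prompts are not drawn by `osascript`, so a match is worth triaging together with the parent process and any network activity that follows it.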

Targeted Information

In addition to targeting cryptocurrency wallets, MacSync Stealer seeks to compromise browser login information, macOS system Keychains, and crucial infrastructure keys, including those related to SSH, AWS, and Kubernetes.

Broader Threat Landscape

This emerging threat is part of a broader trend; for instance, the security team at Bybit recently discovered another deceptive malware campaign aimed at macOS users seeking Claude Code. Moreover, Microsoft Threat Intelligence has linked a separate, highly sophisticated macOS operation to “Sapphire Sleet,” a state-sponsored hacking group from North Korea known for its elaborate ruses that impersonate legitimate macOS software updates to pilfer cryptocurrency assets.

Further highlighting this growing issue, the “Infinity Stealer” has shown how malware tactics originally tailored for Windows systems are being adapted to macOS environments. It utilizes a “ClickFix” method to lead victims to a phony CAPTCHA page. Additionally, the cybersecurity firm SOC Prime has reported on another macOS infostealer called “MioLab,” which is commercially available and specifically engineered to target high-profile individuals, particularly within the cryptocurrency community.
