Executive Summary
In June 2025, security researchers uncovered a new campaign leveraging a variant of the MacSync information stealer, which specifically targets macOS devices. In this incident, attackers distributed malware using a digitally signed and Apple-notarized Swift-based application disguised as a messaging app installer. This approach allowed the threat to bypass Apple Gatekeeper security controls designed to prevent unauthorized software execution. Once executed, the stealer harvested sensitive user data—such as browser credentials, wallets, and system information—and exfiltrated it to remote attacker-controlled servers, posing significant operational and reputational risks to affected organizations and users.
This incident highlights a growing trend wherein adversaries employ legitimate-looking, signed applications to circumvent platform defenses. With an uptick in sophisticated macOS attacks and abuse of code-signing, organizations need to bolster defenses and maintain heightened vigilance for notarized application threats in enterprise environments.
Why This Matters Now
The MacSync incident underscores an urgent need for enterprises to reassess trust in signed and notarized applications, as attackers increasingly use these mechanisms to evade native security features. With more business workflows shifting to macOS and threat actors rapidly iterating their techniques, organizations risk widespread compromise and data loss if code-signing is relied upon as a primary line of defense.
Attack Path Analysis
The attack began when a user downloaded and installed a notarized, signed Swift application masquerading as a messaging app, bypassing macOS Gatekeeper controls. Upon execution, the malicious installer ran with the user's privileges and possibly attempted to escalate access to harvest sensitive data. The malware likely sought to discover and move laterally toward additional resources or accounts, though macOS security boundaries limited such actions. The stealer then established command and control by initiating outbound connections to attacker infrastructure. Data exfiltration occurred as information was sent over the network, potentially in unencrypted form. The primary impact was the compromise of sensitive user and organizational data, posing significant privacy and regulatory risks.
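The two sections above make one defensive point: a Gatekeeper "accepted" verdict and a notarization ticket prove only that Apple processed the bundle, not that the organization trusts its publisher. The script below is an added example, not code from the advisory, from Apple, or from any vendor. It parses the text that Apple's `codesign -dvv` and `spctl -a -vv` print for an app bundle and applies an enterprise policy on top of Gatekeeper: the bundle must be accepted, notarized, built with the hardened runtime, and signed by a Developer ID Team ID on an organization-maintained allowlist. The Team IDs, bundle name and tool output embedded below are constructed sample data.

```python
"""Trust assessment of a macOS app bundle beyond "signed and notarized".

Added example (not from the advisory, Apple, or any vendor). Parses the text
printed by `codesign -dvv` and `spctl -a -vv` and applies an organization
policy in which notarization is necessary but never sufficient: the signing
Team ID must also be on an approved allowlist. All sample data is constructed.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed allowlist of Developer ID Team IDs the organization has vetted.
APPROVED_TEAM_IDS: Set[str] = {"ABCDE12345"}

# Constructed sample of what `codesign -dvv /Applications/ChatInstaller.app`
# prints (on stderr) for a Developer ID signed app with the hardened runtime.
CODESIGN_SAMPLE = """\
Executable=/Applications/ChatInstaller.app/Contents/MacOS/ChatInstaller
Identifier=com.example.chatinstaller
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Dev (ZZ9999ZZ99)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZ9999ZZ99
Runtime Version=14.0.0
"""

# Constructed sample of `spctl -a -vv /Applications/ChatInstaller.app` output.
SPCTL_SAMPLE = """\
/Applications/ChatInstaller.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Dev (ZZ9999ZZ99)
"""


@dataclass
class SigningInfo:
    identifier: Optional[str] = None
    team_id: Optional[str] = None
    hardened_runtime: bool = False
    authorities: List[str] = field(default_factory=list)
    gatekeeper_verdict: Optional[str] = None  # "accepted" or "rejected"
    source: Optional[str] = None              # e.g. "Notarized Developer ID"


def parse_signing_output(codesign_text: str, spctl_text: str) -> SigningInfo:
    """Extract the fields the policy needs from the two tools' text output."""
    info = SigningInfo()
    for line in codesign_text.splitlines():
        # CodeDirectory flag 0x10000 is printed as "(runtime)": hardened runtime.
        if line.startswith("CodeDirectory") and "(runtime)" in line:
            info.hardened_runtime = True
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Identifier":
            info.identifier = value.strip()
        elif key == "TeamIdentifier":
            info.team_id = value.strip()
        elif key == "Authority":
            info.authorities.append(value.strip())
    for line in spctl_text.splitlines():
        m = re.search(r":\s*(accepted|rejected)\b", line)
        if m:
            info.gatekeeper_verdict = m.group(1)
        elif line.startswith("source="):
            info.source = line[len("source="):].strip()
    return info


def evaluate(info: SigningInfo, approved_team_ids: Set[str]) -> Tuple[str, List[str]]:
    """Return ("allow" | "block", reasons). Notarization alone never allows."""
    reasons: List[str] = []
    if info.gatekeeper_verdict != "accepted":
        reasons.append("Gatekeeper did not accept the bundle")
    if not info.source or "Notarized" not in info.source:
        reasons.append("bundle is not notarized")
    if not info.hardened_runtime:
        reasons.append("hardened runtime not enabled")
    if info.team_id not in approved_team_ids:
        reasons.append(f"Team ID {info.team_id!r} is not on the approved allowlist")
    return ("block" if reasons else "allow"), reasons


def collect_signing_output(app_path: str) -> Tuple[str, str]:
    """Run the real tools (macOS only); parsing is kept separate so it is testable."""
    cs = subprocess.run(["codesign", "-dvv", app_path], capture_output=True, text=True)
    sp = subprocess.run(["spctl", "-a", "-vv", app_path], capture_output=True, text=True)
    # Both tools write their report to stderr; stdout is merged in for safety.
    return cs.stderr + cs.stdout, sp.stderr + sp.stdout


if __name__ == "__main__":
    verdict, why = evaluate(parse_signing_output(CODESIGN_SAMPLE, SPCTL_SAMPLE),
                            APPROVED_TEAM_IDS)
    print(verdict, why)
```

On the constructed sample the bundle is accepted by Gatekeeper, notarized and hardened, yet the verdict is `block`, because the Team ID is not on the allowlist; that is exactly the gap the advisory describes. On a real Mac, `collect_signing_output("/Applications/Foo.app")` feeds the parser with live tool output.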
Kill Chain Progression
Initial Compromise
Description
User installs a notarized, signed malicious app disguised as a messaging installer, bypassing Apple Gatekeeper and triggering malware execution.
Related CVEs
CVE-2021-30657
CVSS 5.5. A logic issue in macOS allowed malicious applications to bypass Gatekeeper checks, leading to the execution of untrusted code.
Affected Products:
Apple macOS – < 11.3
Exploit Status:
exploited in the wild
CVE-2022-32910
CVSS 5.5. A vulnerability in macOS Archive Utility allowed attackers to bypass Gatekeeper checks by crafting malicious archives.
Affected Products:
Apple macOS – < 12.5
Exploit Status:
exploited in the wild
CVE-2023-32352
CVSS 5.5. A logic issue in macOS allowed applications to bypass Gatekeeper checks, potentially leading to the execution of untrusted code.
Affected Products:
Apple macOS – < 13.4
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Phishing
User Execution: Malicious File
Subvert Trust Controls: Code Signing
Command and Scripting Interpreter: AppleScript
Deobfuscate/Decode Files or Information
Data from Local System
Exfiltration Over Web Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Identification and Authentication for All Non-Console Access
Control ID: 10.2.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 9
CISA ZTMM 2.0 – Inventory and Trust Assessment of Devices
Control ID: Device Pillar: Asset Management
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
MacSync information stealer bypassing Apple Gatekeeper through signed applications threatens software development environments requiring enhanced egress security and zero trust segmentation controls.
Financial Services
Information stealer targeting macOS systems poses critical data exfiltration risks to financial institutions, demanding strengthened encrypted traffic controls and anomaly detection capabilities.
Health Care / Life Sciences
Healthcare organizations using macOS face HIPAA compliance violations from credential theft, requiring multicloud visibility controls and threat detection systems for patient data protection.
Computer/Network Security
Cybersecurity firms must address sophisticated signed malware bypassing Gatekeeper, implementing inline IPS inspection and cloud native security fabric for comprehensive threat prevention.
Sources
- New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper: https://thehackernews.com/2025/12/new-macsync-macos-stealer-uses-signed.html
- Updated macOS Malware Uses a Code-Signed Swift App to Bypass Built-In macOS Gatekeeper Protections: https://www.mactrast.com/2025/12/updated-macos-gatekeeper-malware-uses-a-code-signed-swift-app-to-bypass-built-in-macos-gatekeeper-protections/
- Malware uses notarization to bypass macOS Gatekeeper: https://appleinsider.com/articles/25/12/23/malware-bypassed-macos-gatekeeper-by-abusing-apples-notarization-proccess
- Jamf Threat Labs identifies macOS Archive Utility vulnerability allowing for Gatekeeper bypass (CVE-2022-32910): https://www.jamf.com/blog/jamf-threat-labs-macos-archive-utility-vulnerability/
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, advanced egress control, and real-time traffic inspection would have curtailed malicious app reach, blocked command-and-control, detected anomalies, and enforced encryption to protect data in transit—even when endpoint controls are bypassed. Distributed policy enforcement in the CNSF fabric helps limit the damage and exposure from user-initiated compromise.
Control: Zero Trust Segmentation
Mitigation: Reduces blast radius by restricting a new app's network access to only authorized destinations, and blocks unauthorized lateral access from compromised workloads or users.
Control: East-West Traffic Security
Mitigation: Detects and blocks attempts to traverse internal network segments.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents malware from reaching unknown or unapproved external destinations.
Control: Encrypted Traffic (HPE)
Mitigation: Ensures all data in transit is encrypted, reducing data theft risk and enabling egress inspection.
Rapid detection and alerting minimizes impact and supports immediate incident response.
Impact at a Glance
Affected Business Functions
- User Authentication
- Data Security
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of user credentials, including iCloud Keychain data, browser-stored passwords, and cryptocurrency wallet information.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation to ensure malicious apps cannot freely access sensitive workloads or move laterally in the environment.
- Implement robust egress filtering and outbound policy enforcement to block malware C2 and unauthorized data exfiltration destinations.
- Mandate encryption for all data in transit, both between workloads and to the internet, to reduce risk from unencrypted data theft.
- Continuously monitor east-west and outbound flows with anomaly detection for rapid threat identification and response.
- Employ distributed, cloud-native network controls to limit blast radius and isolate compromised endpoints in real-time.
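The recommendations above (egress filtering, encryption in transit, anomaly detection on outbound flows) are easiest to reason about as concrete rules over outbound connection records. The script below is an added example, not from the advisory or from any vendor product. It evaluates flow records against an egress allowlist and a baseline of processes known to make outbound connections, flags plaintext egress, and raises a volume alert when one process sends more than a threshold to a non-allowlisted destination. The JSON-lines record format, the hostnames, process names and every flow record are constructed assumptions, not real telemetry.

```python
"""Outbound-flow review against an egress allowlist and a process baseline.

Added example (not from the advisory or any vendor). Applies egress-filtering,
encryption-in-transit and outbound anomaly rules to flow records and returns
the alerts a policy engine or SIEM rule would raise. All hostnames, process
names and flow records below are constructed; the record format is assumed.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed egress allowlist: destinations workstations may reach directly.
EGRESS_ALLOWLIST: Set[str] = {"api.example-corp.test", "updates.example-corp.test"}
# Constructed baseline of processes previously observed making outbound connections.
PROCESS_BASELINE: Set[str] = {"Safari", "Slack", "softwareupdated"}
# Ports the policy treats as encrypted transport (a port heuristic, not TLS inspection).
ENCRYPTED_PORTS: Set[int] = {443}
# Bytes one (host, process, destination) triple may send before a volume alert fires.
VOLUME_THRESHOLD = 500_000

# Constructed sample flow records as JSON lines (203.0.113.0/24 is a documentation range).
SAMPLE_FLOWS: List[str] = [
    json.dumps({"ts": "2025-06-10T09:00:00Z", "host": "mac-01", "process": "Safari",
                "dst": "api.example-corp.test", "port": 443, "bytes_out": 1200}),
    json.dumps({"ts": "2025-06-10T09:01:10Z", "host": "mac-01", "process": "ChatInstaller",
                "dst": "203.0.113.10", "port": 80, "bytes_out": 250}),
    json.dumps({"ts": "2025-06-10T09:01:12Z", "host": "mac-01", "process": "ChatInstaller",
                "dst": "203.0.113.10", "port": 80, "bytes_out": 900000}),
    json.dumps({"ts": "2025-06-10T09:05:00Z", "host": "mac-01", "process": "softwareupdated",
                "dst": "updates.example-corp.test", "port": 443, "bytes_out": 500}),
]


def parse_flow(line: str) -> Dict:
    """Parse one JSON flow record and require the fields the rules depend on."""
    rec = json.loads(line)
    for key in ("ts", "host", "process", "dst", "port", "bytes_out"):
        if key not in rec:
            raise ValueError(f"flow record missing {key!r}")
    return rec


def evaluate_flows(lines: Iterable[str],
                   allowlist: Set[str] = EGRESS_ALLOWLIST,
                   baseline: Set[str] = PROCESS_BASELINE,
                   threshold: int = VOLUME_THRESHOLD) -> List[Dict]:
    """Return per-flow alerts followed by aggregate volume alerts."""
    alerts: List[Dict] = []
    volume: Dict[tuple, int] = defaultdict(int)
    for line in lines:
        f = parse_flow(line)
        reasons: List[str] = []
        if f["dst"] not in allowlist:
            reasons.append("egress_not_allowlisted")   # default-deny egress policy
        if f["process"] not in baseline:
            reasons.append("new_process_outbound")     # unfamiliar binary talking out
        if f["port"] not in ENCRYPTED_PORTS:
            reasons.append("plaintext_egress")         # data in transit not encrypted
        if reasons:
            # Non-allowlisted destinations are blocked outright; the rest only alert.
            action = "block" if "egress_not_allowlisted" in reasons else "alert"
            alerts.append({"ts": f["ts"], "host": f["host"], "process": f["process"],
                           "dst": f["dst"], "action": action, "reasons": reasons})
        volume[(f["host"], f["process"], f["dst"])] += f["bytes_out"]
    # Aggregate rule: large outbound volume to a destination outside the allowlist.
    for (host, proc, dst), total in volume.items():
        if dst not in allowlist and total > threshold:
            alerts.append({"host": host, "process": proc, "dst": dst, "action": "alert",
                           "reasons": ["exfil_volume"], "bytes_out": total})
    return alerts


if __name__ == "__main__":
    for a in evaluate_flows(SAMPLE_FLOWS):
        print(json.dumps(a))
```

Run as-is, the two flows from the unfamiliar process to the non-allowlisted address are blocked (they also trip the plaintext rule because they use port 80), and the aggregate rule adds one volume alert for the same process and destination; the baseline traffic to allowlisted hosts produces nothing. In production the allowlist and baseline would come from asset inventory rather than constants, and the port check would be replaced by actual TLS inspection at the egress point.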