New Mac Malware 'MacSync' Stealing Crypto Wallets

TL;DR
A new macOS infostealer called 'MacSync Stealer' targets Apple users to steal cryptocurrency wallets and sensitive credentials. It uses fake macOS password prompts to trick users into typing in their login credentials.
Key points
- New macOS malware named 'MacSync Stealer' identified
- Targets Apple users to steal cryptocurrency wallets
- Uses deceptive social engineering tactics
- Mimics legitimate macOS password prompts
- Exfiltrates sensitive infrastructure credentials
Blockchain security firm SlowMist has warned about a highly destructive new macOS infostealer dubbed "MacSync Stealer" (v1.1.2).
The active malware campaign is specifically targeting Apple users to drain cryptocurrency wallets and exfiltrate highly sensitive infrastructure credentials.
The modus operandi
The campaign relies on social engineering rather than an exploit: the victim is talked into handing over the credentials themselves.
The malware shows fake AppleScript dialogs styled to look like legitimate macOS password prompts and uses them to phish for the user's login password.
Once the victim enters a password, the malware silently exfiltrates data in the background. When extraction is complete, MacSync Stealer displays a fake "not supported" error so that the application appears to have simply failed to launch, giving the victim no reason to suspect anything.
Beyond cryptocurrency wallets, the malware also harvests browser credentials, the macOS system Keychain, and infrastructure keys and credentials, including SSH keys, AWS credentials, and Kubernetes (K8s) credentials.
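The fake password dialog described above has a recognisable shape on the command line, which gives a defender one cheap thing to check. The script below is an added example, not code from SlowMist or from the MacSync campaign itself: it flags processes that run osascript with "display dialog" and "hidden answer" (the AppleScript clause that masks typed input), because genuine macOS authentication prompts are drawn by SecurityAgent, not by osascript. The process listing is constructed sample data, and the command lines in it are assumptions about what such a prompt looks like, not observed indicators.

```shell
#!/bin/sh
# Added example (not from the SlowMist report): heuristic detection of an
# AppleScript credential prompt of the kind macOS infostealers use.
# Assumption: the prompt is launched as `osascript -e '...'`, so the dialog
# text is visible in the process command line.

# Return 0 (true) when one process command line looks like an AppleScript
# password prompt, 1 otherwise.
looks_like_cred_prompt() {
    cmdline=$1
    case "$cmdline" in
        *osascript*) ;;                 # must be an osascript invocation
        *) return 1 ;;
    esac
    case "$cmdline" in
        *"display dialog"*) ;;          # must draw a dialog box ...
        *) return 1 ;;
    esac
    case "$cmdline" in
        *"hidden answer"*) return 0 ;;  # ... with a masked text field
        *) return 1 ;;
    esac
}

# Read "PID COMMAND" rows on stdin, print the suspicious ones to stderr and
# write the number of hits to stdout so a caller can act on the count.
count_cred_prompts() {
    hits=0
    while IFS= read -r row; do
        if looks_like_cred_prompt "$row"; then
            printf 'SUSPECT: %s\n' "$row" >&2
            hits=$((hits + 1))
        fi
    done
    printf '%s\n' "$hits"
}

# Constructed sample of what `ps -axo pid=,command=` might return while a
# fake prompt is on screen. The first row is the hypothetical phish; the
# last row is a benign osascript use (a notification, no dialog).
SAMPLE_PS='501 /usr/bin/osascript -e display dialog "macOS needs your password to update Keychain" default answer "" with hidden answer with icon caution
501 /Applications/Safari.app/Contents/MacOS/Safari
0 /usr/libexec/secd
501 /usr/bin/osascript -e display notification "Build finished"'

# Stand-alone run: prints the suspect row to stderr and "1" to stdout.
printf '%s\n' "$SAMPLE_PS" | count_cred_prompts
```

On a live Mac the same check runs as `ps -axo pid=,command= | count_cred_prompts`. Treat it as a heuristic, not a verdict: if the stealer reads its script from a file or a compiled app bundle (`osascript /path/to/script.scpt`) the dialog text never appears on the command line, and only unified-log or EDR visibility into what osascript executed will catch it. The user-side tell is simpler: macOS never asks for your login password through a dialog that appears right after an app "fails to launch".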
Other macOS-related incidents
This is not an isolated incident. Bybit's security team has just uncovered a malware campaign targeting macOS users searching for Claude Code.
Recently, Microsoft Threat Intelligence exposed a highly targeted macOS campaign orchestrated by "Sapphire Sleet," a known North Korean state-sponsored threat actor. Sapphire Sleet uses advanced social engineering to impersonate legitimate macOS software updates and steal cryptocurrency wallets.
Also notable is the "Infinity Stealer" malware, which demonstrated how Windows-centric attack methods are being adapted for macOS: it uses the "ClickFix" technique to present victims with a fake CAPTCHA page. Cybersecurity firm SOC Prime has also identified "MioLab," a commercially distributed macOS infostealer explicitly built to target high-value victims, including crypto holders.
Q&A
What is MacSync Stealer and how does it work?
MacSync Stealer is a macOS infostealer that uses fake AppleScript dialogs to phish for user login credentials and drain cryptocurrency wallets.
Who is at risk from the MacSync malware?
Apple users, particularly those with cryptocurrency wallets, are at risk from the MacSync malware campaign.
What tactics are used by the MacSync malware campaign?
The malware employs social engineering tactics, including deceptive prompts that mimic legitimate macOS password requests, to bypass user defenses.