MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware
Dec. 23, 2025, 9:40 a.m.
Description
MacSync Stealer malware has evolved from drag-to-terminal and ClickFix delivery techniques to a more sophisticated approach. The new variant ships as a code-signed and notarized Swift application inside a disk image, so the victim no longer has to interact with the terminal directly. The application retrieves an encoded script from a remote server and executes it through a Swift-built helper executable. The installer is signed with Developer Team ID GNJLS3UYZ4 and is padded with decoy files to inflate its size. Before downloading and executing the second-stage payload, the malware performs several checks, including internet connectivity and execution timing. This evolution reflects a broader trend in macOS malware, in which attackers use signed and notarized executables in an attempt to bypass security measures.
Tags
Date
- Created: Dec. 23, 2025, 1:59 a.m.
- Published: Dec. 23, 2025, 1:59 a.m.
- Modified: Dec. 23, 2025, 9:40 a.m.
Indicators
Additional Information
- focusgroovy.com
- gatemaden.space
- zkcall.net