MacSync Stealer Returns: SEO Poisoning and Fake GitHub Repositories Target macOS Users

An active infostealer campaign is targeting macOS and Windows users across various sectors. The threat actors are using SEO poisoning to direct victims to fake GitHub repositories impersonating legitimate tools like PagerDuty. The campaign involves over 20 malicious repositories active since September 2025. The attack flow begins with a Google search, leading to a fraudulent GitHub repository, then to a GitHub Pages site with a deceptive command. This command deploys the MacSync stealer in three stages: a loader, a dropper, and the final payload. MacSync aggressively harvests credentials from browsers, cloud services, and cryptocurrency wallets. The campaign's scale includes 39 identified malicious repositories, with 24 still active as of January 2026. Evasion tactics include using 'readme-only' repositories and distributed identities.

Pulse ID: 69772ba9dd9a67872ce009f7
Pulse Link: https://otx.alienvault.com/pulse/69772ba9dd9a67872ce009f7
Pulse Author: AlienVault
Created: 2026-01-26 08:54:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cloud #CyberSecurity #GitHub #Google #ICS #InfoSec #InfoStealer #Mac #MacOS #OTX #OpenThreatExchange #SEOPoisoning #Windows #bot #cryptocurrency #AlienVault

MacSync Stealer Returns: SEO Poisoning and Fake GitHub Repositories Target macOS Users

An active infostealer campaign is targeting macOS and Windows users across various sectors. The threat actors are using SEO poisoning to direct victims to fake GitHub repositories impersonating legitimate tools like PagerDuty. The campaign involves over 20 malicious repositories active since September 2025. The attack flow begins with a Google search, leading to a fraudulent GitHub repository, then to a GitHub Pages site with a deceptive command. This command deploys the MacSync stealer in three stages: a loader, a dropper, and the final payload. MacSync aggressively harvests credentials from browsers, cloud services, and cryptocurrency wallets. The campaign's scale includes 39 identified malicious repositories, with 24 still active as of January 2026. Evasion tactics include using 'readme-only' repositories and distributed identities.

Pulse ID: 69772ba9dd9a67872ce009f7
Pulse Link: https://otx.alienvault.com/pulse/69772ba9dd9a67872ce009f7
Pulse Author: AlienVault
Created: 2026-01-26 08:54:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cloud #CyberSecurity #GitHub #Google #ICS #InfoSec #InfoStealer #Mac #MacOS #OTX #OpenThreatExchange #SEOPoisoning #Windows #bot #cryptocurrency #AlienVault

ShadowRelay: New Modular Backdoor in the Public Sector

A new modular backdoor called ShadowRelay was discovered on a compromised Exchange server in a government organization. The backdoor allows loading different plugins and demonstrates sophisticated design indicative of well-prepared attackers. It uses packet injection to hide network activity and can spy covertly in protected network segments by communicating through infected machines. The backdoor can inject itself into other processes and uses plugins to load additional functionality, allowing it to evade detection. These capabilities suggest the attackers aim for long-term covert presence and espionage, typical of state-sponsored APT groups. The backdoor was found alongside tools from other known threat actors, complicating attribution.

Pulse ID: 69734904476c08abeb44c4b8
Pulse Link: https://otx.alienvault.com/pulse/69734904476c08abeb44c4b8
Pulse Author: AlienVault
Created: 2026-01-23 10:10:12

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #ELF #Espionage #Government #InfoSec #Mac #OTX #OpenThreatExchange #RAT #bot #AlienVault

ShadowRelay: New Modular Backdoor in the Public Sector

A new modular backdoor called ShadowRelay was discovered on a compromised Exchange server in a government organization. The backdoor allows loading different plugins and demonstrates sophisticated design indicative of well-prepared attackers. It uses packet injection to hide network activity and can spy covertly in protected network segments by communicating through infected machines. The backdoor can inject itself into other processes and uses plugins to load additional functionality, allowing it to evade detection. These capabilities suggest the attackers aim for long-term covert presence and espionage, typical of state-sponsored APT groups. The backdoor was found alongside tools from other known threat actors, complicating attribution.

Pulse ID: 69734904476c08abeb44c4b8
Pulse Link: https://otx.alienvault.com/pulse/69734904476c08abeb44c4b8
Pulse Author: AlienVault
Created: 2026-01-23 10:10:12

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #ELF #Espionage #Government #InfoSec #Mac #OTX #OpenThreatExchange #RAT #bot #AlienVault

Inside MacSync's Script-Driven Stealer and Hardware Wallet App Trojanization

MacSync is a sophisticated macOS infostealer that targets cryptocurrency users. It is delivered through a phishing lure disguised as a cloud storage installer, tricking users into executing a malicious Terminal command. The malware employs a multi-stage infection process, using a script-based approach to harvest browser credentials, cryptocurrency wallet data, and sensitive files. A key feature of MacSync is its ability to trojanize popular Electron-based cryptocurrency applications like Ledger and Trezor, enabling long-term phishing and data exfiltration. The malware's infrastructure includes multiple rotating C2 domains and clone sites, indicating an ongoing and evolving campaign. MacSync's focus on cryptocurrency-related data and its stealthy, script-based execution make it particularly dangerous for macOS users in the crypto community.

Pulse ID: 69711eea5249f136051acf6c
Pulse Link: https://otx.alienvault.com/pulse/69711eea5249f136051acf6c
Pulse Author: AlienVault
Created: 2026-01-21 18:46:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cloud #CyberSecurity #Edge #InfoSec #InfoStealer #Mac #MacOS #Malware #OTX #OpenThreatExchange #Phishing #RAT #Trojan #bot #cryptocurrency #AlienVault

Inside MacSync's Script-Driven Stealer and Hardware Wallet App Trojanization

MacSync is a sophisticated macOS infostealer that targets cryptocurrency users. It is delivered through a phishing lure disguised as a cloud storage installer, tricking users into executing a malicious Terminal command. The malware employs a multi-stage infection process, using a script-based approach to harvest browser credentials, cryptocurrency wallet data, and sensitive files. A key feature of MacSync is its ability to trojanize popular Electron-based cryptocurrency applications like Ledger and Trezor, enabling long-term phishing and data exfiltration. The malware's infrastructure includes multiple rotating C2 domains and clone sites, indicating an ongoing and evolving campaign. MacSync's focus on cryptocurrency-related data and its stealthy, script-based execution make it particularly dangerous for macOS users in the crypto community.

Pulse ID: 69711eea5249f136051acf6c
Pulse Link: https://otx.alienvault.com/pulse/69711eea5249f136051acf6c
Pulse Author: AlienVault
Created: 2026-01-21 18:46:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cloud #CyberSecurity #Edge #InfoSec #InfoStealer #Mac #MacOS #Malware #OTX #OpenThreatExchange #Phishing #RAT #Trojan #bot #cryptocurrency #AlienVault