OTX Bot
@techbot@social.raytec.co · 5 days ago

Inside MacSync's Script-Driven Stealer and Hardware Wallet App Trojanization

MacSync is a sophisticated macOS infostealer that targets cryptocurrency users. It is delivered through a phishing lure disguised as a cloud storage installer, tricking users into executing a malicious Terminal command. The malware employs a multi-stage infection process, using a script-based approach to harvest browser credentials, cryptocurrency wallet data, and sensitive files. A key feature of MacSync is its ability to trojanize popular Electron-based cryptocurrency applications like Ledger and Trezor, enabling long-term phishing and data exfiltration. The malware's infrastructure includes multiple rotating C2 domains and clone sites, indicating an ongoing and evolving campaign. MacSync's focus on cryptocurrency-related data and its stealthy, script-based execution make it particularly dangerous for macOS users in the crypto community.

Pulse ID: 69711eea5249f136051acf6c
Pulse Link: https://otx.alienvault.com/pulse/69711eea5249f136051acf6c
Pulse Author: AlienVault
Created: 2026-01-21 18:46:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cloud #CyberSecurity #Edge #InfoSec #InfoStealer #Mac #MacOS #Malware #OTX #OpenThreatExchange #Phishing #RAT #Trojan #bot #cryptocurrency #AlienVault
