Explore tweets tagged as #MacSync
The bulk of the void that AMOS fading left into the MacOS MaaS infostealers is already being filled by other solutions such as MacSync (interviewed by @osint_barbie and me recently: https://t.co/cKrFyqBQlZ), who allegedly want to be "at AMOS level by the end of the year". In
An interview with recently rebranded MacSync, also known as Mac.c Stealer by mentalpositive. Collab with @osint_barbie 🤠 An emerging, cheaper and trendy MaaS solution for MacOS environments whose usage has been increasing in the last months. Read now 🍎🤖: https://t.co/BAwQinOEdn
Looks like a potential new MacSync Stealer variant. From: hxxps[:]//applegrowe. com/curl/7642f7bcd50f72ae34bfc24a29c8f294d257918d5bf3acdad800fc10a16e686d 🧵Let's look into it. :)
Looks like more MacSync: 4d751dd363298589cb436d78cd302f9d794ae1e3670722a464884be908671a9c - Zoom lookalike. Thanks @malwrhunterteam :) Written in Objective-C, which is beautiful and a great start to a Monday. Look at how pretty that binja Pseudo-ObjC is.♥️ Brackets! 🧵
5/ The stealer module 💰: nothing revolutionary - follows the same playbook as AMOS, MacSync, and other macOS stealers we've tracked. We compared Phexia with Mac.c sample (393acc8ef94ab8ba0abf7a769e451d5434d4acdbda0b60966bfac4b40e4d6875) and found ~85% code similarity. Both
MacSync and MACc Stealer multiple stealer on 94.141.160.60 83ad85a90cf242de2eda99e67dc5b026 #MacSync Packages.scpt ae3ffebe3072bd558851bc748079e62c C2 elbrone[.]com NexoraLauncher.dmg #MACc #Stealer 25be0d9c91ae366cccd47b5dc10705b0 ref. https://t.co/Bo2RNVsdB4 Microsoft
1/ Sometimes the best hunts start with a simple share. A few strings from an updated #MacSync #macOS malware, dropped casually by @g0njxa, led us to the FUD file, which appears to be a dropper 👇
I won't go into the osascript itself because we've seen so many already, so we will just focus on this downloader. Lastly, there are references to "/gate" and "osalogging\.zip" seen in other MacSync samples. (again with helpful NSLogs)
#threatreport #MediumCompleteness Mac.c stealer evolves into MacSync: Now with a backdoor | 13-09-2025 Source: https://t.co/WEyHrPk0Bu Key details below ↓ 🧑💻Actors/Campaigns: Mentalpositive 💀Threats: Macc_stealer, Amos_stealer, Clickfix_technique, 🏭Industry: Healthcare
Cool share! As y'all mentioned, there's a lot of these FUD MacSync samples, some being shell scripts and some Mach-O binaries. Pivoting on code insights shows many of these :(
Related to MacSync: 0d5c59fb86a094f4b2d5c170e9fa4a8c401de6267b6d6cd12af45003690aba0b, already being detected on VT. Uses simpler XOR with just a 1 byte key 0x93. (Maybe slightly older version??) Same user-agent as the previous sample. 🧵
Was wondering about how codeinsight worked. :) Use of binja HLIL for this effort is cool. One of the hashes that was found by VT looks like a MacSync sample recently discussed. Using codeinsights to query, you can match on related samples, some still undetected (although known).
How VT Code Insight + Binary Ninja use AI to scan Apple binaries at scale, catch undetected Mac/iOS malware, and reduce false positives. No metadata, just code. https://t.co/Rxi3mNvylu
New RE Video: https://t.co/hSr9q85bCG Given the recent MacSync macOS stealer coverage, I felt it would be fun to record a video reverse engineering a related sample. The focus is arm64 (because it's pretty) and the XOR loop for encoded strings, with some curl API discussion.
MacSync and MACc Stealer C2 delgone[.]space EchoesOfValor.dmg 13db8aacf1548b9f5aeb8298a0cea2e0 zz 4a77cd4a5ca219ffb379b820c5011f70 NexoraLauncher[.app[.zip c1594b05ba39f62025f638370c8edbed NexoraLauncher.dmg 25be0d9c91ae366cccd47b5dc10705b0 #IOC
Now to the osascript. Nothing too new here from what we have seen. Here I highlighted "MacSync", which was covered by @moonlock_lab last month. We may be on version "1.0.7" according to the osascript content. Both Ledger Live and Trezor apps are also being hosted at this domain.
Mac.c Stealer renamed to MacSync, with its capabilities expanded to include a backdoor. Details.. https://t.co/I95NtiTfZl #مركز_الأمن_السيبراني_للابحاث_والدراسات