TL;DR
Researchers at Jamf found a new variant of the MacSync Stealer that was distributed inside an app both signed with a valid Developer ID and notarized by Apple, allowing it to bypass Gatekeeper. Attackers are exploiting the fact that notarization checks what’s submitted, not what an app may fetch or do at runtime.
What happened
Jamf Threat Labs recently published findings on a new MacSync Stealer variant that was packaged in an application bearing a valid Developer ID signature and Apple notarization. Because the app met Apple’s code-signing and notarization requirements, Gatekeeper did not block it from launching. According to the reporting, threat actors are obtaining legitimate developer certificates—either by compromise or purchase—and shipping lightweight initial binaries that appear benign during static review. Those binaries later contact remote infrastructure to download additional malicious payloads that were not present at the time of notarization, so Apple’s automated scans had nothing malicious to analyze. The article notes earlier instances of Apple-notarized malware dating back to at least 2020 and a similar case reported in July, and emphasizes that code signing and notarization are designed to enable attribution and revocation, not to guarantee that an app stays benign.
Why it matters
- Gatekeeper’s reliance on valid signatures and notarization can be bypassed when attackers use real developer certificates.
- Notarization inspects a submission at one point in time and can miss malicious components that are fetched only at runtime.
- Compromised or illegally traded Developer ID certificates lower the barrier for attackers to appear legitimate.
- The model is reactive: abused certificates can be revoked after the fact, but that does not prevent initial installations.
Key facts
- Jamf Threat Labs published research describing a MacSync Stealer variant distributed in a signed and notarized app.
- The malicious app had a valid Developer ID signature and Apple notarization, so Gatekeeper allowed it to run.
- Attackers are using certificates that may be compromised or purchased through underground channels, according to the reporting.
- Initial binaries were described as small Swift-based executables that appear benign under static analysis.
- Malicious behavior was introduced later when the app fetched additional payloads from remote infrastructure.
- Apple’s notarization process evaluates what’s present at submission time, not what an app may retrieve after launch.
- The first known instance of Apple-notarized malware goes back to at least 2020, per the article.
- A similar notarized malicious app was reported earlier in July of the same year.
- Code signing and notarization are intended to enable tracing and revocation, not to provide an absolute guarantee of benign software.
What to watch next
- The author plans to continue tracking this attack vector into 2026.
- Whether Apple changes notarization processes or adds runtime analysis to catch post-install payloads is not confirmed in the source.
- Whether the rate of notarized malware increases or more developer certificates tied to abuse are discovered is not confirmed in the source.
Quick glossary
- Gatekeeper: macOS security feature that checks app signatures and notarization status before allowing software from outside the App Store to run.
- Code signing / Developer ID: Cryptographic signature tied to a registered developer identity that indicates which developer produced an app and allows Apple to revoke trust if abused.
- Notarization: An automated Apple process that scans submitted macOS software for known malicious content and issues a notarization ticket if it passes checks.
- Payload: Additional code or data an application downloads or executes after initial installation, which can include malicious components.
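As an added example, not code from the Jamf research or the article: a POSIX shell helper that parses the text `codesign -dvv` and `spctl --assess -vv` print for an app bundle and applies a policy of "Developer ID chain, notarized, and Team ID on an explicit allowlist", since notarization alone only shows what Apple scanned at submission. The sample output, app name and Team ID are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the reporting: trust an app by its Developer
# Team ID, not merely because Gatekeeper says "notarized".  The helpers
# parse the text `codesign -dvv` and `spctl -a -vv` print to stderr.

# Extract the TeamIdentifier from `codesign -dvv` output.
# Unsigned binaries print no such line; ad-hoc ones print "not set".
team_id_of() {
  printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# True when the certificate chain runs through Apple's Developer ID CA.
chain_is_developer_id() {
  printf '%s\n' "$1" | grep -q '^Authority=Developer ID Certification Authority$'
}

# True when spctl accepted the app on the strength of a notarization ticket.
is_notarized() {
  printf '%s\n' "$1" | grep -q '^source=Notarized Developer ID$'
}

# Policy: 0 = allow, 1 = reject, 2 = notarized but Team ID not allowlisted.
decide() {
  codesign_out=$1; spctl_out=$2; allowlist=$3
  tid=$(team_id_of "$codesign_out")
  case $tid in
    ''|'not set') echo "reject: unsigned or ad-hoc signed"; return 1 ;;
  esac
  chain_is_developer_id "$codesign_out" || { echo "reject: not a Developer ID chain"; return 1; }
  is_notarized "$spctl_out" || { echo "reject: not notarized"; return 1; }
  case " $allowlist " in
    *" $tid "*) echo "allow: $tid"; return 0 ;;
    *) echo "hold: notarized, but Team ID $tid is not on the allowlist"; return 2 ;;
  esac
}

# Constructed sample output in the real tools' format (placeholder app
# name and Team ID), so the policy can be exercised off a Mac.
SAMPLE_CODESIGN='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'
SAMPLE_SPCTL='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

decide "$SAMPLE_CODESIGN" "$SAMPLE_SPCTL" "ABCDE12345"
# On a Mac, feed the live tools instead:
#   decide "$(codesign -dvv "$APP" 2>&1)" "$(spctl -a -vv "$APP" 2>&1)" "$ALLOW"
```

A Team ID on the allowlist still only says who signed the bundle, not what it downloads after launch; that identity is what makes later revocation possible.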
Reader FAQ
How did this malware bypass macOS protections?
The app was signed with a valid Developer ID and notarized by Apple, so Gatekeeper had no immediate reason to block it.
Is this a brand-new problem for macOS?
Not entirely — the report notes similar notarized malware as far back as 2020 and another case earlier in July.
Can Apple’s notarization stop these attacks?
Notarization checks what’s present at submission time; it wasn’t designed to guarantee an app remains benign after launch.
How should users protect themselves?
Download software from developers you trust or from the Mac App Store; further defensive guidance is not confirmed in the source.
Sources
- Security Bite: A note on the growing problem of Apple-notarized malware on macOS
- Malware uses notarization to bypass macOS Gatekeeper
- Don't Trust the Double-Click: This Mac Malware Was ' …
- New MacSync Malware Exploits Apple Notarization to …