Severity: High | Category: Phishing

MacSync / BarkBlitz: A Five-Month macOS Stealer Campaign Targeting Crypto Users

Published: March 12, 2026

Tags: phishing, social-engineering, c2, supply-chain, malware-analysis, apt, spearphishing

TL;DR: MacSync Stealer (also tracked as BarkBlitz) is an actively operated macOS infostealer campaign that has been running since at least November 2025, targeting cryptocurrency users through ClickFix social engineering with fake Zoom, Trezor Suite, and Ledger application lures. Starting from a single MD5 hash, Breakglass Intelligence mapped three live C2 domains, extracted the complete 640-line AppleScript stealer payload from a live C2 server, identified a stolen Apple Developer certificate used to sign malware binaries, and recovered Russian-language artifacts in the codebase. The stealer targets 13 Chromium browsers, 4 Firefox-based browsers, 22 desktop cryptocurrency wallets, 80+ browser crypto extensions, macOS Keychain, SSH keys, AWS/Kubernetes credentials, and actively backdoors Ledger wallet applications by replacing their app.asar files. Data is exfiltrated via chunked PUT uploads with API key authentication. The campaign has produced at least 12 samples across 5 months, indicating sustained development and active operation.


Background

macOS has historically been considered a lower-risk platform for malware, but the reality has shifted dramatically. The concentration of cryptocurrency users on macOS, combined with Apple's developer signing ecosystem providing a veneer of trust, has made the platform an increasingly attractive target for financially motivated threat actors.

MacSync/BarkBlitz represents the current state of the art for macOS infostealers: it uses signed binaries to bypass Gatekeeper, AppleScript for system-level access, ClickFix social engineering for delivery, and a multi-domain Cloudflare-proxied infrastructure for resilience. Most critically, it actively backdoors hardware wallet applications -- a supply-chain attack that can result in catastrophic financial loss for victims.

This investigation began with a single sample hash and expanded to map the complete infrastructure, extract live payloads, and document the full scope of the campaign across five months of activity.


Key Findings

  • Three C2 domains were identified: bluestonerepair[.]com (LIVE, primary), gatemaden[.]space (DEAD, taken down), and audio-drivers-zoom[.]us (LIVE, operational C2). Each uses a different Cloudflare account, indicating deliberate operational compartmentalization.
  • The complete 640-line AppleScript stealer payload was extracted from a live C2 server, providing full visibility into the campaign's data theft capabilities.
  • A stolen Apple Developer ID certificate issued to OKAN ATAKOL (Team ID GNJLS3UYZ4) was used to sign the runtimectl variant, enabling Gatekeeper bypass on victim machines.
  • Russian-language indicators were found in the codebase: the build tag "vorona" (Russian for "crow") and a Cyrillic OK button in the error dialog.
  • The stealer actively backdoors Ledger hardware wallet applications by downloading malicious app.asar files from the C2 and replacing the legitimate application resources, then re-signing with an ad-hoc certificate.
  • A leaked Gmail address (j.herbabzed.r@gmail.com) in the WHOIS record for audio-drivers-zoom[.]us provides an additional attribution lead.
  • A single API key (5190ef1733183a0dc63fb623357f56d6) is shared across all observed payloads, creating a single point of failure and a detection pivot.
  • A fourth IP address (68.183.52.163, DigitalOcean NYC3) was found hardcoded in the stealer payload, possibly the operator's management VPS.

Attack Chain

Stage 1: Social Engineering Delivery

The campaign uses ClickFix-style social engineering with fake application downloads. Observed lure themes include:

  • Zoom: Fake video conferencing application installer
  • Trezor Suite: Fake hardware wallet management software
  • Ledger: Fake hardware wallet interface
  • BarkBlitz: Custom branded application (possibly dog training/social themed)
  • oathBound: Another custom branded variant

The lures are distributed as DMG disk images or ZIP archives containing signed Mach-O universal binaries. The use of Apple Developer ID signing (stolen certificate) means macOS Gatekeeper may not block execution, significantly increasing the success rate.

Stage 2: Dropper Execution

When the victim opens the application, the Mach-O binary:

  1. Contacts the C2 at bluestonerepair[.]com/curl/<sha256_hash> to download a per-victim dropper script
  2. Runs the dropper, a zsh script that decodes its embedded payload via base64 -D | gunzip | eval
  3. The decoded script then fetches the main AppleScript payload from /dynamic?txd= with API key authentication

The runtimectl Swift variant adds persistence by installing to /Library/Application Support/UserSyncWorker with ETag-based update checking (staging through /tmp/runner), ensuring the stealer stays current with the latest payload version.

Stage 3: Credential Harvesting

The 640-line AppleScript payload begins by presenting a fake System Preferences password dialog using Apple's own LockedIcon.icns for visual authenticity. The entered password is validated in real time using dscl . authonly <username> <password>, and the dialog loops until valid credentials are entered (with a 150-second timeout per attempt). This ensures the operator always obtains a working password.

Simultaneously, the Chrome master password is extracted via security find-generic-password -ga "Chrome".

Stage 4: Data Collection

With valid credentials in hand, the stealer systematically harvests data from multiple categories:

Browser Data (17 browsers):

  • Chromium family (13): Chrome, Brave, Edge, Vivaldi, Opera, Opera GX, Chrome Beta/Canary/Dev, Chromium, Arc, Coccoc, Yandex
  • Gecko family (4): Firefox, Zen, LibreWolf, Waterfox
  • Stolen files include Cookies, Login Data, Web Data, Network/Cookies, cert9.db, key4.db, logins.json, formhistory.sqlite, and places.sqlite

Cryptocurrency Wallet Extensions (80+): Targeted by Chrome extension ID, including MetaMask (nkbihfbeogaeaoehlefnkodbefgpgknn), Coinbase Wallet, Phantom, Trust Wallet, Solflare, and dozens of DeFi/crypto extensions. Both Local Extension Settings and IndexedDB databases are stolen.

Desktop Cryptocurrency Wallets (22): Exodus, Electrum, Atomic Wallet, Guarda, Coinomi, Sparrow, Wasabi, Bitcoin Core, Armory, Electron Cash, Monero, Litecoin Core, Dash Core, Dogecoin Core, Electrum-LTC, BlueWallet, Zengo, Trust Wallet, Ledger Live, Ledger Wallet, Trezor Suite, Binance, and TON Keeper.

System Credentials and Keys:

  • macOS Keychain (*.keychain-db)
  • SSH keys (~/.ssh/)
  • AWS credentials (~/.aws/)
  • Kubernetes config (~/.kube/)

Application Data:

  • Telegram Desktop session data
  • Apple Notes (NoteStore.sqlite)
  • Safari cookies and history
  • Shell history (.zsh_history, .bash_history)
  • Git configuration (.gitconfig)
  • .zshrc

Sensitive Files: A file grabber scans Desktop, Documents, and Downloads for files with extensions: pdf, docx, doc, wallet, key, keys, db, txt, seed, rtf, kdbx, pem, ovpn. The total collection is capped at 10 MB. This specifically targets cryptocurrency seed phrases, KeePass databases (.kdbx), VPN configurations, and certificates.

System Profiling: Process list (ps ax, lsappinfo), hardware/software information (system_profiler SPSoftwareDataType SPHardwareDataType), and display information for victim fingerprinting.

Stage 5: Ledger Wallet Backdooring

Perhaps the most destructive capability: the stealer downloads malicious app.asar files from dedicated C2 endpoints:

  • /ledger/<hash> -- Malicious Ledger Wallet app.asar
  • /ledger/live/<hash> -- Malicious Ledger Live app.asar

These files replace the legitimate Electron application resources in the installed Ledger applications. The modified Info.plist is also replaced, and the application is re-signed with an ad-hoc certificate (codesign -f -d -s -).

The purpose of this backdoor is seed phrase theft and transaction interception on subsequent launches of the wallet application. This means even if the initial data theft misses the seed phrase, the operator can capture it the next time the victim opens their hardware wallet application.

Stage 6: Exfiltration and Cleanup

All collected data is staged in /tmp/sync<7_random_digits>/ and compressed using ditto -c -k --sequesterRsrc to /tmp/osalogging.zip.

Exfiltration uses a chunked PUT upload to the /gate endpoint with API key authentication:

  • Chunks are 10 MB maximum
  • Up to 8 retries per chunk
  • Query parameters include buildtxd, upload_id, chunk_index, and total_chunks

After successful upload, the staging directory and ZIP file are removed:

rm -rf /tmp/sync*
rm -f /tmp/osalogging.zip

The victim is shown a benign error message: "not supported on your Mac" -- providing a plausible reason for the application not working and discouraging further investigation.


Infrastructure Analysis

C2 Domain Architecture

The campaign uses three domains across three separate Cloudflare accounts, indicating deliberate compartmentalization:

| Domain                  | Cloudflare NS Pair | Registrar           | Status            |
|-------------------------|--------------------|---------------------|-------------------|
| bluestonerepair[.]com   | dell / piers       | Unstoppable Domains | LIVE              |
| gatemaden[.]space       | alberto / rafe     | PDR Ltd             | DEAD (serverHold) |
| audio-drivers-zoom[.]us | kyle / kimora      | OwnRegistrar Inc    | LIVE              |

The use of different Cloudflare accounts for each domain means that if one account is suspended, the others remain operational. This is a more sophisticated operational setup than many campaigns that funnel all domains through a single account.

Domain Registration Analysis

bluestonerepair[.]com:

  • Registered via Unstoppable Domains (a blockchain domain registrar) on July 18, 2025
  • Registrant: Michael Campagnolo / DomainHive LTD (BVI -- British Virgin Islands)
  • Certificate history shows legitimate business use from 2023-2025 with Google Trust Services and Let's Encrypt certificates, followed by transfer to the current malicious operator in July 2025
  • Current certificates include a new wildcard (*.bluestonerepair.com) from Let's Encrypt E7 and Sectigo

gatemaden[.]space:

  • Registered via PDR Ltd (PublicDomainRegistry) on November 17, 2025
  • WHOIS redacted
  • Now in serverHold status (taken down)

audio-drivers-zoom[.]us:

  • Registered via OwnRegistrar Inc on January 28, 2026
  • Registrant: John Ramirez Hernandez / Hosting4You LLC (Anchorage, AK)
  • OPSEC failure: Gmail address j.herbabzed.r@gmail.com exposed in WHOIS

The BVI shell company and Alaskan LLC registrant identities are almost certainly fabricated, but the Gmail address provides a real attribution lead.

C2 API Endpoints

The C2 server exposes a comprehensive API for managing the infection lifecycle:

| Endpoint           | Method           | Purpose                                                 |
|--------------------|------------------|---------------------------------------------------------|
| /curl              | GET              | Generic dropper download (uses audio-drivers-zoom.us)   |
| /curl/             | GET              | Per-victim dropper with embedded tracking token         |
| /update            | GET              | Daily payload update (.daily extension)                 |
| /dynamic?txd=      | GET              | Main AppleScript stealer payload (API key required)     |
| /dynamic?txd=&pwd= | GET              | Password-aware stealer variant                          |
| /gate              | PUT (chunked)    | V2 chunked data exfiltration                            |
| /gate              | POST (multipart) | V1 legacy data exfiltration                             |
| /ledger/           | GET              | Malicious Ledger Wallet app.asar                        |
| /ledger/live/      | GET              | Malicious Ledger Live app.asar                          |

The presence of both V1 (multipart POST) and V2 (chunked PUT) exfiltration protocols indicates the operation has been through at least one protocol revision.

The /dynamic endpoint with a pwd parameter is particularly interesting -- it returns a stealer variant that already has the victim's password, suggesting the dropper captures the password first and then requests a customized payload.

Fourth IP: DigitalOcean NYC3

The IP address 68.183.52.163 was found hardcoded in the stealer payload. This DigitalOcean VPS in the NYC3 datacenter has ports 443 and 8080 open. Unlike the Cloudflare-proxied C2 domains, this IP is directly exposed, making it a potentially more attributable piece of infrastructure -- possibly the operator's management or staging server.


Malware Analysis

Sample Inventory

The campaign has produced at least 12 samples across 5 months, spanning multiple lure themes and binary formats:

| Date       | Lure            | Format             | Notable Features           |
|------------|-----------------|--------------------|----------------------------|
| 2025-11-17 | Zoom            | Mach-O x86_64      | First known sample         |
| 2025-12-11 | Trezor Suite    | Mach-O x86_64      | Crypto lure variant        |
| 2025-12-21 | .trezor/.ledger | ZIP (ClickFix)     | ClickFix delivery variants |
| 2025-12-22 | runtimectl      | Mach-O fat (Swift) | Code-signed, persistence   |
| 2026-01-03 | oathBound       | DMG                | New lure theme             |
| 2026-03-10 | BarkBlitz       | Mach-O fat         | Latest variant, dual arch  |

BarkBlitz Binary Analysis

The primary sample (SHA256: 4a6250d7dab7d82255cc526f6b857af8f53378c186700dd8682408180b92cb6a) is a Mach-O Universal Binary:

  • Format: Fat binary (magic 0xCAFEBABE) with x86_64 (32 KB at offset 0x4000) and arm64 (69 KB at offset 0xC000) slices
  • Bundle ID: com.utils.BarkBlitz
  • Dependencies: Foundation.framework, libSystem.B.dylib, libobjc.A.dylib, libc++.1.dylib
  • Key Behavior: The binary uses _system() for shell command execution, _fork() + _setsid() for daemonization, and _unlink()/_remove() for self-cleanup
  • String Obfuscation: C2 configuration is encrypted in the __TEXT.__const section (1015 bytes) using a custom cipher with per-position key derivation -- not simple XOR

runtimectl (Swift Variant) Analysis

The Swift variant (SHA256: 06c74829d8eee3c47e17d01c41361d314f12277d899cc9dfa789fe767c03693e) represents a more sophisticated implementation:

  • Code Signing: Signed with Developer ID Application: OKAN ATAKOL (GNJLS3UYZ4), issued November 14, 2025
  • Gatekeeper Check: The binary calls /usr/bin/codesign -dv --verbose=4 and /usr/sbin/spctl --assess to verify its own signing status
  • C2: Plaintext URL https://gatemaden[.]space/curl/<sha256_hash> (the lack of encryption here is an OPSEC failure)
  • Download: Uses /usr/bin/curl with TLS 1.2-1.3, 10-second connect timeout, 40-second max time, 2 retries
  • Persistence: Installs to /Library/Application Support/UserSyncWorker with ETag-based update checking

The use of a stolen (or purchased) Apple Developer certificate is significant. It means the binary will not trigger Gatekeeper warnings on first launch, dramatically increasing the infection success rate. The certificate was issued to OKAN ATAKOL on November 14, 2025 -- just three days before the first known MacSync sample appeared.


Threat Actor Profile

Attribution Assessment

Confidence: MEDIUM-HIGH for Russian-speaking operator

The evidence for a Russian-speaking operator is multi-layered:

  1. Build tag "vorona": Written to the victim info file during collection. "Vorona" is the Russian word for "crow" (ворона). This is not a word that would be chosen by a non-Russian speaker.

  2. Cyrillic OK button: The error dialog displayed after exfiltration uses the Cyrillic letters "ОК" (U+041E, U+041A) rather than ASCII "OK". This is a subtle but definitive indicator -- it means the development environment was configured for Russian language input, and the developer was typing in Cyrillic when they wrote the dialog string.

  3. Infrastructure patterns: BVI shell companies, multiple registrars, Cloudflare compartmentalization, and Namecheap/privacy proxy combinations are patterns strongly associated with Russian-speaking cybercrime operations.

OPSEC Failures

Despite moderate-to-high technical sophistication, the operator made several attributable mistakes:

  1. Gmail in WHOIS: j.herbabzed.r@gmail.com exposed in the audio-drivers-zoom[.]us registration
  2. Build tag in payload: "vorona" written to every victim's collected data
  3. Version string: "1.1.2_release (x64_86 & ARM)" reveals development versioning
  4. Hardcoded IP: 68.183.52.163 in the payload may be an operator-controlled VPS
  5. Shared API key: 5190ef1733183a0dc63fb623357f56d6 used across all payloads
  6. Stolen developer certificate: OKAN ATAKOL (GNJLS3UYZ4) creates a certificate trail
  7. Plaintext C2 in Swift binary: The runtimectl sample has the C2 URL unencrypted
  8. Multiple registrant identities: "Michael Campagnolo" and "John Ramirez Hernandez" are both clearly fabricated

Campaign Timeline

| Date       | Event                                                                 |
|------------|-----------------------------------------------------------------------|
| 2025-07-18 | bluestonerepair.com registered/transferred                            |
| 2025-11-14 | Apple Developer certificate issued to OKAN ATAKOL                     |
| 2025-11-17 | First MacSync sample (Zoom lure) and gatemaden.space registered       |
| 2025-12-11 | Trezor Suite lure variant                                             |
| 2025-12-21 | ClickFix variants with .trezor and .ledger extensions                 |
| 2025-12-22 | runtimectl Swift variant with code signing and persistence            |
| 2026-01-03 | oathBound DMG variant                                                 |
| 2026-01-28 | audio-drivers-zoom.us registered                                      |
| 2026-03-07 | bluestonerepair.com infrastructure refreshed                          |
| 2026-03-10 | BarkBlitz samples appear; investigation confirms all three C2 domains |

The five-month timeline with consistent technical evolution (from simple Mach-O to code-signed Swift with persistence) demonstrates a committed operator investing in the campaign.


Detection Guidance

YARA Rule Summary

Detection rules should target:

  1. Mach-O binary patterns: Bundle IDs (com.utils.BarkBlitz, co.runtime.helper.b3f9a2), the encrypted config block in __TEXT.__const, and the "vorona" build tag
  2. AppleScript payload patterns: The fake System Preferences dialog string, dscl authonly command, specific browser path patterns, and the /tmp/osalogging.zip staging path
  3. Ledger backdoor indicators: Modified app.asar files in Ledger Wallet.app and Ledger Live.app, ad-hoc code signatures

Suricata Rule Summary

Network detection should focus on:

  1. C2 domain resolution: DNS lookups for bluestonerepair[.]com, gatemaden[.]space, and audio-drivers-zoom[.]us
  2. API key in headers: The header api-key: 5190ef1733183a0dc63fb623357f56d6 in HTTP requests
  3. Chunked upload pattern: PUT requests to /gate with query parameters buildtxd, upload_id, chunk_index, total_chunks
  4. User-Agent: The specific Chrome 91 User-Agent string used by the dropper
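As an added example (not code from the report or from Breakglass Intelligence), the network indicators above and the chunked /gate upload protocol from the exfiltration section can be checked over proxy logs like this. The log format is a constructed one-line-per-request form (method, URL, api-key header value); the domains and API key are the report's, and the 10 MB chunk cap is used only to bound the volume an observed upload could have carried.

```python
"""Scan HTTP proxy logs for MacSync/BarkBlitz C2 and chunked-exfil patterns."""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the report (written undefanged so they match real log data)
C2_DOMAINS = {"bluestonerepair.com", "gatemaden.space", "audio-drivers-zoom.us"}
API_KEY = "5190ef1733183a0dc63fb623357f56d6"
CHUNK_PARAMS = {"buildtxd", "upload_id", "chunk_index", "total_chunks"}
CHUNK_MB = 10  # report: chunks are 10 MB maximum

# Constructed sample log: "<METHOD> <URL> apikey=<header value or ->"
SAMPLE_LOG = """\
GET https://example.org/index.html apikey=-
PUT http://bluestonerepair.com/gate?buildtxd=985683bd&upload_id=u1&chunk_index=0&total_chunks=3 apikey=5190ef1733183a0dc63fb623357f56d6
PUT http://bluestonerepair.com/gate?buildtxd=985683bd&upload_id=u1&chunk_index=1&total_chunks=3 apikey=5190ef1733183a0dc63fb623357f56d6
GET http://audio-drivers-zoom.us/dynamic?txd=985683bd apikey=5190ef1733183a0dc63fb623357f56d6
GET https://cdn.example.net/app.js apikey=-
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) apikey=(?P<key>\S+)$")


def parse_line(line):
    """Split one log line into method, host, path, query dict and api-key value."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {"method": m["method"], "host": url.hostname, "path": url.path,
            "query": query, "key": m["key"]}


def indicators(req):
    """Return the names of the report's network indicators that fire on a request."""
    hits = []
    if req["host"] in C2_DOMAINS:
        hits.append("c2_domain")
    if req["key"] == API_KEY:
        hits.append("api_key")
    if (req["method"] == "PUT" and req["path"] == "/gate"
            and CHUNK_PARAMS.issubset(req["query"])):
        hits.append("chunked_exfil")
    return hits


def scan(log_text):
    """Return (alerts, uploads): alerts as (line no, host, hits); uploads keyed by upload_id."""
    alerts, uploads = [], {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        req = parse_line(line)
        if req is None:
            continue
        hits = indicators(req)
        if not hits:
            continue
        alerts.append((lineno, req["host"], hits))
        if "chunked_exfil" in hits:  # track which chunks of each upload were seen
            q = req["query"]
            up = uploads.setdefault(q["upload_id"], {"total": int(q["total_chunks"]), "seen": set()})
            up["seen"].add(int(q["chunk_index"]))
    return alerts, uploads


def upload_summary(uploads):
    """Per upload_id: chunks seen vs. announced, and an upper bound on bytes exfiltrated."""
    return {uid: {"seen": len(u["seen"]), "total": u["total"],
                  "complete": len(u["seen"]) == u["total"],
                  "max_mb": len(u["seen"]) * CHUNK_MB}
            for uid, u in uploads.items()}
```

An incomplete upload (fewer chunks seen than total_chunks) is worth correlating with the host's /tmp/osalogging.zip size, since the archive is deleted only after the upload succeeds.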

Host-Based Indicators

  • /tmp/osalogging.zip (exfiltration staging)
  • /tmp/sync<7_digits>/ directories (collection)
  • /tmp/runner, /tmp/runner.headers, /tmp/runner.code (dropper staging)
  • /Library/Application Support/UserSyncWorker (persistence)
  • /Library/Logs/UserSyncWorker.log (log file)
  • Modified app.asar in Ledger Wallet.app or Ledger Live.app Resources directory
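An added host-triage example (not code from the report) that walks the host-based indicators above and the Ledger app.asar check from the detection and recommendation sections. It takes a root prefix so it can be run against a mounted copy of a suspect disk or, as in the demo, a constructed directory tree; the known-good app.asar hashes are an assumption you supply from a clean install of the same Ledger version.

```python
"""Triage a macOS filesystem (under a root prefix) for MacSync/BarkBlitz artifacts."""
import hashlib
import re
import tempfile
from pathlib import Path

# Paths from the report's host-based indicator list, relative to the root
FIXED_PATHS = [
    "tmp/osalogging.zip",                         # exfiltration staging archive
    "tmp/runner", "tmp/runner.headers", "tmp/runner.code",  # dropper staging
    "Library/Application Support/UserSyncWorker", # runtimectl persistence
    "Library/Logs/UserSyncWorker.log",            # runtimectl log file
]
SYNC_DIR_RE = re.compile(r"^sync\d{7}$")          # /tmp/sync<7 random digits>/
# Electron apps the stealer backdoors; app.asar sits under Contents/Resources
LEDGER_APPS = ["Applications/Ledger Wallet.app", "Applications/Ledger Live.app"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, known_good_asar=None):
    """Return sorted (indicator, relative path) findings under root.

    known_good_asar maps an app path in LEDGER_APPS to the expected SHA-256 of
    its app.asar; apps without an entry are skipped rather than guessed at.
    """
    root = Path(root)
    findings = []
    for rel in FIXED_PATHS:
        if (root / rel).exists():
            findings.append(("staging_or_persistence_path", rel))
    tmp = root / "tmp"
    if tmp.is_dir():
        for entry in tmp.iterdir():
            if entry.is_dir() and SYNC_DIR_RE.match(entry.name):
                findings.append(("collection_dir", f"tmp/{entry.name}"))
    for app in LEDGER_APPS:
        asar = root / app / "Contents/Resources/app.asar"
        expected = (known_good_asar or {}).get(app)
        if asar.is_file() and expected and sha256_file(asar) != expected:
            findings.append(("ledger_asar_mismatch", app))
    return sorted(findings)


def build_demo_tree(root):
    """Constructed fixture: a tree with a collection dir, staging zip and tampered asar."""
    root = Path(root)
    (root / "tmp/sync4821930").mkdir(parents=True)
    (root / "tmp/osalogging.zip").write_bytes(b"PK\x03\x04 constructed")
    res = root / "Applications/Ledger Live.app/Contents/Resources"
    res.mkdir(parents=True)
    (res / "app.asar").write_bytes(b"constructed tampered asar")
    clean = root / "clean_reference.asar"   # stands in for a clean install's app.asar
    clean.write_bytes(b"constructed clean asar")
    return {"Applications/Ledger Live.app": sha256_file(clean)}


def demo():
    with tempfile.TemporaryDirectory() as d:
        return triage(d, build_demo_tree(d))
```

On a live Mac, confirm a flagged bundle with codesign -dv --verbose=4 on the .app: an ad-hoc re-signature reports Signature=adhoc instead of Ledger's Developer ID.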

IOCs (Defanged)

Domains

bluestonerepair[.]com      -- Primary C2 (LIVE)
gatemaden[.]space           -- Former C2 (DEAD)
audio-drivers-zoom[.]us     -- Operational C2 (LIVE)

IP Addresses

172[.]67[.]196[.]52   -- Cloudflare (bluestonerepair.com)
104[.]21[.]52[.]63    -- Cloudflare (bluestonerepair.com)
172[.]67[.]222[.]14   -- Cloudflare (audio-drivers-zoom.us)
104[.]21[.]25[.]28    -- Cloudflare (audio-drivers-zoom.us)
68[.]183[.]52[.]163   -- DigitalOcean NYC3 (hardcoded in payload)

URLs

hxxps://bluestonerepair[.]com/curl/<sha256>
hxxps://bluestonerepair[.]com/update
hxxp://bluestonerepair[.]com/dynamic?txd=<token>
hxxp://bluestonerepair[.]com/gate
hxxps://bluestonerepair[.]com/ledger/<hash>
hxxps://bluestonerepair[.]com/ledger/live/<hash>
hxxps://gatemaden[.]space/curl/<sha256>
hxxp://audio-drivers-zoom[.]us/dynamic?txd=<token>
hxxp://audio-drivers-zoom[.]us/gate

API and Authentication

API Key:        5190ef1733183a0dc63fb623357f56d6
Build Tokens:   985683bd660c0c47c6be513a2d1f0a554d52d241714bb17fb18ab0d0f8cc2dc6
                9a150c0d7b11d483855a2e46fd1f892f06d2198c96dd98a9e2cabec168cc4214

File Hashes

# BarkBlitz.dmg (primary)
SHA256: 4a6250d7dab7d82255cc526f6b857af8f53378c186700dd8682408180b92cb6a
MD5:    27fe183f8c4824270a9fc03317f4134b

# runtimectl (Swift, code-signed)
SHA256: 06c74829d8eee3c47e17d01c41361d314f12277d899cc9dfa789fe767c03693e
MD5:    aa3804744ef482e6c509a77511f98667

# Trezor Suite lure
SHA256: 3dafc00c3c65b1abe74a9933c3ff94455fee4e982e16f4378748997664facb6c
MD5:    c1cdb1625b98d2bf531971ea8bd2637f

# Zoom lure (first known sample)
SHA256: 4d751dd363298589cb436d78cd302f9d794ae1e3670722a464884be908671a9c
MD5:    f9e73c254d7d66e8a99daeb4462e8827

Behavioral Indicators

# File Paths
/tmp/osalogging.zip
/tmp/sync<7_digits>/
/tmp/runner
/Library/Application Support/UserSyncWorker
/Library/Logs/UserSyncWorker.log

# Bundle IDs
com.utils.BarkBlitz
co.runtime.helper.b3f9a2

# Code Signing
Developer ID Application: OKAN ATAKOL (GNJLS3UYZ4)

# Build Metadata
Build tag:    vorona
Version:      1.1.2_release (x64_86 & ARM)

# Registrant Data
j.herbabzed.r@gmail.com
Michael Campagnolo / DomainHive LTD (BVI)
John Ramirez Hernandez / Hosting4You LLC (Anchorage AK)

MITRE ATT&CK Mapping

| Tactic            | Technique                          | ID        |
|-------------------|------------------------------------|-----------|
| Initial Access    | Spearphishing Link                 | T1566.002 |
| Execution         | User Execution: Malicious File     | T1204.002 |
| Execution         | AppleScript                        | T1059.002 |
| Execution         | Unix Shell                         | T1059.004 |
| Persistence       | Launch Agent                       | T1543.001 |
| Defense Evasion   | Obfuscated Files                   | T1027     |
| Defense Evasion   | Code Signing                       | T1553.002 |
| Defense Evasion   | Indicator Removal                  | T1070     |
| Credential Access | GUI Input Capture                  | T1056.002 |
| Credential Access | Keychain                           | T1555.001 |
| Credential Access | Credentials from Web Browsers      | T1555.003 |
| Credential Access | OS Credential Dumping              | T1003     |
| Discovery         | System Information Discovery       | T1082     |
| Discovery         | Process Discovery                  | T1057     |
| Collection        | Data from Local System             | T1005     |
| Collection        | Local Data Staging                 | T1074.001 |
| Collection        | Archive via Utility                | T1560.001 |
| Exfiltration      | Over C2 Channel                    | T1041     |
| Supply Chain      | Compromise Software Supply Chain   | T1195.002 |

Recommendations

Immediate (24-48 hours):

  • Block all three C2 domains and IP 68.183.52.163 at DNS and proxy level
  • Report Apple Developer certificate GNJLS3UYZ4 to Apple for immediate revocation
  • Submit all IOCs to ThreatFox, URLhaus, and community threat feeds
  • Notify Cloudflare abuse for all three proxied domains

Short-term (1-2 weeks):

  • Deploy YARA and Suricata detection rules
  • Audit all Ledger Wallet and Ledger Live installations for modified app.asar files
  • Check macOS endpoints for /tmp/osalogging.zip, /tmp/sync* directories, and /Library/Application Support/UserSyncWorker
  • Investigate Google account j.herbabzed.r@gmail.com for additional infrastructure

Medium-term (1-3 months):

  • Monitor for new domains registered by the same entities or registrant patterns
  • Track OKAN ATAKOL developer certificate usage across code signing databases
  • Monitor MalwareBazaar for new MacSync/BarkBlitz variants
  • Coordinate with Apple SEAR team for comprehensive certificate revocation
  • Report to relevant CERTs and law enforcement

References

  • MalwareBazaar: Sample 4a6250d7...
  • CERT-PL MWDB: Sample analysis
  • ReversingLabs: MacOS.Trojan.Generic classification
  • FileScan.IO: Upload analysis

Published by Breakglass Intelligence -- intel.breakglass.tech
Investigation conducted 2026-03-10