
MacSync Stealer Part 2: 29 API Endpoints, a SOCKS5 Proxy Business, and the Same Apple Developer ID Still Signing Malware

Building on existing vendor research, we mapped a new C2 with capabilities not previously documented, including residential proxy resale.

Published April 3, 2026
Tags: macsync, macos, stealer, socks5-proxy, apple-developer-id, maas

In our previous MacSync Stealer coverage, we documented the Apple Developer ID (OKAN ATAKOL, GNJLS3UYZ4) signing macOS malware distributed through fake Zoom and Ledger installers. Apple has not revoked the certificate. The malware is still being signed.

This follow-up investigation started with a tweet from @suyog41 identifying a new MacSync C2 at 172.94.9[.]250. Building on existing vendor research from Jamf Threat Labs, Microsoft, and Sophos, we mapped the operator's management panel and discovered capabilities not previously documented.

The Panel

The C2 serves a React-based management dashboard. While authentication prevented direct access to victim data, the application's static JavaScript files exposed the complete API surface -- 29 endpoints revealing the platform's full capability set:

Payload Management

  • Builder endpoint for generating customized macOS installers
  • Lure templates: Zoom, Trezor Suite, Ledger, "oathBound"
  • ClickFix delivery using fake macOS "install helper" password dialogs

Bot Operations

  • Device inventory with OS version, hardware specs, and geolocation
  • Remote command execution
  • File grabber for targeted document exfiltration
  • Google Cookies restore -- extracts and replays authentication cookies

Monetization

  • SOCKS5 proxy activation on victim Macs (24-hour rotation)
  • Telegram exfiltration across 4 separate channels
  • Cryptochecker for cryptocurrency wallet balance verification
  • Safe Exit anti-forensics to clean traces on command

Distribution

  • Guest link system for affiliate access -- confirms MaaS model
  • Multiple operator accounts with role-based permissions

The SOCKS5 Angle

The proxy capability is the most commercially significant finding. Each compromised Mac becomes a residential proxy node for 24 hours, cycling through the victim pool to maintain fresh IP addresses. Residential proxies from macOS devices command premium prices on proxy marketplaces -- $5-15 per IP per day -- because they appear as legitimate consumer traffic from Apple hardware.

This means MacSync has two revenue streams: direct credential theft and proxy resale. A botnet of even a few hundred Macs generates meaningful proxy income independent of whether the stolen credentials are ever monetized.
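From the defender's side, a Mac that is being used as a SOCKS5 exit receives SOCKS5 greetings and CONNECT requests from outside peers, and those are easy to recognise on the wire (RFC 1928). The parser below is an added example for this write-up, not MacSync code and not the panel's own logic; it assumes you already have the client-side bytes of a reassembled TCP stream (from a packet capture or a network sensor), and the byte strings it ships with are constructed, not captured traffic.

```python
"""SOCKS5 (RFC 1928) handshake parser for network-side detection.

Added example for this write-up; not MacSync code and not the panel's logic.
The sample byte strings at the bottom are constructed, not captured traffic.
"""

import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
AUTH_NAMES = {0x00: "no-auth", 0x02: "username/password"}


def parse_greeting(data: bytes):
    """Parse the client greeting: VER, NMETHODS, METHODS[NMETHODS].

    Returns (methods, bytes_consumed) or None if this is not a SOCKS5 greeting.
    """
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods]), 2 + nmethods


def parse_request(data: bytes):
    """Parse the client request: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT.

    Returns (command, host, port) or None if the bytes are not a valid request.
    """
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01:  # IPv4, 4 bytes
        if len(data) < 10:
            return None
        host, end = str(ipaddress.IPv4Address(bytes(data[4:8]))), 8
    elif atyp == 0x03:  # domain name, one length byte then the name
        n = data[4]
        if len(data) < 5 + n + 2:
            return None
        host, end = data[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == 0x04:  # IPv6, 16 bytes
        if len(data) < 22:
            return None
        host, end = str(ipaddress.IPv6Address(bytes(data[4:20]))), 20
    else:
        return None
    port = struct.unpack("!H", data[end:end + 2])[0]
    return CMD_NAMES[cmd], host, port


def classify_client_stream(client_bytes: bytes):
    """Summarise the client side of a stream, or return None if not SOCKS5.

    A Mac that receives these from external peers on an unexpected port is
    acting as a proxy exit, which is the behaviour described above.
    """
    greeting = parse_greeting(client_bytes)
    if greeting is None:
        return None
    methods, consumed = greeting
    summary = {
        "auth_methods": [AUTH_NAMES.get(m, f"0x{m:02x}") for m in methods],
        "request": None,
    }
    req = parse_request(client_bytes[consumed:])
    if req is not None:
        summary["request"] = {"cmd": req[0], "host": req[1], "port": req[2]}
    return summary


# Constructed samples: a no-auth greeting followed by CONNECT example.com:443,
# an IPv4 CONNECT to a documentation-range address, and a plain HTTP request.
SAMPLE_DOMAIN_STREAM = (b"\x05\x01\x00"
                        + b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + b"\x01\xbb")
SAMPLE_IPV4_STREAM = (b"\x05\x01\x00"
                      + b"\x05\x01\x00\x01" + bytes([203, 0, 113, 7]) + b"\x00\x50")
SAMPLE_HTTP_STREAM = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for name, stream in [("domain", SAMPLE_DOMAIN_STREAM),
                         ("ipv4", SAMPLE_IPV4_STREAM),
                         ("http", SAMPLE_HTTP_STREAM)]:
        print(name, classify_client_stream(stream))
```

The useful signal for detection is not the greeting alone (legitimate proxy clients on a corporate network send the same bytes) but the direction: inbound greetings from external addresses to a workstation that is not supposed to run a proxy service.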

OKAN ATAKOL

The Apple Developer ID GNJLS3UYZ4 (registered to OKAN ATAKOL) continues to sign MacSync samples. Eight samples tracked on MalwareBazaar use this certificate:

  • Zoom installer lure
  • Trezor Suite lure
  • Ledger wallet lure
  • oathBound lure
  • Multiple unnamed variants

We reported the certificate to Apple for revocation in our previous investigation. As of April 3, 2026, it remains valid. Every new MacSync build signed with this certificate bypasses macOS Gatekeeper without triggering a warning.
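A quick local check for this certificate is to read the Team ID that codesign reports for a bundle. The script below is an added example, not tooling from this report; it parses the key=value output of `codesign -dv --verbose=4` (which macOS writes to stderr) and flags the GNJLS3UYZ4 Team ID. The SAMPLE_OUTPUT it ships with is constructed to resemble that output, and the bundle path and identifier in it are placeholders.

```python
"""Flag macOS bundles signed under a tracked Apple Developer Team ID.

Added example for this report, not tooling from the original research.
Works from the key=value output of `codesign -dv --verbose=4`, which macOS
writes to stderr. SAMPLE_OUTPUT is constructed to resemble that output; the
path and bundle identifier in it are placeholders.
"""

import re
import subprocess

# Team ID tracked in this report; add others from your own intelligence.
BLOCKED_TEAM_IDS = {"GNJLS3UYZ4"}

# codesign prints most facts as one "Key=Value" per line; lines whose key has
# spaces or dots ("CodeDirectory v=...", "Info.plist entries=...") are skipped.
_KV = re.compile(r"^([A-Za-z]+)=(.*)$")


def parse_codesign(text: str) -> dict:
    """Turn codesign output into a dict; repeated Authority= lines become a list."""
    info = {}
    for line in text.splitlines():
        match = _KV.match(line.strip())
        if not match:
            continue
        key, value = match.groups()
        if key == "Authority":
            info.setdefault("Authority", []).append(value)
        else:
            info[key] = value
    return info


def verdict(info: dict) -> str:
    """Decide what to do with a bundle based on its parsed signing info."""
    team = info.get("TeamIdentifier", "not set")
    if team in BLOCKED_TEAM_IDS:
        return f"BLOCKED: signed by tracked Team ID {team}"
    if team == "not set":
        # codesign reports "TeamIdentifier=not set" for ad-hoc or unsigned code
        return "REVIEW: no Team ID (unsigned or ad-hoc signature)"
    return f"ok: Team ID {team}"


def check_bundle(path: str) -> str:
    """Run codesign against a real bundle (macOS only) and return the verdict."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True, check=False)
    return verdict(parse_codesign(proc.stderr))


# Constructed sample resembling codesign output for a lure signed with the tracked ID.
SAMPLE_OUTPUT = """\
Executable=/Users/victim/Downloads/Installer.app/Contents/MacOS/Installer
Identifier=com.example.installer
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: OKAN ATAKOL (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Info.plist entries=20
TeamIdentifier=GNJLS3UYZ4
Sealed Resources version=2 rules=13 files=3
"""

if __name__ == "__main__":
    print(verdict(parse_codesign(SAMPLE_OUTPUT)))
```

Matching on the Team ID rather than the leaf certificate's subject name survives certificate renewals under the same developer account, which is the unit Apple would revoke.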

Infrastructure

Component     Detail
C2 IP         172.94.9[.]250 (Secure Internet LLC, Houston TX)
C2 domain     gatemaden[.]space (suspended, registered Nov 17 2025)
Panel         React SPA with REST API backend
Language      Russian-primary UI
Hosting       172.94.0.0/17, abuse contact: admin@pointtoserver.com
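The indicators above can be matched against DNS and connection logs directly. This is an added example for the report, not the authors' tooling; it refangs the indicators as written in the table, matches them against constructed log lines (the line format is a hypothetical sensor format, not any specific product), and additionally flags the wider 172.94.0.0/17 hosting range at lower confidence, since that is a hosting block rather than a dedicated C2 range.

```python
"""Match this report's network indicators against DNS and connection logs.

Added example, not the report authors' tooling. The indicators are taken from
the table above as written (defanged) and refanged here; the log lines are
constructed in a hypothetical sensor format, not real telemetry.
"""

import ipaddress
import re

DEFANGED_IOCS = {
    "172.94.9[.]250": "MacSync C2 IP",
    "gatemaden[.]space": "MacSync C2 domain (suspended)",
}
# Hosting block from the table; a hit here is weaker evidence than the C2 IP itself.
HOSTING_RANGE = ipaddress.ip_network("172.94.0.0/17")


def refang(indicator: str) -> str:
    """Undo the [.] and hxxp defanging used in reports so values match raw logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def scan_line(line: str) -> list:
    """Return (observed_value, label) hits for one log line."""
    hits = []
    for ip in _IPV4.findall(line):
        if ip in IOCS:
            hits.append((ip, IOCS[ip]))
            continue
        try:
            if ipaddress.ip_address(ip) in HOSTING_RANGE:
                hits.append((ip, "in hosting range 172.94.0.0/17 (low confidence)"))
        except ValueError:
            pass  # e.g. 999.1.1.1 matched the regex but is not an address
    for host in _HOST.findall(line):
        if _IPV4.fullmatch(host):
            continue  # already handled as an IP
        lowered = host.lower()
        for ioc, label in IOCS.items():
            # exact match or any subdomain of the indicator domain
            if lowered == ioc or lowered.endswith("." + ioc):
                hits.append((host, label))
    return hits


def scan_logs(lines) -> dict:
    """Map each matching line's index to its hits; lines without hits are omitted."""
    return {i: h for i, line in enumerate(lines) if (h := scan_line(line))}


SAMPLE_LOGS = [  # constructed, not real telemetry
    "2026-04-03T10:01:02Z dns A gatemaden.space client=10.0.0.12",
    "2026-04-03T10:01:05Z conn 10.0.0.12:51234 -> 172.94.9.250:443 proto=tls",
    "2026-04-03T10:02:00Z conn 10.0.0.14:51240 -> 172.94.120.5:80 proto=http",
    "2026-04-03T10:03:00Z conn 10.0.0.15:51300 -> 203.0.113.10:443 proto=tls",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS).items():
        print(idx, SAMPLE_LOGS[idx], hits)
```

The domain was already suspended when this was written, so a DNS query for it from an endpoint is still worth an alert: it indicates a sample that carries that C2 configuration is executing, even though the resolution will fail.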

Detection

Three YARA rules and thirteen Suricata signatures covering the MacSync Mach-O binaries, C2 panel JavaScript artifacts, and ClickFix delivery ZIP patterns are available on our GitHub:


h/t @suyog41 for the new C2 IP.
