YARA Rule for Detecting the MacSync Stealer

This post follows up on my previous write-up, From Dead Link to Live Threat, where I stumbled onto an active macOS malware campaign.

After dissecting the payload, one of the components turned out to be part of the MacSync Stealer family, a macOS infostealer that targets Chrome extensions and crypto-wallet directories through AppleScript.

To make future detection easier, I created a unified YARA rule that flags the full range of MacSync behavior: name markers, extension-ID harvesting, and the wallet-stealing AppleScript patterns.

rule MacSync_Stealer
{
    meta:
        description = "Detects MacSync Stealer family via name markers, extension harvesting, and AppleScript indicators"
        author = "FinnaCloud"
        severity = "critical"
        score = 200   // unified rule, extremely high-weight

    strings:
        $name_exact_1 = "MacSync\tStealer\n\n"
        $name_exact_2 = "MacSync Stealer"
        $name_loose   = /MacSync\s{1,20}Stealer/i
        $name_frag    = /M\s*a\s*c\s*S\s*y\s*n\s*c/i

        // Partial fragments (aggressive): these match any text that merely
        // mentions the words, so expect false positives on reports and other signatures
        $name_sub_1 = "MacSync"
        $name_sub_2 = "Stealer"


        // 32 lowercase-letter Chrome extension ID pattern
        $ext_id  = /"[a-p]{32}"/ nocase

        // pluginList chained assignment, typical MacSync behavior
        // ('&' is not a regex metacharacter, so it needs no escaping)
        $plugin_join = /set pluginList to pluginList &/i

        // Detect 10+ consecutive chained pluginList assignments, each appending a
        // quoted 32-char extension ID (mass harvesting). The repeated group has to
        // include the ID literal, otherwise consecutive statements never match.
        $mass_ids = /(set pluginList to pluginList &\s*"[a-p]{32}"\s*){10,}/i


        // ---- APPLESCRIPT STEALER STRUCTURE ----
        $apple_rw = /readwrite\(.*Wallets\/Desktop/i


    condition:
        // ANY of these matches indicates MacSync-like stealer behavior

        // 1 — Name markers (very strong)
        any of ($name_*)

        or

        // 2 — Massive pluginList extension-ID harvesting
        $mass_ids

        or

        // 3 — Normal extension harvesting logic
        ($plugin_join and $ext_id)

        or

        // 4 — AppleScript wallet-stealing mechanisms
        $apple_rw
}

If you’re analyzing AppleScript payloads, Chromium extension droppers, or anything involving wallet-path scraping on macOS, this rule should catch it.
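To see which of the rule's four clauses fires on a given sample, here is an added Python re-implementation of the condition logic (example code, not part of the original post or the rule itself), run over two constructed inputs: a MacSync-like AppleScript fragment and a benign report title. It shows that the bare `Stealer` fragment is the only clause that fires on the benign text.

```python
"""Mirror the YARA rule's four condition clauses in Python so a triage analyst
can see which clause fired. Samples below are constructed, not real captures."""
import re

# Regexes mirror the rule's strings; a quoted 32-char [a-p] string is the Chrome extension-ID form.
NAME_MARKERS = [
    re.compile(r"MacSync\tStealer\n\n"),
    re.compile(r"MacSync Stealer"),
    re.compile(r"MacSync\s{1,20}Stealer", re.I),
    re.compile(r"M\s*a\s*c\s*S\s*y\s*n\s*c", re.I),
    re.compile(r"MacSync"),
    re.compile(r"Stealer"),  # aggressive fragment: matches any mention of the word
]
EXT_ID = re.compile(r'"[a-p]{32}"', re.I)
PLUGIN_JOIN = re.compile(r"set pluginList to pluginList &", re.I)
MASS_IDS = re.compile(r'(set pluginList to pluginList &\s*"[a-p]{32}"\s*){10,}', re.I)
APPLE_RW = re.compile(r"readwrite\(.*Wallets/Desktop", re.I)


def matched_clauses(sample: str) -> list[str]:
    """Return the names of the rule's condition clauses that fire on `sample`."""
    hits = []
    if any(p.search(sample) for p in NAME_MARKERS):
        hits.append("name_markers")
    if MASS_IDS.search(sample):
        hits.append("mass_ids")
    if PLUGIN_JOIN.search(sample) and EXT_ID.search(sample):
        hits.append("plugin_join_and_ext_id")
    if APPLE_RW.search(sample):
        hits.append("apple_rw")
    return hits


# Constructed MacSync-like fragment: twelve chained extension-ID appends (IDs are
# synthetic, letters a-p only) followed by a wallet-directory read.
STEALER_SAMPLE = "set pluginList to {}\n" + "".join(
    'set pluginList to pluginList & "{}"\n'.format(chr(ord("a") + i % 16) * 32)
    for i in range(12)
) + 'readwrite("/tmp/out", "Wallets/Desktop/Exodus")\n'

# Constructed benign text that merely mentions the word "Stealer".
BENIGN_SAMPLE = "Weekly threat digest: new Stealer samples seen on Windows\n"

if __name__ == "__main__":
    for label, text in (("stealer", STEALER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, "->", matched_clauses(text) or "no match")
```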

Furthermore, I have yet to hear back on the abuse reports I sent to Cloudflare and Public Domain Registry.