MacSync Stealer Campaign Impacting U.S. SLTT macOS Users
ID: 8c76467e-4dd6-5ebb-890c-3a87d2417b4c
STIX ID: report--8c76467e-4dd6-5ebb-890c-3a87d2417b4c
Feed Name: CISecurity.org Insights Blog
## Executive Summary

CIS CTI details an active MacSync Stealer campaign targeting macOS users in U.S. State, Local, Tribal, and Territorial (SLTT) organizations. The campaign leverages SEO-poisoned search results and a ClickFix fake CAPTCHA to trick victims into running Base64-encoded Terminal commands that fetch a Zsh bootstrap and an in-memory AppleScript payload. The malware exfiltrates browser credentials, wallets, Keychain and cloud credentials, and can trojanize Ledger applications to persistently capture seed phrases. IOCs and API-key fingerprints are identified for attribution.
