MacSync Stealer: SEO Poisoning and ClickFix-Based macOS Malware Delivery Chain
ID: a9fa95a1-3761-5e0e-a1fa-03b74eafa794
STIX ID: report--a9fa95a1-3761-5e0e-a1fa-03b74eafa794
Feed Name: CloudSEK Blog
CloudSEK analysts describe a multi-stage macOS campaign delivering "MacSync Stealer" via SEO-poisoned search results and ClickFix-style social engineering that tricks users into executing an obfuscated Terminal command. The chain fetches a staged zsh loader, which runs AppleScript payloads to harvest browser credentials, crypto wallets (including desktop and extension data), SSH and cloud keys, and user documents. The collected data is compressed and exfiltrated via chunked HTTP PUTs, and the malware attempts post-compromise tampering of Ledger Live to enable long-term financial manipulation. The report includes domains, file IOCs, and defensive guidance.
