A new version of MacSync is being delivered through a notarized, digitally signed Swift application. To get around Apple's Gatekeeper checks, it poses as a messaging app installer. The installer has also been found to show users instructions to right-click and launch the application, which is a common way to get around these security measures.
According to MacPaw's Moonlock Lab, MacSync has a feature-rich Go-based agent that allows for remote command and control in addition to basic data theft. The latest version is distributed as a code-signed and notarized Swift application within a disk image (DMG) file named "zk-call-messenger-installer-3.9.2-lts.dmg" that's hosted on "zKcall[.]net/download". Apple has since revoked the code signing certificate. Once parsed, the Base64-encoded payload matches MacSync, a renamed version of Mac.c that initially appeared in April 2025, according to Thijs Xhaflaire of Jamf.
According to him, the modifications and the use of dynamically populated variables indicate a purposeful change in the way the payload is retrieved and verified, probably with the intention of enhancing reliability or avoiding detection. According to Jamf, "this shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized."











