The Journey from Suspicious URL to Malware Infection
Note: Please bear in mind that this is my first time publishing an analysis like this, and there may be mistakes. Therefore, please let me know if any facts are incorrect so that they can be corrected.
Introduction
This investigation originated from a Microsoft Defender for Endpoint alert that flagged threat actor activity on a single endpoint. The threat actor is labelled Storm-1113. According to Microsoft, Storm-1113 is a group still in development, so only limited information is available at this time. The delivery source of the URL is unknown, but I believe it most likely arrived via a phishing email.