Top Highlights
- Growing Threat Landscape: macOS has become a major target for attackers over the last decade, yet it remains understudied, leaving many defenders unaware of the threats they face.
- New Tools Developed: Researchers Obinna Igbe and Godwin Attigah are unveiling Malet, the largest public dataset of macOS malware to date, and Katalina, an open source static analysis tool, at Black Hat Europe 2025 to improve malware detection and defense.
- Unsigned Malware Findings: 96.1% of the malicious macOS samples in the dataset are unsigned, challenging the assumption that macOS binaries outside the App Store must be signed to run and exposing enforcement gaps in Apple's code-signing model.
- Emerging Threat Actors: The research points to significant involvement of North Korean state-sponsored actors in the macOS malware ecosystem, and to credential stealers as a rising threat to enterprises.
Once considered fairly immune to security threats, macOS has become a major target for attackers over the past decade or so. Still, it remains understudied by security researchers, and defenders often do not know what threats they face or how significant those threats are.
Two researchers joined forces several years ago to change that. Independent researcher Obinna Igbe and Godwin Attigah, a security engineer for Airbnb, have collaborated to catalog currently active macOS malware and to develop a tool that helps identify and defend against these threats in the environment.
At Black Hat Europe 2025 next month, the two will unveil Malet, the largest public dataset of macOS malware to date, and Katalina, a new, open source, high-performance static analysis tool capable of processing thousands of binaries per minute on commodity hardware. They will present these and other findings in a session titled “Silence on macOS: What 70K Binaries Reveal About the MacOS Malware Ecosystem.”
“The macOS malware problem is much bigger than it’s made out to be,” Attigah explains to Dark Reading in a recent interview. He met Igbe about five years ago, when they were working together on insider threats at Google, and the two decided to collaborate, not only to change the industry’s perspective on macOS malware, but to help identify and fight it.
“The primary output of this [research] is shedding light that macOS is not malware-free,” Igbe adds. “I think that should be obvious to the community by now.”
Moreover, much of the macOS malware identified by the researchers is unsigned, challenging a long-held assumption that macOS binaries outside the official App Store must be signed to run, they said. This in turn presents a challenge not only for organizations but also for Apple, which they believe should be probing more deeply into how this is happening.
The researchers have contacted Apple about their work through "unofficial channels," and will formally request comment once they finalize the paper they are presenting at Black Hat, likely on Nov. 21. Apple did not immediately respond to a request for comment from Dark Reading.
Tools for MacOS Defenders
Malet includes 48,400 malicious and 22,907 benign Mach-O binaries, characterizing macOS-specific malware traits, according to a paper that the two plan to present at Black Hat Europe. These characteristics include the misuse of security entitlements, the abuse of scripting interfaces, and anomalies in code signing.
Through their development of Malet, the researchers discovered that 96.1%, or 46,540, of malicious samples are unsigned. This finding exposes critical enforcement gaps in the code-signing model that Apple should be investigating, the researchers noted.
“Not to throw Apple under the bus, but somehow threat actors are finding ways to steal certs or finding ways they sign them,” Igbe says.
As a companion to Malet, the researchers also will release Katalina, a Golang-based open source static analysis tool that extracts structural features and static indicators of potential malware behavior at scale. These indicators include entitlements, signing metadata, embedded scripts, and linked libraries.
“The primary objective [of Katalina] is to identify the core features that make a malware sample what it is,” Igbe explains. Importantly, the researchers built the tool to be platform agnostic, so users don’t have to be working on a macOS platform to analyze samples.
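Since Katalina is to be released at the conference, the block below is an added example and not the project's code. It shows the kind of signing indicators the preceding paragraphs describe being pulled from a Mach-O image with Go's standard debug/macho package, which is pure Go and therefore runs on any host: it classifies the image as unsigned (no LC_CODE_SIGNATURE), ad-hoc signed (a CodeDirectory with the CS_ADHOC flag and an empty CMS wrapper, so no certificate) or signed with a CMS signature, and reads the CodeDirectory identifier. The load-command and blob constants come from Apple's loader.h and cs_blobs.h; the sample images, the identifier "com.example.dropper" and the kind names "unsigned", "adhoc" and "signed" are constructed here for the demonstration and are not real binaries.

```go
package main

import (
	"bytes"
	"debug/macho"
	"encoding/binary"
	"fmt"
)

const ( // from Apple's loader.h and cs_blobs.h; debug/macho decodes none of these
	lcCodeSignature  = 0x1d       // LC_CODE_SIGNATURE: linkedit_data_command (cmd, cmdsize, dataoff, datasize)
	csMagicSuperBlob = 0xfade0cc0 // CSMAGIC_EMBEDDED_SIGNATURE
	csMagicCodeDir   = 0xfade0c02 // CSMAGIC_CODEDIRECTORY, index slot 0
	csMagicCMS       = 0xfade0b01 // CSMAGIC_BLOBWRAPPER around the CMS signature, index slot 0x10000
	csFlagAdHoc      = 0x2        // CS_ADHOC in CodeDirectory.flags
)

// Report holds the signing indicators pulled from one image; Signing is "unsigned", "ad-hoc" (no certificate) or "signed".
type Report struct{ Signing, Identifier string }

// Analyze extracts signing indicators from a Mach-O image without executing it.
func Analyze(image []byte) (*Report, error) {
	f, err := macho.NewFile(bytes.NewReader(image))
	if err != nil {
		return nil, err
	}
	rep := &Report{Signing: "unsigned"}
	for _, l := range f.Loads {
		raw := l.Raw() // debug/macho leaves LC_CODE_SIGNATURE undecoded; Raw() is the whole command
		if len(raw) < 16 || f.ByteOrder.Uint32(raw) != lcCodeSignature {
			continue
		}
		off, size := uint64(f.ByteOrder.Uint32(raw[8:])), uint64(f.ByteOrder.Uint32(raw[12:]))
		if off+size > uint64(len(image)) {
			return nil, fmt.Errorf("LC_CODE_SIGNATURE points outside the image")
		}
		if err := parseSuperBlob(image[off:off+size], rep); err != nil {
			return nil, err
		}
	}
	return rep, nil
}

// parseSuperBlob walks the big-endian SuperBlob index; every offset and length is attacker-controlled, so each is bounds-checked before use.
func parseSuperBlob(blob []byte, rep *Report) error {
	be, n := binary.BigEndian, uint64(len(blob))
	if n < 12 || be.Uint32(blob) != csMagicSuperBlob || 12+8*uint64(be.Uint32(blob[8:])) > n {
		return fmt.Errorf("not an embedded-signature SuperBlob, or its index is truncated")
	}
	hasCMS, adhoc := false, false
	for i := uint64(0); i < uint64(be.Uint32(blob[8:])); i++ {
		slot, off := be.Uint32(blob[12+8*i:]), uint64(be.Uint32(blob[16+8*i:]))
		if off+8 > n {
			return fmt.Errorf("blob %d starts outside the signature", i)
		}
		magic, length := be.Uint32(blob[off:]), uint64(be.Uint32(blob[off+4:]))
		if length < 8 || off+length > n {
			return fmt.Errorf("blob %d ends outside the signature", i)
		}
		if slot == 0 && magic == csMagicCodeDir && length >= 44 { // CodeDirectory: flags at +12, identOffset at +20
			adhoc = be.Uint32(blob[off+12:])&csFlagAdHoc != 0
			if id := uint64(be.Uint32(blob[off+20:])); id < length {
				rep.Identifier = string(bytes.SplitN(blob[off+id:off+length], []byte{0}, 2)[0])
			}
		} else if slot == 0x10000 && magic == csMagicCMS {
			hasCMS = length > 8 // an ad-hoc signature carries an empty CMS wrapper
		}
	}
	if rep.Signing = "ad-hoc"; hasCMS && !adhoc {
		rep.Signing = "signed"
	}
	return nil
}

// words serializes 32-bit fields in the given byte order (helper for the constructed samples below).
func words(bo binary.ByteOrder, vals ...uint32) []byte {
	out := make([]byte, 4*len(vals))
	for i, v := range vals {
		bo.PutUint32(out[4*i:], v)
	}
	return out
}

// buildSample constructs a minimal 64-bit Mach-O image, not a real binary: "unsigned" carries only an LC_UUID; "adhoc" and "signed" add an LC_CODE_SIGNATURE plus a SuperBlob holding a CodeDirectory and a CMS wrapper.
func buildSample(kind, ident string) []byte {
	le, be := binary.LittleEndian, binary.BigEndian
	img := words(le, macho.Magic64, uint32(macho.CpuAmd64), 3, uint32(macho.TypeExec), 1, 24, 0, 0, 0x1b, 24, 0, 0, 0, 0) // mach_header_64 (magic, cputype x86_64, cpusubtype, MH_EXECUTE, ncmds, sizeofcmds, flags, reserved) + LC_UUID (cmd 0x1b, 24 bytes)
	if kind == "unsigned" {
		return img
	}
	flags, cms := uint32(csFlagAdHoc), words(be, csMagicCMS, 8) // ad-hoc: CS_ADHOC set, empty wrapper as codesign emits it
	if kind == "signed" {
		flags, cms = 0, append(words(be, csMagicCMS, 12), 0x30, 0x82, 0, 0) // stand-in for DER-encoded CMS
	}
	cd := append(words(be, csMagicCodeDir, uint32(45+len(ident)), 0x20400, flags, 0, 44, 0, 0, 0, 0x20020000, 0), ident+"\x00"...) // CodeDirectory: magic, length, version, flags, hashOffset, identOffset=44, nSpecialSlots, nCodeSlots, codeLimit, hashSize=32|hashType=SHA-256|platform|pageSize, spare2, then identifier
	sig := append(append(words(be, csMagicSuperBlob, uint32(28+len(cd)+len(cms)), 2, 0, 28, 0x10000, uint32(28+len(cd))), cd...), cms...) // SuperBlob: magic, length, count=2, (slot 0 -> CodeDirectory at 28), (slot 0x10000 -> CMS wrapper after it)
	copy(img[16:], words(le, 2, 40)) // ncmds=2, sizeofcmds=40
	return append(append(img, words(le, lcCodeSignature, 16, 72, uint32(len(sig)))...), sig...) // linkedit_data_command: LC_CODE_SIGNATURE, cmdsize, dataoff (just past header and commands), datasize
}

func main() {
	fmt.Println(Analyze(buildSample("adhoc", "com.example.dropper")))
}
```

On a real file, read it with os.ReadFile and pass the bytes to Analyze; a universal binary has to be split first with macho.NewFatFile, since each FatArch records the offset and size of its slice. The verdict is purely structural: it does not verify the CodeDirectory hashes, validate the CMS certificate chain or check revocation, which is what telling a revoked DPRK-linked certificate from a valid one would require, and it says nothing about whether Gatekeeper would let the file run.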
“Together, MALET and Katalina provide a reproducible foundation for systematic macOS malware analysis,” according to their paper.
MacOS Malware Tied to North Korean Threat Actors
During their research and development of Malet and Katalina, Attigah and Igbe also uncovered some trends in the current macOS malware landscape, which they said can also help defenders.
One is the prevalence of North Korean state-sponsored actors targeting the macOS platform, they said. In fact, among the signed macOS binaries discovered, several carried revoked certificates linked to an advanced persistent threat (APT) group tied to the Democratic People's Republic of Korea (DPRK). Moreover, one of those certificates remained valid for 760 days before Apple revoked it.
“The DPRK has found a place in macOS malware,” Attigah says. “They are heavily invested in mimicking other companies and using co-signing certificates,” as well as building macOS malware, he adds.
Another trend the researchers identified is the rise of credential stealers, which emerged as a primary threat, especially across the enterprise.
Moreover, both antivirus and endpoint detection and response (EDR) products "are not doing a great job at finding them and blocking them early," making it likely that an infection will evade detection, Attigah says. This further underscores the need to share tools such as Malet and Katalina with defenders.
