SecurityWeek

Malware & Threats

22 New Mac Malware Families Seen in 2024

Nearly two dozen new macOS malware families were observed in 2024, including stealers, backdoors, downloaders and ransomware. 


Nearly two dozen new macOS malware families were observed in 2024, according to Patrick Wardle, a reputable security researcher who specializes in Apple products.

The number of macOS malware families that emerged in 2024 was 22. This is roughly the same as in 2023, but significantly higher than in 2021 and 2022.

The latest macOS malware roundup looks at stealers, ransomware, backdoors and downloaders, and does not include adware and malware from previous years.

The list of macOS stealers that emerged in 2024 includes CloudChat, Poseidon (aka Rodrigo), Cthulhu, BeaverTail, PyStealer, and Banshee.

CloudChat focuses on cryptocurrency wallets and keys. PyStealer, Banshee and Poseidon steal cryptocurrency wallets, as well as browser and other data. BeaverTail is used by North Korean hackers to steal data and deploy additional payloads. 

In the macOS ransomware category, the cybersecurity industry spotted NotLockBit, which encrypts victims’ files while also implementing some basic stealer functionality.

In the backdoors/implants category we have the macOS malware named SpectralBlur, which has basic download, upload and execute capabilities, and which has also been linked to North Korean threat actors.

Another backdoor family is Zuru. Zuru was first spotted in 2021, but Wardle included it in the list because the samples seen in 2024 may be an entirely new malware family rather than just a new version of the known one.


LightSpy, which has been linked to China, has been found to target not only macOS, but also iOS, Android and Windows. While the malware has been used for espionage, recent versions pack destructive capabilities. 

Another backdoor that emerged in 2024 is HZ Rat, which has been seen targeting users in China, and which gives attackers complete control over the infected macOS device. 

Other backdoors seen last year include Activator (downloader for backdoor and crypto-stealer), HiddenRisk (North Korean malware used in cryptocurrency attacks), and RustDoor.

The list of macOS downloaders spotted in 2024 includes RustyAttr, InletDrift, ToDoSwift, and DPRK Downloader (all linked to North Korea); EvasivePanda and SnowLight (linked to China); VShell Downloader, and Unnamed Downloader.

Wardle has made available technical details for each of these malware families, including information on infection vectors, persistence mechanisms, features, and capabilities. Samples have been made available for download.  

Related: Homebrew macOS Users Targeted With Information Stealer Malware

Related: Apple Patches First Exploited iOS Zero-Day of 2025

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
