
Malware attacks on macOS systems have surged recently, with the activity concentrated on infostealers. Palo Alto Networks’ Unit 42 found that infostealers made up the largest share of the new macOS malware seen in 2024. Among the most prevalent infostealers targeting macOS in the wild are Poseidon, Atomic, and Cthulhu, each with its own set of capabilities. Users of macOS are valuable targets because threat actors can abuse the platform’s own tooling, such as AppleScript, and exploit the widespread assumption that a Mac is secure by default.
The Rise of macOS Infostealers
An infostealer, as the name suggests, is malware that collects data from a compromised system and exfiltrates it to the attacker. Despite that narrow function, infostealers can pose a catastrophic threat to organizations by exposing sensitive and business-critical data. Unit 42 reported a 101% increase in macOS infostealers between Q3 and Q4 of 2024.
Cybercriminals use infostealers to harvest large volumes of sensitive data, including credentials, financial details, proprietary information and intellectual property, and the personally identifiable information (PII) of employees and customers. Once the data is stolen, attackers profit by selling it on dark-web markets, using it to extort the victim, or reusing it in follow-on attacks.
AppleScript as a Cybercrime Tool
AppleScript is Apple’s scripting language for macOS, built to automate applications and pass commands between them. Its syntax is designed to read like plain English so that ordinary users can pick it up, and scripts can be run from the Script Editor app or from the command line with osascript. Its legitimate uses range from running shell scripts to routine chores like emptying the Trash.
Unfortunately, that same accessibility and automation power make AppleScript an easy tool for attackers. Because it can drive other applications and script interactions that would otherwise require the user, malware can turn native software against the system it runs on. Poseidon Stealer and Cthulhu Stealer both use AppleScript to run commands that reach sensitive information, for example by wrapping shell commands in AppleScript’s do shell script statement.
A common social-engineering tactic in these attacks, used by Poseidon Stealer among others, is to display fake system prompts, typically AppleScript dialogs, whose wording mimics genuine macOS prompts. The user, trusting the dialog, types in a password or takes whatever action it requests, which lets the attacker harvest credentials or talk the victim into weakening security settings.
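The two AppleScript abuses just described, fake credential dialogs and shell commands run through AppleScript, leave a recognizable trace in process-execution telemetry: an osascript invocation whose inline script asks for a hidden answer or for administrator privileges. The following detector is an added example written for this article, not code from Unit 42 or from any of the malware families named above. It runs over a constructed list of (parent process, command line) events; the dialog text, paths and parent names are invented for the example, and the rules are a starting point to tune, not a complete signature set.

```python
import os
import re
import shlex

# Constructed sample of process-execution events, not real telemetry: each
# tuple is (parent process name, full command line of the child process).
SAMPLE_EXEC_EVENTS = [
    # Benign automation: a user script that empties the Trash.
    ("Script Editor",
     "osascript -e 'tell application \"Finder\" to empty the trash'"),
    # Fake system prompt that asks for the login password and hides the
    # typed answer; the dialog text here is constructed for the example.
    ("bash",
     "osascript -e 'display dialog \"macOS needs to access System Settings. "
     "Please enter your password.\" default answer \"\" with hidden answer "
     "with title \"System Preferences\"'"),
    # Shell command run through AppleScript behind an admin-credential prompt.
    ("sh",
     "osascript -e 'do shell script \"cp /tmp/agent /Library/LaunchAgents/\" "
     "with administrator privileges'"),
    # Compiled script executed from a temporary directory.
    ("Terminal", "osascript /private/tmp/setup.scpt"),
    # Scheduled user script from a normal location.
    ("launchd", "/usr/bin/osascript /Users/alice/Library/Scripts/backup.scpt"),
]

# Content rules applied to AppleScript source passed with -e. A dialog
# "with hidden answer" is what a password-harvesting prompt needs; "with
# administrator privileges" is how a script elevates through a prompt.
CONTENT_RULES = [
    ("fake_password_prompt",
     re.compile(r"display dialog\b.*\bhidden answer\b", re.I | re.S)),
    ("admin_shell",
     re.compile(r"do shell script\b.*\bwith administrator privileges\b", re.I | re.S)),
]

TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
SHELL_PARENTS = {"sh", "bash", "zsh"}


def parse_osascript(cmdline):
    """Split an osascript command line into (inline scripts, script paths).

    Returns None when the command is not osascript at all.
    """
    argv = shlex.split(cmdline)
    if not argv or os.path.basename(argv[0]) != "osascript":
        return None
    inline, paths = [], []
    i = 1
    while i < len(argv):
        if argv[i] == "-e" and i + 1 < len(argv):
            inline.append(argv[i + 1])
            i += 2
        elif argv[i] == "-l" and i + 1 < len(argv):
            i += 2          # -l takes a language name, not a script
        elif argv[i].startswith("-"):
            i += 1          # other flags (-s, -h) take no script text
        else:
            paths.append(argv[i])
            i += 1
    return inline, paths


def analyze(parent, cmdline):
    """Return the list of rule names that fire for one execution event."""
    parsed = parse_osascript(cmdline)
    if parsed is None:
        return []
    inline, paths = parsed
    findings = []
    for script in inline:
        for name, pattern in CONTENT_RULES:
            if pattern.search(script) and name not in findings:
                findings.append(name)
    if any(p.startswith(TEMP_DIRS) for p in paths):
        findings.append("script_from_temp_dir")
    # A shell parent is far too common to alert on by itself; report it only
    # as context when a content or path rule has already fired.
    if findings and parent in SHELL_PARENTS:
        findings.append("spawned_by_shell")
    return findings


def scan(events):
    """Return (parent, cmdline, findings) for every event that triggers a rule."""
    hits = []
    for parent, cmdline in events:
        findings = analyze(parent, cmdline)
        if findings:
            hits.append((parent, cmdline, findings))
    return hits


if __name__ == "__main__":
    for parent, cmdline, findings in scan(SAMPLE_EXEC_EVENTS):
        print(f"{parent:>13} -> {', '.join(findings)}")
```

In production the events would come from an EDR agent or an Endpoint Security client rather than a list literal, and the rules should be extended to compiled scripts (.scpt files cannot be matched by text) by hashing or decompiling them before they run.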
Implications for macOS Security
Thinking about macOS security is often colored by a few popular misconceptions: that malware and adware are not significant threats, that system updates are unnecessary, that cybercriminals see no value in targeting Mac users, and that the built-in security features are enough to stop those who do. These myths lead Mac users to let their guard down and grow complacent, making them easier targets for cyberattacks.
“The days of considering macOS immune to malware are over,” says Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM). Organizations and individual Mac users alike must understand this and take steps to secure their systems against malware and other cyberattacks.
Protecting Against the Growing macOS Threat
To defend against these threats, security teams “should restrict AppleScript permissions, bolster endpoint detection, and enforce user training to counter social engineering tactics,” according to Soroko. “Routine patching, enhanced monitoring of system logs, and stricter control over application installations are critical to mitigating these growing risks.” Users are also encouraged to use best practices, including strong password hygiene, multi-factor authentication, data encryption, and security measures like firewalls.
For enterprises, investing in threat intelligence and behavioral detection can reduce the risk from macOS threats. Threat intelligence, in the form of indicators and signatures for known malware, blocks samples that have already been seen, while behavioral detection analyzes access, execution, and user activity for anomalies that can reveal threats no signature covers yet. Apple’s security updates close specific vulnerabilities, but they do not deliver the blanket protection many users mistakenly expect from macOS; dedicated security controls are needed to adequately protect any system.
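The "anomalous access" side of behavioral detection can be made concrete: an infostealer has to read the browser credential databases and the login keychain, and those files have a short list of processes that legitimately open them. The block below is an added example for this article, not a product's detection logic. It runs over a constructed list of (process name, opened path) events; the store paths are the standard Chrome profile and login-keychain locations, but the allowlist of expected readers is an assumption that must be tuned to the fleet's actual software (backup agents, for instance, may legitimately touch these files).

```python
import re
from collections import defaultdict

# Credential stores an infostealer typically goes after, paired with the
# processes expected to open each one. The allowlists are assumptions made
# for this example; tune them before deploying anything like this.
CREDENTIAL_STORES = {
    "chrome_login_data": (
        re.compile(r"/Library/Application Support/Google/Chrome/[^/]+/Login Data$"),
        {"Google Chrome"},
    ),
    "chrome_cookies": (
        re.compile(r"/Library/Application Support/Google/Chrome/[^/]+/Cookies$"),
        {"Google Chrome"},
    ),
    "login_keychain": (
        re.compile(r"/Library/Keychains/login\.keychain-db$"),
        {"securityd"},
    ),
}

# Constructed sample of file-open events, not real telemetry: (process, path).
SAMPLE_FILE_EVENTS = [
    ("Google Chrome", "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"),
    ("securityd", "/Users/alice/Library/Keychains/login.keychain-db"),
    ("Finder", "/Users/alice/Documents/notes.txt"),
    ("Updater", "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"),
    ("Updater", "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"),
    ("Updater", "/Users/alice/Library/Keychains/login.keychain-db"),
]


def classify(path):
    """Return the credential-store name a path belongs to, or None."""
    for name, (pattern, _) in CREDENTIAL_STORES.items():
        if pattern.search(path):
            return name
    return None


def find_anomalies(events):
    """Return (process, store, path) for every store opened by an unexpected process."""
    anomalies = []
    for process, path in events:
        store = classify(path)
        if store is None:
            continue
        _, allowed = CREDENTIAL_STORES[store]
        if process not in allowed:
            anomalies.append((process, store, path))
    return anomalies


def bulk_readers(events, threshold=2):
    """Map each unexpected process to the distinct stores it touched, keeping
    only processes that reached at least `threshold` stores. One process
    sweeping several stores in a row is the shape of a harvest, not a bug."""
    stores_by_process = defaultdict(set)
    for process, store, _ in find_anomalies(events):
        stores_by_process[process].add(store)
    return {p: s for p, s in stores_by_process.items() if len(s) >= threshold}


if __name__ == "__main__":
    for process, store, path in find_anomalies(SAMPLE_FILE_EVENTS):
        print(f"unexpected reader {process!r} opened {store}: {path}")
    for process, stores in bulk_readers(SAMPLE_FILE_EVENTS).items():
        print(f"bulk harvest suspected: {process} read {sorted(stores)}")
```

A single unexpected read is worth a low-severity alert; the bulk_readers view is what should page someone, because a legitimate tool rarely needs the browser's password database, its cookie jar and the keychain all at once.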
Conclusion
The growing popularity of infostealers and other malware aimed at macOS underscores the need for heightened security awareness and better cyber hygiene among macOS users. Despite the common misconception, these systems are not secure against every threat by default, and attackers may step up their targeting of macOS as they seek to exploit missing security controls and easily abused native software. Organizations and individuals should build awareness of the threats to their systems and put effective security tools and practices in place to prevent attacks.