Public macOS malware dataset Malet supports better EDR

New tools Malet and Katalina give defenders large-scale visibility into macOS malware traits, unsigned binaries, and credential stealers.

For years, many teams treated macOS as “low-risk” compared with Windows. That comfort zone is gone. macOS market share has climbed, attackers followed the users, and the last few years brought a sharp rise in macOS-focused malware, especially credential stealers and APT tooling. 

Yet the defensive side never fully caught up. Most EDR rules, threat intel, and SOC playbooks still skew toward Windows events and telemetry. Even where vendors claim macOS coverage, real-world detection tests keep finding blind spots. 

That is the gap a pair of researchers are trying to close with two new resources: Malet, a large public dataset of macOS malware, and Katalina, a high-performance static analysis tool built to work at scale and on any platform.

Malet: a public dataset of thousands of Mach-O binaries

Malet aggregates 48,400 malicious and 22,907 benign Mach-O binaries, giving defenders a broad view of how macOS malware actually behaves in the wild. Instead of a handful of samples, you get tens of thousands, with labels that distinguish malicious from benign executables. 

The dataset tracks macOS-specific traits that keep biting organizations in incident response:

• Misused security entitlements that unlock more capability than a legitimate app needs.
• Abuse of scripting interfaces (AppleScript, osascript, automation hooks) for stealthy execution.
• Code-signing anomalies and odd combinations of signing metadata that rarely appear in clean software.

While compiling the dataset, the team found that 96.1% of the malicious samples – 46,540 binaries – are unsigned. That statistic alone should kill any lingering belief that “if it isn’t from the App Store, it must at least be signed.” Attackers still abuse stolen and revoked certificates, but much of the ecosystem simply runs unsigned code without enough friction.

Katalina: a static analysis tool tailored for macOS malware

To make Malet useful in day-to-day defense, the same researchers built Katalina, an open-source static analysis tool written in Go. Instead of focusing on dynamic execution or sandboxing, it pulls out structural features from Mach-O binaries at high speed: entitlements, signing data, embedded scripts, imported libraries, and other signals. 

Two design choices matter for security teams:

• Katalina is platform-agnostic. You do not need a Mac lab to start bulk-analysing macOS binaries.
• It aims for throughput, processing thousands of binaries per minute on commodity hardware. That is essential if you want to integrate it into CI pipelines, malware triage queues, or bulk telemetry backfills. 

Together, Malet and Katalina give defenders a reproducible base for systematic macOS malware analysis instead of ad-hoc sample collections.
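The following Go program is an added example, not Katalina's own code, of the kind of structural feature extraction described above, built on the standard library's debug/macho package. For each binary it reports whether an LC_CODE_SIGNATURE load command is present (the signed/unsigned split behind the 96.1% figure), the dylibs it imports, and a couple of embedded-script markers. The two Mach-O images it parses are constructed in memory by the helper functions; the Features struct, the marker list, and every function name are this example's own assumptions, not names from Malet or Katalina.

```go
package main

import (
	"bytes"
	"debug/macho"
	"encoding/binary"
	"fmt"
)

// LC_CODE_SIGNATURE (<mach-o/loader.h>); debug/macho returns it as raw LoadBytes.
const lcCodeSignature uint32 = 0x1d

// Constructed, deliberately short marker list for embedded AppleScript/osascript use.
var scriptMarkers = []string{"osascript", "tell application"}

// Features is the per-binary static summary this example emits.
type Features struct {
	Signed    bool     // an LC_CODE_SIGNATURE load command is present
	Libraries []string // LC_LOAD_DYLIB targets
	Scripts   []string // script markers seen anywhere in the raw bytes
}

// ExtractFeatures parses one thin (single-arch) Mach-O image.
func ExtractFeatures(data []byte) (Features, error) {
	f, err := macho.NewFile(bytes.NewReader(data))
	if err != nil {
		return Features{}, err
	}
	var feat Features
	for _, l := range f.Loads {
		// Commands debug/macho does not model arrive as raw bytes: cmd, cmdsize, payload.
		if lb, ok := l.(macho.LoadBytes); ok && len(lb) >= 8 &&
			f.ByteOrder.Uint32(lb[0:4]) == lcCodeSignature {
			feat.Signed = true
		}
	}
	if feat.Libraries, err = f.ImportedLibraries(); err != nil {
		return Features{}, err
	}
	for _, m := range scriptMarkers {
		if bytes.Contains(data, []byte(m)) {
			feat.Scripts = append(feat.Scripts, m)
		}
	}
	return feat, nil
}

// The helpers below construct minimal little-endian arm64 Mach-O images; they
// exercise the parser only and are not runnable programs.
func buildMachO64(cmds [][]byte, payload []byte) []byte {
	body := bytes.Join(cmds, nil)
	hdr := make([]byte, 32) // mach_header_64: seven uint32 fields + reserved
	le := binary.LittleEndian
	le.PutUint32(hdr[0:], macho.Magic64)
	le.PutUint32(hdr[4:], uint32(macho.CpuArm64)) // cpusubtype at 8 stays 0
	le.PutUint32(hdr[12:], uint32(macho.TypeExec))
	le.PutUint32(hdr[16:], uint32(len(cmds)))
	le.PutUint32(hdr[20:], uint32(len(body))) // flags at 24 stay 0
	return append(append(hdr, body...), payload...)
}

func loadDylibCmd(path string) []byte { // dylib_command
	const fixed = 24 // cmd, cmdsize, name offset, timestamp, current, compat
	size := (fixed + len(path) + 1 + 7) &^ 7 // NUL-terminated, 8-byte aligned
	cmd := make([]byte, size)
	binary.LittleEndian.PutUint32(cmd[0:], uint32(macho.LoadCmdDylib))
	binary.LittleEndian.PutUint32(cmd[4:], uint32(size))
	binary.LittleEndian.PutUint32(cmd[8:], fixed) // name follows the fixed part
	copy(cmd[fixed:], path)
	return cmd
}

func codeSignatureCmd() []byte { // linkedit_data_command, dataoff/datasize zero
	cmd := make([]byte, 16)
	binary.LittleEndian.PutUint32(cmd[0:], lcCodeSignature)
	binary.LittleEndian.PutUint32(cmd[4:], 16)
	return cmd
}

// SampleCorpus: one signed sample, one unsigned sample carrying script markers.
func SampleCorpus() [][]byte {
	libSystem := loadDylibCmd("/usr/lib/libSystem.B.dylib")
	security := loadDylibCmd("/System/Library/Frameworks/Security.framework/Versions/A/Security")
	signed := buildMachO64([][]byte{libSystem, codeSignatureCmd()}, nil)
	unsigned := buildMachO64([][]byte{libSystem, security}, []byte("osascript\x00tell application\x00"))
	return [][]byte{signed, unsigned}
}

func main() {
	for i, s := range SampleCorpus() {
		feat, err := ExtractFeatures(s)
		fmt.Printf("sample %d: %+v (err=%v)\n", i, feat, err)
	}
}
```

Run it with go run to print the two feature records. It deliberately inspects only the load-command table: a present LC_CODE_SIGNATURE means the binary carries a signature blob, not that the signature verifies or that the certificate is still valid, which is exactly the distinction the next section turns on. Universal (fat) binaries need macho.NewFatFile first and a pass over each architecture; aggregating the Signed flag across a corpus is what produces an unsigned percentage like the one Malet reports.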

Code-signing gaps and North Korean-linked macOS campaigns

When they dug into the signed binaries inside Malet, the researchers saw a pattern: revoked certificates tied to DPRK-linked APT activity, including cases where a certificate stayed live for more than two years before revocation. 

That aligns with a wider trend. Recent research has shown North Korean operators experimenting with macOS malware built in cross-platform frameworks like Flutter, targeting cryptocurrency, Web3, and high-value professionals through fake job offers and tailored lures. These campaigns have bypassed Apple’s built-in protections more than once and slipped past common malware-scanning backends.

The lesson is simple: code-signing on macOS remains an important layer, yet it does not stop determined nation-state or financially motivated actors. You need visibility into how certificates actually get used, how long bad ones stay valid, and where those binaries run in your environment.

Credential stealers are dominating the macOS landscape

Across enterprise fleets, credential stealers now dominate the macOS threat mix. Stealers go after browsers, password managers, Keychain items, crypto wallets, messaging apps, and session cookies. Multiple threat-intelligence teams have reported that stealers accounted for a huge share of macOS activity in late 2024 and early 2025, especially as attackers shifted toward data theft and account takeover rather than noisy ransomware.

The most worrying part for defenders: even well-known antivirus and EDR products often miss stealer families on Macs, particularly when the malware relies on scriptable automation, living-off-the-land binaries, or newly compiled variants that reuse infrastructure but change code shape.

Malet and Katalina can help here by surfacing the static traits that correlate strongly with stealer behavior, allowing teams to tune detections instead of relying on vendor defaults.

How to use Malet and Katalina in a SOC or Red Team workflow

From a practitioner’s point of view, the value of these tools comes from how you plug them into existing pipelines:

First, enrich your detection engineering. Run Malet samples through Katalina and look for features that map cleanly to your EDR’s telemetry: uncommon entitlements, abnormal AppleScript usage, rare signing combinations, and suspicious library imports. Translate those into EDR detection rules or SIEM hunts so your analysts stop treating macOS events as an afterthought. 

Next, test vendor claims against reality. Many vendors advertise “first-class macOS support.” Malet gives you a way to challenge that. Build repeatable test suites: feed samples to your agents in a controlled lab and see which families generate alerts, which only show up as weak telemetry, and which remain invisible. That evidence helps you tune sensors, pressure vendors, or adjust your endpoint strategy.

Then, support research, training, and purple-team work. Threat-hunting exercises often gravitate to Windows because that is where the data is. With a publicly documented dataset and a fast analyser, you can run capture-the-flag style labs, teach junior analysts how macOS malware looks on disk, and practise response playbooks that include Macs, not just domain-joined Windows endpoints.

Steps for orgs with large Mac fleets

If macOS represents a serious share of your endpoints – 20% or more is common in many US enterprises – treat this as an opportunity to reset your baseline.

Start by aligning visibility:

• Ensure your EDR, XDR, and SIEM pipelines ingest macOS events at the same level of detail as Windows.
• Map macOS-specific telemetry (launch agents, TCC prompts, AppleScript events, Mach-O metadata) to detection rules and dashboards.

Then update policy and hardening:

• Restrict where unsigned Mach-O binaries can execute; enforce tighter controls outside approved developer workflows.
• Monitor developer and build systems for unsigned or oddly signed tools; treat those as higher-risk assets.
• Fold macOS into your regular threat-hunting cadence instead of handling it only when an incident hits.

Finally, build feedback loops: when you respond to macOS incidents, feed the artifacts back into analysis tools like Katalina and re-train local detectors.

Action checklist (short, defender-centric)

Today
• Confirm you have full EDR and log coverage for macOS endpoints, not just Windows.
• Review current detections and hunts for macOS credential stealers and unsigned binaries.

This week
• Pilot Malet and Katalina in a lab; profile a subset of samples and derive candidate detection rules.
• Run a macOS-focused tabletop or purple-team exercise that includes signed DPRK-style malware and stealer scenarios.

This quarter
• Align macOS hardening, detection, and response with your Windows baseline.
• Integrate public macOS malware datasets into SOC training and regression tests for your tooling.

FAQs

Q: Why should we care about a public macOS malware dataset if we already pay for threat intel?
A: Because Malet offers transparent, reproducible coverage you can test yourself. Commercial intel feeds often summarise families, but they rarely give you the full set of binaries and features needed to benchmark your tools and rules in a systematic way. (Sources: Dark Reading, Napier Repository)

Q: Does static analysis still matter when attackers use more fileless techniques?
A: It does. Static analysis surfaces patterns in entitlements, signing, and embedded scripts that fileless techniques still rely on somewhere in the chain. Combining that with behavior-based detection gives you better reach than either alone. (Source: arXiv)

Q: Are Apple’s built-in protections enough for enterprise Mac fleets?
A: No. Recent campaigns from DPRK-linked and financially motivated actors bypassed Apple’s native controls and stayed undetected for meaningful periods. Enterprises need dedicated EDR, tuned detections, and fleet-level hardening on top of what the OS provides. (Sources: Security Magazine, Cybersecurity Dive, westoahu.hawaii.edu)

Q: How can smaller teams practically use these tools without a dedicated research group?
A: Start small. Use Malet and Katalina to generate a handful of high-signal rules – for example, around unusual entitlements and unsigned binaries with certain script patterns – and deploy those as targeted hunts before you attempt full-scale model training. (Sources: Dark Reading, Napier Repository)