New Wave of Malware: Over 20 New macOS Threat Families Discovered in 2024

Renowned macOS security expert Patrick Wardle reported that over 20 new families of malware targeting macOS were discovered in 2024. These include stealers, ransomware, backdoors, and downloaders. According to Wardle, the number of new macOS malware families in 2024 totals 22, which is roughly consistent with 2023 figures but significantly exceeds those of 2021 and 2022. It is important to note that adware and malware discovered in previous years are not included in this list.

Among the infostealers for macOS that emerged in 2024 are CloudChat, Poseidon (also known as Rodrigo), Cthulhu, BeaverTail, PyStealer, and Banshee. CloudChat specializes in stealing cryptocurrency wallet data and keys. PyStealer, Banshee, and Poseidon extract data from cryptocurrency wallets, browsers, and other information. BeaverTail is used by North Korean hackers for data theft and deploying additional payloads.

As for new ransomware targeting macOS, cybersecurity experts uncovered NotLockBit last year, which encrypts victims’ files and has basic data-stealing capabilities.

In the backdoors category, Wardle mentions SpectralBlur malware, which has basic downloading, uploading, and file execution capabilities. This threat is believed to be linked to North Korean hackers.

Another new backdoor family is Zuru. Initially spotted in 2021, Zuru was included in the 2024 list by Wardle as the samples discovered last year might represent entirely new malware rather than just a new version of Zuru.

Allegedly linked to China, LightSpy targets not only macOS but also iOS, Android, and Windows. While this malware was primarily used for espionage, its latest versions also possess destructive functionality.

HZ Rat is another backdoor that appeared in 2024. It was observed in attacks on users from China and gives attackers full control over an infected macOS device.

Among other backdoors that emerged last year, Wardle noted Activator (a backdoor loader and cryptocurrency thief), HiddenRisk (a North Korean malicious program used in crypto attacks), and RustDoor.

The list of downloaders for macOS in 2024 was expanded with tools such as RustyAttr, InletDrift, ToDoSwift, and DPRK Downloader (linked to North Korea); EvasivePanda and SnowLight (linked to China); VShell Downloader and Unnamed Downloader.

In his report, Wardle published technical details on each of the new malware families, including information on infection vectors, persistence mechanisms, features, and capabilities. Malware samples are also available for download.