22 New Mac Malware Families Seen in 2024


Nearly two dozen new macOS malware families were observed in 2024, according to Patrick Wardle, a reputable security researcher who specializes in Apple products.

The number of macOS malware families that emerged in 2024 was 22. This is roughly the same as in 2023, but significantly higher than in 2021 and 2022.

The latest macOS malware roundup looks at stealers, ransomware, backdoors and downloaders, and does not include adware and malware from previous years.

The list of macOS stealers that emerged in 2024 includes CloudChat, Poseidon (aka Rodrigo), Cthulhu, BeaverTail, PyStealer, and Banshee.

CloudChat focuses on cryptocurrency wallets and keys. PyStealer, Banshee and Poseidon steal cryptocurrency wallets, as well as browser and other data. BeaverTail is used by North Korean hackers to steal data and deploy additional payloads. 

In the macOS ransomware category, the cybersecurity industry spotted NotLockBit, which encrypts victims’ files while also implementing some basic stealer functionality.

In the backdoors/implants category we have the macOS malware named SpectralBlur, which has basic download, upload and execute capabilities, and which has also been linked to North Korean threat actors.

Another backdoor family is Zuru. Zuru was first spotted in 2021, but Wardle included it in the list because the samples seen in 2024 may be an entirely new malware family rather than just a new version of the known one.


LightSpy, which has been linked to China, has been found to target not only macOS, but also iOS, Android and Windows. While the malware has been used for espionage, recent versions pack destructive capabilities. 

Another backdoor that emerged in 2024 is HZ Rat, which has been seen targeting users in China, and which gives attackers complete control over the infected macOS device. 

Other backdoors seen last year include Activator (a downloader that delivers a backdoor and a crypto-stealer), HiddenRisk (North Korean malware used in cryptocurrency attacks), and RustDoor.

The list of macOS downloaders spotted in 2024 includes RustyAttr, InletDrift, ToDoSwift, and DPRK Downloader (all linked to North Korea); EvasivePanda and SnowLight (linked to China); VShell Downloader, and Unnamed Downloader.

Wardle has made available technical details for each of these malware families, including information on infection vectors, persistence mechanisms, features, and capabilities. Samples have been made available for download.  

Related: Homebrew macOS Users Targeted With Information Stealer Malware

Related: Apple Patches First Exploited iOS Zero-Day of 2025
