Security Alert: Infostealer Malware Sees 28% Surge Among Mac Users, Reports Jamf


The DMN Security Bite is proudly sponsored by Mosyle, the sole Apple Unified Platform. We specialize in making Apple devices efficient and secure for enterprises. Our distinct, integrated approach combines top-notch, Apple-focused security solutions, including fully automated Hardening & Compliance, Next Generation EDR, AI-driven Zero Trust, and privileged access management, all supported by the most robust Apple MDM available. Consequently, organizations trust our automated Apple Unified Platform to prepare millions of devices effortlessly and affordably. Start your EXTENDED TRIAL today to see why Mosyle is your ultimate solution for Apple management.


Every year, Jamf, an esteemed Apple device management platform, issues its Security 360: Annual Trends Report, providing an expansive view of the macOS threat landscape facing businesses and consumers. The report draws on anonymized data collected from 1.4 million Macs running Jamf software across 90 countries.

Today, Jamf released its 2025 report, covering insights from the past year. This edition reveals several alarming trends, particularly a 28% increase in infostealer malware, which has emerged as the most prevalent Mac malware type.


Key findings from the report

  1. 32% of organizations have at least one device with critical (and upgradable) vulnerabilities
  2. Jamf recorded around 10 million phishing attempts last year, with 150,000 to 200,000 classified as zero-day attacks
  3. 25% of organizations faced social engineering attacks
  4. Infostealers continue to gain traction, now constituting 28.36% of all detected Mac malware
  5. 1 in 10 users clicked a harmful phishing link
  6. Over 90% of cyberattacks stem from phishing

Infostealers surpass adware

“What began as a tool for creatives and executives is increasingly integrating into the daily tasks of engineers and more. This continued integration broadens the attack surface for cybercriminals,” states Jaron Bradley, Director of Jamf Threat Labs.

It’s a longstanding myth that Macs are immune to malware. While this may have been somewhat accurate in the early 2000s, it is certainly not the case today. Their growing prevalence has made them targets, both in enterprise and personal use, despite Apple’s robust built-in security features like XProtect. Jamf’s report emphasizes the types of malware causing the most disruption.

For the first time, infostealers have outstripped adware as the predominant kind of malware identified among Jamf users, with a remarkable 28.08% increase, now accounting for 28.36% of total malware samples analyzed.

Malware families impacting Macs the most, according to Jamf Threat Labs.

If you’ve been keeping up with Security Bite over the last year, this trend should come as no surprise. I’m actually surprised it took this long for Jamf’s research to confirm it.

As I reported about a year ago, researchers discovered an attempt by state-sponsored hackers from North Korea (DPRK) targeting Mac users with an infostealer disguised as a trojanized meeting application—BeaverTail.

Upon infection, the malware establishes a connection between the Mac and the attacker’s command and control (C2) server to steal sensitive information, such as iCloud Keychain credentials. It silently installs remote desktop software like AnyDesk and keyloggers to take over the device while collecting keystrokes. Infostealers typically aim at web browsers to grab credentials such as passwords and cryptocurrency wallet keys.

The elusiveness of infostealers, and malware in general, often stems from their ability to evade the antivirus engines aggregated by services like VirusTotal. Cybercriminals frequently upload their malicious executables to platforms like VirusTotal to confirm that popular scanners do not detect them, which, unfortunately for them, means the “good guys” can see the samples as well.

What accounts for the rising popularity of infostealers?

We’ve witnessed a significant surge in infostealers in recent years, partly due to their accessibility and low entry barriers. For instance, underground criminal organizations are increasingly running Malware-as-a-Service (MaaS) models, where malware developers create infostealers and lease them to affiliates with minimal technical proficiency. These affiliates receive packaged malware for targeting their chosen victims.

Other factors contributing to their prevalence include quicker financial returns from attacks like ransomware compared to the painstaking timeframe required to see profits from more complex attacks.

Interestingly, Jamf’s report highlights the misuse of PyInstaller, an open-source tool for converting Python scripts into self-contained binaries. Attackers are now exploiting it to stealthily package harmful Python scripts for execution on potential victims’ machines. This is just one of many innovative delivery methods being employed.
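For defenders triaging an unknown Mac binary, the PyInstaller packaging described above leaves a recognizable marker. The following is an added example, not code from Jamf's report: it looks for the archive "cookie" that PyInstaller's CArchive format places at the end of the embedded archive and reads its fields. It assumes an unmodified PyInstaller bootloader; the function names are hypothetical and the sample bytes are constructed.

```python
import struct

# PyInstaller appends a CArchive to the bootloader executable. The archive ends
# with an 88-byte big-endian "cookie": magic, archive length, TOC offset,
# TOC length, Python version, Python shared-library name.
COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIII64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)

MACHO_MAGICS = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
}

def inspect_binary(data: bytes):
    """Return details of an embedded PyInstaller archive, or None if absent."""
    # Search backwards: on macOS a code signature can follow the archive.
    pos = data.rfind(COOKIE_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(
        COOKIE_FORMAT, data, pos)
    archive_start = pos + COOKIE_SIZE - pkg_len
    # Reject a stray magic string whose fields do not describe a real archive.
    if archive_start < 0 or toc_off + toc_len > pkg_len:
        return None
    return {
        "container": MACHO_MAGICS.get(data[:4], "not Mach-O"),
        "archive_start": archive_start,
        "archive_length": pkg_len,
        "python_version": pyver,
        "python_library": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }

def build_sample() -> bytes:
    """Constructed test input: fake Mach-O header, archive, trailing bytes."""
    payload, toc = b"\x00" * 32, b"\x00" * 16   # stand-ins, not real content
    pkg_len = len(payload) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FORMAT, COOKIE_MAGIC, pkg_len, len(payload),
                         len(toc), 311, b"libpython3.11.dylib")
    return b"\xcf\xfa\xed\xfe" + b"\x90" * 60 + payload + toc + cookie + b"SIG" * 8

if __name__ == "__main__":
    print(inspect_binary(build_sample()))
    print(inspect_binary(b"\xcf\xfa\xed\xfe" + b"\x00" * 100))
```

A hit is a triage signal rather than a verdict, since PyInstaller is widely used for legitimate software; it tells an analyst that the interesting logic is Python bytecode inside the archive rather than native code.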

How to protect against infostealers

Apple equips every Mac with a suite of built-in protective services against online threats, but these may not be sufficient on their own.

While you might already be aware of these tips, it’s essential to reiterate them for everyone.

  • Conduct thorough research before installing any software outside the official Mac App Store
  • Hover over links to verify their legitimacy before clicking
  • Employ strong, unique passwords and two-factor authentication (opt for non-SMS; OTP is preferable)
  • Be cautious when granting permissions to applications on your Mac
  • Keep your devices and applications up to date

Jamf’s Security Trends Report is packed with valuable insights, and I highly recommend reading through it. You can find it here.


Follow Arin: Twitter/X, LinkedIn, Threads