New Security Tools Target Growing macOS Threats
Summary
Independent researcher Obinna Igbe and Airbnb security engineer Godwin Attigah have built MALET, the largest public dataset of macOS malware to date, and Katalina, an open-source, high-performance static analysis tool. MALET contains roughly 48,400 malicious and 22,907 benign Mach-O binaries and highlights common macOS malware traits such as entitlement misuse, scripting-interface abuse and anomalous code-signing. Katalina is a Golang-based, platform-agnostic analyser that extracts signing metadata, entitlements, embedded scripts and library links at scale. The pair will present their findings at Black Hat Europe 2025.
Key Points
- MALET aggregates ~48.4k malicious and ~22.9k benign macOS Mach-O binaries, creating a reproducible foundation for analysis.
- Katalina is a fast, open-source static analysis tool built to process thousands of binaries per minute on commodity hardware.
- Researchers found 96.1% of malicious samples in MALET are unsigned, exposing enforcement gaps in Apple’s code-signing model.
- Some signed samples were linked to DPRK-affiliated APT activity; a revoked certificate remained live for 760 days in one case.
- Credential-stealers are rising as a primary enterprise threat, and many AV/EDR solutions currently struggle to detect them early.
- The combined release of MALET and Katalina aims to help defenders improve detection, hunting and triage for macOS threats.
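As an added illustration (not Katalina's own code and not part of the researchers' release), the Go program below shows the kind of static extraction the summary describes and the signing check behind the "96.1% unsigned" figure: it parses a Mach-O image with the standard library's debug/macho package, lists the dynamic libraries it links, flags whether an LC_CODE_SIGNATURE load command is present, and then tallies the unsigned fraction over a small corpus. The two sample binaries are constructed in memory from raw header bytes purely as test input; they are not real programs. The names Triage, UnsignedRatio and BuildSample are my own choices, not identifiers from the project.

```go
package main

import (
	"bytes"
	"debug/macho"
	"encoding/binary"
	"fmt"
)

// Load command numbers that debug/macho does not expose as named constants.
// Values are taken from Apple's <mach-o/loader.h>.
const (
	lcLoadDylib     = 0x0c // LC_LOAD_DYLIB
	lcCodeSignature = 0x1d // LC_CODE_SIGNATURE
)

// Report is the per-binary triage record this example produces.
type Report struct {
	Cpu              macho.Cpu
	Type             macho.Type
	Libraries        []string
	HasCodeSignature bool
}

// Triage parses a Mach-O image held in memory and records its linked
// libraries plus whether an LC_CODE_SIGNATURE load command exists.
// Presence of the load command only means a signature blob is attached;
// it says nothing about whether the certificate chain is valid or revoked.
func Triage(data []byte) (Report, error) {
	f, err := macho.NewFile(bytes.NewReader(data))
	if err != nil {
		return Report{}, err
	}
	defer f.Close()
	rep := Report{Cpu: f.Cpu, Type: f.Type}
	if rep.Libraries, err = f.ImportedLibraries(); err != nil {
		return Report{}, err
	}
	// debug/macho keeps load commands it does not model as raw bytes, so
	// the command number is read back from the first four bytes of each one.
	for _, ld := range f.Loads {
		raw := ld.Raw()
		if len(raw) >= 8 && f.ByteOrder.Uint32(raw[:4]) == lcCodeSignature {
			rep.HasCodeSignature = true
		}
	}
	return rep, nil
}

// UnsignedRatio returns the fraction of reports that carry no code signature.
func UnsignedRatio(reps []Report) float64 {
	if len(reps) == 0 {
		return 0
	}
	unsigned := 0
	for _, r := range reps {
		if !r.HasCodeSignature {
			unsigned++
		}
	}
	return float64(unsigned) / float64(len(reps))
}

// BuildSample constructs a minimal 64-bit x86_64 Mach-O executable header
// with one LC_LOAD_DYLIB and, when signed is true, one LC_CODE_SIGNATURE.
// Constructed test input only: it has no segments and cannot execute.
func BuildSample(signed bool) []byte {
	le := binary.LittleEndian
	var cmds bytes.Buffer
	// dylib_command (24 bytes) followed by the NUL-terminated path, padded to 8.
	name := []byte("/usr/lib/libSystem.B.dylib\x00")
	pad := (8 - (24+len(name))%8) % 8
	dylibSize := uint32(24 + len(name) + pad)
	binary.Write(&cmds, le, []uint32{lcLoadDylib, dylibSize, 24, 2, 0x05270000, 0x00010000})
	cmds.Write(name)
	cmds.Write(make([]byte, pad))
	ncmd := uint32(1)
	if signed {
		// linkedit_data_command: cmd, cmdsize, dataoff, datasize (values arbitrary).
		binary.Write(&cmds, le, []uint32{lcCodeSignature, 16, 0x1000, 0x200})
		ncmd = 2
	}
	var out bytes.Buffer
	// mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved.
	hdr := []uint32{macho.Magic64, uint32(macho.CpuAmd64), 3, uint32(macho.TypeExec),
		ncmd, uint32(cmds.Len()), 0, 0}
	binary.Write(&out, le, hdr)
	out.Write(cmds.Bytes())
	return out.Bytes()
}

func main() {
	corpus := [][]byte{BuildSample(false), BuildSample(false), BuildSample(true)}
	var reps []Report
	for i, b := range corpus {
		rep, err := Triage(b)
		if err != nil {
			fmt.Printf("sample %d: parse error: %v\n", i, err)
			continue
		}
		fmt.Printf("sample %d: cpu=%v libs=%v signed=%v\n", i, rep.Cpu, rep.Libraries, rep.HasCodeSignature)
		reps = append(reps, rep)
	}
	fmt.Printf("unsigned fraction: %.3f\n", UnsignedRatio(reps))
}
```

The check runs on any host, which is the platform-agnostic property the summary attributes to Katalina, but it is deliberately shallow: a binary can carry an LC_CODE_SIGNATURE command whose certificate has since been revoked, as the 760-day case in the key points shows, so a signature's presence should feed a hunt query rather than a verdict, and chain validation still belongs to a macOS host running codesign or spctl.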
Context and Relevance
macOS has shifted from being perceived as relatively safe to a major target for attackers, yet it remains understudied. This work fills a crucial gap by providing both a large labelled dataset and a scalable analysis tool, enabling security teams, threat intelligence units and vendors to benchmark detections, tune EDRs and hunt more effectively. It also flags systemic issues around code-signing and certificate abuse that merit further investigation by Apple and the security community.
Why should I read this?
Short and blunt: if you protect Macs or care about endpoint threats, read this. These researchers have done the heavy lifting and handed defenders practical artefacts and tooling to speed up hunting and improve detection. It’s the kind of kit that saves you time and helps you plug real gaps.
Author style
Punchy: this is important and actionable. The dataset and analyser have the potential to change how teams prioritise macOS coverage; if you work in endpoint security, threat intel or incident response, the full detail is worth your attention.
