Hackers build custom Mac malware using GenAI
- Mac users need to stop believing that macOS is more secure than Windows
- Generative AI has helped non-coders create their own malware
- Social engineering remains the most common attack method
Cybersecurity experts from Moonlock warn about the increasing prevalence of advanced macOS malware created using generative AI.
In its 2024 Threat Report, Moonlock examined how publicly available tools like ChatGPT have allowed hackers to bypass the technical barriers they previously faced and create malicious software more quickly.
The investigation revealed screenshots posted to darknet forums showing hackers using artificial intelligence to guide them step-by-step through the development of Mac-related malware.
AI helps build macOS malware
One of the examples given was a case involving Russian-speaking threat actor ‘barboris’, who admitted to building macOS malware without any prior coding experience thanks to generative AI. Using natural language prompts, ‘barboris’ was able to create an infostealer that could target keychain data and cryptocurrency wallet information.
The report summarizes: “The barrier to entry is lower than ever and AI has become a new ally for cybercriminals looking to launch macOS-targeted campaigns.”
Moonlock explains that the rise of malware-as-a-service (MaaS) has also made macOS malware more accessible than ever. Cheaper MaaS offerings lower the barrier for attackers and make macOS malware more common than before.
The researchers argue that the rise of MaaS has made cybercrime a collaborative effort, creating new roles for makers and distributors.
Previously, Apple’s desktop operating system was favored over its Windows counterpart because it was less susceptible to cyber attacks, but the researchers explained that the idea that macOS remains inherently secure is now outdated.
Users are advised to treat macOS like any other operating system or internet-connected device by keeping the software up to date with security patches, downloading apps only from trusted sources such as the Mac App Store, and installing reputable third-party security tools.
While the threat environment may be changing, social engineering remains the most common way to gain access, and all users should refrain from handing out sensitive information unless absolutely necessary.
“We expect to see an increase in stealers targeting macOS by 2025,” said Mykhailo Pazyniuk, Malware Research Engineer at Moonlock. “In 2024, we’ve seen several threat actors attempt to bypass Apple’s defenses, highlighting users as the weakest link in this attack chain. Therefore, threat actors haven’t put much effort into finding exploits in macOS itself.”
“One thing is certain: as many stealers eventually did their job and managed to exfiltrate sensitive user data and their crypto assets, the market for MaaS and macOS exploits will continue to grow in 2025, potentially providing more ways to stay undetected by antivirus software,” Pazyniuk said.