macOS Malware Is Way Bigger Than You Think


According to Dark Reading, researchers Obinna Igbe and Godwin Attigah will unveil Malet and Katalina at Black Hat Europe 2025 next month. Malet contains 48,400 malicious and 22,907 benign Mach-O binaries, making it the largest public macOS malware dataset. Their research reveals that 96.1% of malicious samples are completely unsigned, directly challenging Apple’s code-signing security model. The researchers also identified North Korean state-sponsored actors actively targeting macOS users, with one signed malware sample remaining active for 760 days before Apple revoked its certificate. Their companion tool Katalina can process thousands of binaries per minute on standard hardware, providing defenders with open-source static analysis capabilities.


The macOS security myth is crumbling

Here’s the thing: we’ve been telling ourselves a comforting lie about macOS security for years. The whole “Macs don’t get viruses” narrative wasn’t just oversimplified—it was dangerously wrong. What Igbe and Attigah found is absolutely staggering. Nearly every malicious sample they cataloged bypassed Apple’s supposed gatekeeping mechanisms. That’s not just a few isolated incidents—we’re talking about systematic failure in the security model that Apple has built its reputation on.

And think about what this means for enterprise security teams. Most organizations running macOS deployments operate under the assumption that code signing provides meaningful protection. But if 96% of malware doesn’t even bother with valid signatures, what exactly are we defending against? The researchers are basically saying Apple needs to investigate how threat actors are either stealing certificates or finding ways to run completely unsigned code. That’s a fundamental crack in the foundation.

North Korea’s macOS playground

This might surprise you, but North Korean threat actors have apparently found macOS to be fertile ground. The researchers discovered several signed binaries with revoked certificates linked to DPRK APT groups. One sample remained active for over two years before Apple caught it. That’s 760 days of potential access to corporate networks, sensitive data, and intellectual property.

What’s particularly concerning is how these actors operate. They’re heavily invested in mimicking legitimate companies and using code-signing certificates to appear trustworthy. Basically, they’re playing the same social engineering games we see on Windows platforms, but with the added advantage that macOS defenders often assume they’re safer. When your security tools and teams aren’t looking for sophisticated macOS threats, state-sponsored actors have a much easier time.

New tools for an uneven fight

The researchers aren’t just pointing out problems—they’re building solutions. Their Black Hat Europe session will showcase both Malet as a comprehensive dataset and Katalina as a practical analysis tool. Katalina’s design is particularly smart—it’s platform agnostic, meaning security analysts don’t need macOS hardware to analyze macOS malware. That’s huge for resource-constrained security teams.
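As an added illustration (not code from Malet or Katalina, whose internals the coverage does not describe), the Python below walks a Mach-O file's load-command table on any operating system and reports whether an LC_CODE_SIGNATURE command is present, which is the basic static signal behind an unsigned-versus-signed tally like the 96.1% figure above. The sample binaries are constructed in memory; a present signature may still be ad-hoc or carry a revoked certificate, so this is a triage signal, not a trust decision.

```python
import struct

# Mach-O constants from <mach-o/loader.h>; the "CIGAM" magics mark byte-swapped files.
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE
LC_UUID, LC_CODE_SIGNATURE = 0x1B, 0x1D
CPU_TYPE_ARM64 = 0x0100000C


def _layout(data):
    """Return (struct endianness prefix, header size) derived from the magic."""
    if len(data) < 28:
        raise ValueError("too short to hold a Mach-O header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64, MH_CIGAM, MH_CIGAM_64):
        raise ValueError("not a thin Mach-O (fat/universal files must be sliced first)")
    endian = "<" if magic in (MH_MAGIC, MH_MAGIC_64) else ">"
    return endian, (32 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 28)


def load_commands(data):
    """Yield (cmd, cmdsize, offset) for each load command, rejecting malformed tables."""
    endian, off = _layout(data)
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", data, 16)
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("load command table runs past end of file")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack_from(endian + "II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % off)
        yield cmd, cmdsize, off
        off += cmdsize


def code_signature_blob(data):
    """Return (dataoff, datasize) of the code-signature blob, or None when unsigned."""
    endian, _ = _layout(data)
    for cmd, cmdsize, off in load_commands(data):
        if cmd == LC_CODE_SIGNATURE and cmdsize >= 16:
            return struct.unpack_from(endian + "II", data, off + 8)
    return None


def signing_status(data):
    """'signed' means a signature blob exists (ad-hoc or revoked certs included), not that it verifies."""
    try:
        return "signed" if code_signature_blob(data) else "unsigned"
    except (ValueError, struct.error):
        return "unparseable"


def build_sample(signed):
    """Constructed minimal arm64 executable header (not a real program) with an LC_UUID and, optionally, a signature."""
    cmds = struct.pack("<II16s", LC_UUID, 24, b"\x11" * 16)
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x4000, 0x300)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 2 if signed else 1, len(cmds), 0, 0)
    return header + cmds
```

Running `signing_status` over a directory of Mach-O slices gives the signed/unsigned split in one pass; fat binaries need their architecture slices extracted first.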

But here’s the real kicker: the researchers say current antivirus and EDR solutions “are not doing a great job” detecting these threats early. So even organizations that think they’re protected might be completely exposed. For industrial and manufacturing environments where reliability is critical, this macOS blind spot could have serious consequences. When your production line depends on macOS systems, you can’t afford to discover threats after they’ve already caused damage.

What happens next?

The big question is how Apple will respond. The researchers have contacted Apple through unofficial channels and plan formal engagement after finalizing their paper around November 21. Apple’s typical approach has been to downplay macOS security concerns, but these findings are too significant to ignore. When independent researchers can catalog nearly 50,000 malicious samples and show that the core security model isn’t working, something has to change.

This research fundamentally shifts how we need to think about macOS security. It’s no longer about whether Macs can get infected—it’s about recognizing that they’re actively being targeted by sophisticated actors who’ve found ways around Apple’s defenses. The era of macOS security complacency is over, and tools like Malet and Katalina are exactly what defenders need to level the playing field.
