{
	"id": "ee220000-feaf-4ced-a03e-03aeae73311e",
	"created_at": "2026-04-06T01:30:19.764644Z",
	"updated_at": "2026-04-10T03:21:53.591283Z",
	"deleted_at": null,
	"sha1_hash": "4ac568de7d92b73f9b8873c6da5d07f7a6e8f717",
	"title": "How CrowdStrike Analyzes macOS Malware to Optimize Automated Detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 301663,
	"plain_text": "How CrowdStrike Analyzes macOS Malware to Optimize Automated Detection\r\nBy Paul-Danut Urian\r\nArchived: 2026-04-06 00:15:54 UTC\r\nRansomware (43% of analyzed threat data), backdoors (35%) and trojans (17%) were the most popular macOS malware categories spotted by CrowdStrike researchers in 2021\r\nOSX.EvilQuest (ransomware), OSX.FlashBack (backdoor) and OSX.Lador (trojan) were the most prevalent threats in their respective categories\r\nTo strengthen customer protection, CrowdStrike researchers continuously build better automated detection capabilities by analyzing and understanding how macOS threats behave\r\nUnderstanding the threat landscape and how threats behave is the first step CrowdStrike researchers take toward strengthening customer protection. They based the following threat landscape analysis on internal and open source data, which revealed that in 2021 the most commonly encountered macOS malware types were ransomware (43%), backdoors (35%) and trojans (17%). Each category is driven by a different motive: ransomware by money, backdoors by remote access and trojans by data theft.\r\nFigure 1. macOS Threat Landscape in 2021\r\nOSX.EvilQuest was the most prevalent macOS ransomware family in 2021, accounting for 98% of ransomware in the researchers’ analysis, while OSX.Flashback accounted for 31% of macOS backdoor threats and OSX.Lador accounted for 47% of macOS trojans. Improving the CrowdStrike Falcon® platform’s ability to detect macOS threats is a continuous process. CrowdStrike researchers constantly hunt, analyze and gain understanding of any macOS artifact that looks even remotely suspicious to improve CrowdStrike's automated machine learning and behavior-based protection capabilities. The fallacies that macOS cannot be harmed by threats, or is targeted only by less-sophisticated malware, still linger.\r\nhttps://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities/\r\nPage 1 of 7\r\nThis blog addresses some of the challenges and requirements our researchers must meet when analyzing macOS threats. The deep understanding and knowledge they gain is used both to create new features for structural parsing that augment our machine learning detection capabilities and to improve the proficiency of our behavior-based protection.\r\nBiting Into the Apple\r\nmacOS malware research starts with the fundamentals, such as classifying macOS malware by file type; continues with the capabilities, intended targets and general behavior of malware; and ends with the obstacles researchers encounter when analyzing macOS malware. Threats that target macOS systems have the same goals as those targeting any other operating system; they range from spying and reconnaissance to cryptocurrency mining, file encryption, remote access, and adware-related hijacking and injection.\r\nFile Type Classification for macOS Threats\r\nMalware developers often try to hide or mask file types in an attempt to trick users into executing them. File-type identification also helps in establishing the tools required for the analysis. Figure 2 offers an overview of macOS malware file types.\r\nFigure 2. macOS malware by file types\r\nEven though most malware samples are compiled binaries, many non-binary file types are commonly encountered while analyzing macOS malware; each has its own advantages and disadvantages for the adversaries that use them. Examples include:\r\nApple Disk Images (.dmg) are favored because they’re automatically mounted on execution; both OSX.EvilQuest (Figure 3) and OSX.Shlayer malware typically use this file type.\r\nPackages (.pkg, .mpkg) are another common file type abused by malware, as they allow malware developers to define preinstall and postinstall scripts that run automatically during the installation process. For example, OSX.EvilQuest uses a malicious package — after mounting the .dmg file — that has a postinstall script that copies the malicious OSX.EvilQuest binary to /Library/mixednkey/ under the name toolroomd.\r\nAppleScripts, including run-only AppleScript variants used for automating repetitive tasks, are often abused by macOS threats such as OSX.OSAMiner, a popular cryptocurrency miner.\r\nDelivery and Infection Vectors\r\nOne of the most common methods of spreading malware involves using social engineering tactics in an attempt to trick the user into manually infecting their macOS system. Fake updates, fake applications, trojanized applications and tainted versions of legitimate applications are the most common methods used to trick users into installing malicious software. For example, OSX.EvilQuest ransomware has been known to impersonate popular sound mixing applications (as seen in Figure 3), while trojans like OSX.Lador are distributed via spam emails that contain malicious add-ons, cracked applications, free programs and fake updates.\r\nFigure 3. OSX.EvilQuest ransomware installing as fake Mixed In Key DJ application\r\nOther malware variants, such as OSX.XCSSET, are distributed via either malicious documents or supply chain attacks targeting legitimate software development tools such as Xcode, Apple’s IDE. More complex attacks use exploits in different applications or in compromised OS kernels or accounts. For example, older OSX.FlashBack backdoor variants were known to use Java exploits to compromise targets. By understanding delivery and infection vectors, researchers can take a layered approach to security, building protection capabilities to stop breaches.\r\nPersistence and Tactics\r\nMost threats, including macOS malware, attempt to ensure persistence to survive system reboots. Analyzing and understanding persistence tactics enables researchers to build behavior-based detections and train automated machine learning (ML) detections. While one of the most common persistence mechanisms involves abusing Login Items in macOS, other popular persistence tactics include abusing Launch Items, adding malware to scheduled tasks, or using cronjobs to execute tasks at some point in the future. The hijacking of dylibs was once one of the stealthiest persistence mechanisms, especially in binaries. For example, some 2012 variants of the OSX.FlashBack backdoor used malicious libraries injected at load time into a process via the DYLD_INSERT_LIBRARIES environment variable (i.e., at load time the dynamic loader examines the DYLD_INSERT_LIBRARIES variable and loads all specified libraries); others used the dylib hijacking technique of planting a malicious dylib for an application that tries to load dynamic libraries from multiple locations. However, Apple has long since improved security and reduced the number of use cases for abusing DYLD_INSERT_LIBRARIES.\r\nChallenges in Malware Analysis\r\nMost malware, regardless of the targeted platform, makes analysis difficult from the start by using anti-static-analysis methods, such as string-based obfuscation or code obfuscation and encryption. Scripts usually use obfuscation tools that randomize function and variable names and insert junk and useless code, while binaries make use of packers or encryption. macOS malware also commonly uses debugger detection tactics, making analysis a challenge for researchers. Such tactics include using the sysctl API to check whether the process is being debugged; calling the ptrace system call to prevent a debugger from attaching to the process; or even using built-in macOS commands to extract information about the machine.\r\nOn a Quest to Understand EvilQuest\r\nLet’s take a closer look at a mid-2020 OSX.EvilQuest ransomware sample and see how it implemented various anti-analysis methods to avoid virtual machines and debugging. Upon executing, OSX.EvilQuest first checked whether it was running in a virtual machine, in particular a sandboxed environment, in the is_virtual_mchn function starting at address 0x0000000100007BC0. OSX.EvilQuest performed this check by calling a sleep function and calling the time function before and after it; the difference between the two timestamps should equal the time the malware spent sleeping, but because sandboxes usually patch sleep functions to speed up analysis, the difference would not match and the malware would know it was running in a sandboxed environment. Before the malware tries to ensure its persistence — as a launch daemon or a launch agent, depending on the --noroot argument passed to the binary — it implements another two anti-analysis methods. The first one (is_debugging function starting at address 0000000100007AA0) checks whether the malware is being debugged, and the second one (prevent_trace function starting at address 0000000100007C20) prevents debugging using a ptrace call with the flag PT_DENY_ATTACH. Around the ptrace function call, OSX.EvilQuest uses different logic to make it more difficult for the analyst to spot the function call or to bypass the mechanism by patching the binary in the debugger.\r\nCrowdStrike Protection for macOS\r\nContinuous research into the trends and behavior of macOS malware is turned into expert input and knowledge that’s used to augment CrowdStrike’s automated detection capabilities and build better protection for customers. Identifying the file type; understanding the behavior, targets and potential persistence mechanisms of possible threats; and knowing the possible obstacles an analyst may encounter in analyzing potential malware are crucial for building a solution that provides comprehensive protection and visibility against threats.\r\nFig 3. CrowdStrike Falcon® detection for OSX.EvilQuest malware sample (sha256: 5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b) using cloud-based machine learning\r\nThe CrowdStrike Falcon® platform protects macOS workloads using machine learning and behavior-based indicators of attack (IOAs) to defend macOS systems against malware and sophisticated threats, while delivering complete visibility and context into attacks.\r\nIndicators of Compromise (IOCs)\r\nFile: SHA256\r\nOSX.EvilQuest: b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a; 5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b\r\nOSX.Shlayer: 852ff1b97c1155fc28b14f5633a17de02dcace17bdc5aadf42e2f60226479eaf\r\nOSX.Lador: 30ca6a13a85ac1ea7858e8163d9c08d8bbd8ed8bc6e97498b5b02d6de042b51e; 33ee40b89ee505bced8caaa4226223a0b9622b944e790fb5a704ffe6fce3eaa6\r\nOSX.XCSSET: a6141dfb0b6a242246d26afecfea00ed04dee24209f7d8d9bfef82042accd0f0; 6614978ab256f922d7b6dbd7cc15c6136819f4bcfb5a0fead480561f0df54ca6; ceb023a95b8ee954c31bc6aa47a8f1461e246fea939a57fc59bc4b457ccb61ff\r\nOSX.FlashBack: 8d56d09650ebc019209a788b2d2be7c7c8b865780eee53856bafceffaf71502c\r\nAdditional Resources\r\nLearn more about how CrowdStrike Falcon® extends protection for macOS here.\r\nDownload the CrowdStrike Falcon® for macOS data sheet here.\r\nLearn what others are saying about CrowdStrike — visit the CrowdStrike Industry Recognition and Technology Validation webpage.\r\nLearn about the powerful, cloud-native CrowdStrike Falcon® platform.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and see for yourself how true next-gen AV performs against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities/"
	],
	"report_names": [
		"how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities"
	],
	"threat_actors": [],
	"ts_created_at": 1775439019,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4ac568de7d92b73f9b8873c6da5d07f7a6e8f717.pdf",
		"text": "https://archive.orkl.eu/4ac568de7d92b73f9b8873c6da5d07f7a6e8f717.txt",
		"img": "https://archive.orkl.eu/4ac568de7d92b73f9b8873c6da5d07f7a6e8f717.jpg"
	}
}