Amphithéâtre Gaston Berger
macOS has long been perceived as a low-risk platform, often treated as a secondary concern compared to Windows and Linux. That assumption no longer holds. As MacBooks become increasingly common in corporate environments, adversaries have followed, turning macOS into a viable and attractive target for real-world attacks.

This talk presents a practical, research-driven analysis of the recent evolution of macOS malware. Through hands-on experiments and real techniques, it explores how modern threats achieve execution, fileless operation, persistence, and evasion by abusing native macOS components.

As organizations continue to expand their macOS footprint, security strategies often lag behind. Many defensive teams remain heavily focused on Windows and Linux, leaving macOS environments under-monitored, under-tested, and misunderstood.

In this talk, I will share my journey researching and developing macOS malware from an adversarial perspective. The session focuses on how attackers leverage legitimate macOS mechanisms to achieve:

- Initial execution and in-memory (fileless) techniques
- Persistence through native system components
- Evasion of endpoint security and detection tools

Each technique is demonstrated using real experiments, with analysis of macOS internals and the behavior of commonly deployed security solutions. Rather than theoretical concepts, the talk emphasizes how these attacks work in practice, and why many defenses fail to stop them.

The presentation also addresses a persistent myth, especially common in the Brazilian security community, that macOS is inherently safer or “immune” to malware. By examining real attack paths and defensive gaps, the session highlights the urgent need for improved detection strategies, visibility, and threat modeling on macOS.

Attendees will learn:

- How modern malware abuses internal macOS mechanisms
- Real-world persistence techniques observed in active threats
- How security tools react, or fail, when faced with these attacks
- Practical mitigation strategies to reduce exposure and improve detection

This talk is intended for defenders, red teamers, malware researchers, and anyone interested in understanding how adversaries are actively adapting to the macOS ecosystem.