The 9to5Mac Security Bulletin is exclusively presented by Mosyle, the only Apple Unified Platform.


Every year, the popular Apple device management platform Jamf publishes the Security 360: Annual Trends Report, providing a broad overview of the macOS threat landscape faced by businesses and users. The analysis uses anonymized real-world data collected from over 1.4 million Macs in 90 countries with Jamf software installed.

Now, Jamf has released its latest version using data covering the previous 12 months in 2025. The report offers many remarkable insights observed among its customers, the most interesting being the complete dominance of trojan malware. This has surpassed even the top-tier information stealers, which have increased by more than 33% since Jamf's 2024 outlook.

Main Findings

  • 50% of all malware affecting Macs were trojans, an increase of over 33% since 2024
  • 44% of devices using Jamf had malicious network traffic
  • 41% of devices had critically outdated operating systems
  • 73% of devices had at least one vulnerable application installed

Trojans Exploded, Outpacing Information Stealers

Let's start with the biggest finding in Jamf's latest 360 report: trojans. This particular type of malware rose from 16.61% of total detections among Jamf customers in 2024 to 50.32%; this represents an increase of over 33%.

The dominant trojan, Atomic Stealer (also known as AMOS), accounted for 77.08% of all trojan activity. No other trojan malware came close to this. And the most dominant information stealer? Again, Atomic Stealer at 78.49%. The same malware family topping both categories is certainly wild and not coincidental. More information stealers are using trojan backdoors for persistence, which greatly increases the trojan detection numbers.

Jamf states, "Information stealers are often the first stage of larger attacks. They can hold data for ransom or use it to infiltrate other accounts and systems. These features make information stealers a hot commodity for attackers, which is why many developers offer them as a service. Modern information stealers can establish a backdoor and persistence that allows them to survive reboots and logouts, enabling attackers to send commands from C2."

To be clear, while all information stealers technically disguise themselves as trojans that infiltrate victims' Macs, not all trojans are information stealers. Many trojans aim to maintain persistence for months to establish a backdoor connection for file exfiltration, download additional malicious code, or encrypt local files in a more corporate environment (ransomware).

However, Atomic Stealer certainly blurs the lines between the two and shows no signs of slowing down.

Top malware trends from Jamf's Security 360: Annual Trends Report.

Adware and PUAs Nearly Disappeared

When I addressed adware in the Jamf 360 report for 2024, adware accounted for 28% of all malware detections. In 2025, this rate has dropped to just 5.06%. In fact, general PUAs (Potentially Unwanted Applications) fell from 15.06% to 4.84%.

Adware was neck and neck with information stealers; now it has become a footnote...

This is another sign that the malware economy continues to shift towards more data theft.

Noteworthy New Malware

Finally, the report also highlights several new Mac malware families discovered by Jamf Threat Labs last year.

In November of last year, DigitStealer was discovered: a JXA-based information stealer with no detections at all on VirusTotal. Jamf found that it used some advanced anti-analysis techniques, including hardware detection that restricts execution to Apple Silicon M2 chips or newer.

According to Jamf, "The malware performs four in-memory payloads that steal browser data, cryptocurrency wallets, and credentials, trojanizing Ledger Live by combining three separate components and providing persistence via a dynamic backdoor."

More recently than DigitStealer, MacSync Stealer has evolved from the desperate terminal drag-and-drop social engineering tricks we have seen and is now being distributed via code-signed and notarized Swift applications. From there, it can execute payloads without any alerts to the user or Terminal interaction.

Jamf states, "This shift towards signed and notarized delivery reflects a broader trend of attackers attempting to evade detection by disguising malicious code as legitimate applications and bypassing macOS security checks."

You can view the full Jamf Security 360: Annual Trends Report here.