Skip Navigation
BlackBerry Blog

Cyberattacks Targeting macOS vs Windows

There’s a longstanding notion that when it comes to cyberthreats, macOS® is somehow “safer” than Microsoft® Windows®. However, while that may once have been the case, today’s threat actors are no longer so discerning. Simply put, Macs are not a haven from cybercrime.

What Has Changed?

Windows has been the operating system (OS) of choice among enterprise organizations for decades, generating a wide breadth of available documentation for developers, and a vast and largely homogenous global software community for threat actors to target. In comparison, macOS is a comparative latecomer to the enterprise market. However, we continue to see the alternative OS making inroads into corporate environments. As the installed base of Macs within the enterprise grows, so does the risk and reward of targeting the Mac-centric user population.

Malware can be written to target a single OS, or many, and no platform is free of vulnerabilities for a determined threat actor to exploit. Security and IT leaders have the difficult task of weighing the risks and benefits and deciding on the best course of action for their organization. However, BlackBerry’s proactive cybersecurity philosophy is this: “To be forewarned of a threat is to be forearmed.” This article shares our recent research around key cyberthreats targeting macOS and Windows environments, highlighted by the BlackBerry team in our recent Global Threat Intelligence Report.

Our report analyzed malware-based attacks that occurred between Sept. 1 and Nov. 30, 2022. During that period, BlackBerry® endpoint security solutions powered by Cylance® AI stopped 1,757,248 cyberattacks. Our Threat Research & Intelligence team analyzed that data alongside various sources of cyber threat intelligence (CTI) to produce a guide that would help enterprises improve their security posture across both platforms.

Cyber Threats Against Windows

Let’s begin our exploration of this topic by looking at some of the most prevalent cyberthreats against Windows-based operating systems and devices.

Windows Downloaders

Downloaders lure victims to open files that in turn, download malware. The files frequently pose as legitimate digital documents or executables. Common downloaders targeting Windows include the following:

  • Emotet is one of the most prolific threats in current use. After a short break in activity in 2020, following efforts by law enforcement agencies worldwide to shutter its operations, Emotet reemerged with a phishing campaign to distribute malicious Microsoft® Office documents. These documents attempt to persuade a victim to copy them into an official Microsoft directory, where macros are automatically executed without asking for the user’s permission.

  • Qakbot (aka Qbot) is a polymorphic malware usually delivered through phishing techniques, using a lure email. The lure typically contains a LNK hyperlink that redirects to a malicious webpage containing a password-protected ZIP file that unpacks an ISO file. The LNK file executes JavaScript code that, in turn, executes Qakbot. An interesting Qakbot feature is its use of existing email threads as a means of propagation. Its ability to “reply to” recipients can make intended victims think that the link or attachment in the existing email thread is being sent from a trusted source.

  • GuLoader is frequently used to download and execute infostealers such as RedLine and Raccoon. It commonly abuses cloud-based services such as Google Cloud™ and OneDrive® to host its payloads; however, the BlackBerry Threat Research Team has also detected GuLoader using malicious Telegram messaging bots.

Infostealer Attacks Targeting Windows

With the post-pandemic rise of remote and hybrid work, the need for remote authorization to access internal networks has become widespread. Threat actors see this as an opportunity, often leveraging infostealers to purloin corporate credentials, either to gain illicit access to the networks directly, or to sell access on the black market. In the latter scenario, those stolen credentials may be distributed by initial access brokers (IABs) or used by ransomware-as-a-service (RaaS) affiliates to compromise a victim’s network and deploy ransomware. Common infostealers observed include the following:

  • Redline infostealer is the most active and widespread infostealer encountered during the observation period used for the most recent BlackBerry Global Threat Intelligence Report. The malware is capable of stealing credentials from numerous targets, including browsers, crypto wallets, FTP sites, and virtual private network (VPN) software.

  • Raccoon infostealer functions as a malware-as-a-service (MaaS) offering, enabling aspiring cybercriminals to “rent” its powerful features for as little as $100 a month. Raccoon can steal credentials from crypto wallets, browser extensions, Discord, and Telegram. It can also take screenshots and act as a loader to launch additional payloads.

RATs Targeting Windows

Remote Access Trojans (RATs) can log keystrokes, access the user’s webcam, steal browser credentials, and provide attackers with a remote command-line program that can execute shell commands on the infected device, as well as on other computers in the infected network. RATs observed during the reporting period analyzed by BlackBerry include the following:

  • njRAT has been deployed by financially motivated threat actors, as well as in more targeted attacks typically associated with cyber espionage and nation-state information gathering. Its builder program is widely available, making it easy for threat actors to adapt it to any desired attack model. It is most commonly associated with threat actors operating in the Middle East.

  • FlawedAmmyy is based on leaked source code for the legitimate remote access tool Ammyy Admin, which is used by both businesses and consumers to handle remote control and diagnostics on Windows machines. While FlawedAmmyy was primarily attributed to cybercrime group TA505 (known for performing ransomware operations through its Cl0p ransomware), it is now used by multiple cybercrime threat actors.

File Infectors Targeting Windows

File infectors work by infecting executable files and can spread via network shares or removable devices.

  • The Neshta file infector was first observed in 2003 and has previously been associated with BlackPOS malware, used to scrape credit card data from point-of-sale (POS) systems. BlackPOS was highly prevalent in attacks against the consumer goods, energy, finance, and manufacturing industries in 2018.

Cyber Threats Targeting macOS

Now let’s look at some of the most common types of cyberattacks against macOS right now.

Adware and Spyware That Have MacOS in Their Sights

Adware and spyware are by far the most widely seen cyberthreats impacting machines running macOS. These applications masquerade as legitimate software to take advantage of the user. Unlike threats that are placed on computers via a stealthy infection campaign, users often install adware and spyware themselves because they believe them to be legitimate applications.

A recent study by the BlackBerry Threat Research & Intelligence Team identifies the malicious application Dock2Master as the most frequently observed threat to macOS environments for the period studied. Dock2Master surreptitiously injects ads directly into webpages. Once someone visits one of these webpages, Dock2Master collects their personal and system data to sell on the black market. BlackBerry researchers discovered that 34% of client organizations that use macOS had Dock2Master on their networks, where it was found on 26% of their devices.

Browser Hijackers Continue Targeting macOS

While browser hijackers are not as common today as they were in the early 2000s, malicious actors are still deploying them. The most noticeable effect of a browser hijack is the user’s default search engine changing without consent. Browser hijackers also may monetize the installation of the malicious browser by stealing personal information stored in browsers and injecting paid ads into displayed web pages. In the Global Threat Intelligence Report, BlackBerry researchers detailed activity by browser hijackers such as OriginalModule, and SearchInstaller, which uses InstallCore to target multiple platforms.

Trojans Targeting macOS

Proxy malware is a type of Trojan that turns an infected system into a proxy server, allowing an attacker to remotely execute actions on the victim’s machine without consent. This typically turns the host computer into part of a botnet, from which an attacker can carry out attacks on additional targets. Proxy malware often supports fewer functions than other malware types, and this helps it to target a larger range of victims because fewer libraries are required. The GoLang programming language is used heavily in this class of malware, as its support for proxy libraries like Proxit makes development easy for novice cybercriminals.

Most proxy malware samples observed are proxy agents, which can attack browsers running on multiple platforms. Proxy agents represent another type of danger, as some variants are made with RAT-like capabilities, such as the ability to run local commands on infected machines.


The period analyzed by the BlackBerry threat researcher team for its quarterly threat report (and 2022 in general) revealed significant cybersecurity trends that are likely to continue throughout 2023 and beyond.

The most important takeaway is that no platform is “safe.” While Windows is still the most prevalent — and thus, the most attacked — OS, its users may be somewhat better prepared to face a malware attack than users of other OSes, who may still harbor the belief that they are at lower risk from cyberattacks. However, BlackBerry telemetry data shows that macOS, Linux®, and mobile users are also frequently attacked: No platform is immune.

Defending your organization against malware and cyberattacks requires in-depth knowledge of how and why threat actors are targeting your industry and environment, the tools that they use, and their possible motivations. This detailed knowledge provides contextual, anticipative, and actionable cyber threat intelligence that can reduce the impact of threats to your organization.

For similar articles and news delivered straight to your inbox, subscribe to the BlackBerry blog.

David Steinberg-Zwirek

About David Steinberg-Zwirek

David Steinberg-Zwirek is an Editorial Intern at BlackBerry.

Natasha Rohner

About Natasha Rohner

Principal Threat Research Publisher, BlackBerry

Natasha Rohner is Principal Threat Research Publisher of the BlackBerry Blog, BlackBerry’s cybersecurity publication.

As an internationally published author, writer, and editor, Natasha has 25 years of experience in both traditional and digital publishing. An avid science fiction fan, she's published 8 novels for large media companies such as Rebellion and New Line Cinema, including the official book adaptations of Hollywood movie franchises such as Blade, Final Destination, and Nightmare on Elm Street. Her original horror trilogy Dante’s Girl was published by Solaris, a division of gaming giant Games Workshop.

Natasha’s books have been translated into 9 languages including French, Polish, and Italian, and she's appeared as a guest speaker on author panels at Comic-Con in California. She has a BA Honors degree in Film Production from the University of Wales that she has literally never used.