
Each year, Jamf—the popular Apple device management platform—releases its Security 360: Annual Trends Report, which gives a broad outlook of the macOS threat landscape currently facing businesses and users. The analysis uses anonymized real-world data collected from over 1.4 million Macs across 90 countries with Jamf software installed.
Now, Jamf is out with its latest edition, which uses data spanning the prior 12 months in 2025. The report offers many notable insights into what it’s seeing among customers, most interestingly the complete dominance of trojan malware, which even topped infostealers and increased over 33% since Jamf’s 2024 outlook.
- 50% of all malware affecting Mac were trojans, up over 33% since 2024
- 44% of devices using Jamf had malicious network traffic
- 41% of devices have critically out-of-date operating systems
- 73% of devices have at least one vulnerable app installed
Let’s start with the biggest finding from Jamf’s latest 360 report: trojans. This particular type of malware went from 16.61% of total detections among Jamf customers in 2024 to 50.32% in 2025, a huge jump of over 33 percentage points.
The dominant trojan, Atomic Stealer (also called AMOS), accounted for 77.08% of all trojan activity. No other trojan malware was even close. And the dominant infostealer? Again, Atomic Stealer at 78.49%. The same malware family sitting at the top of both categories is absolutely wild, and not a coincidence. More and more infostealers use trojan backdoors for persistence, which is heavily inflating the trojan detection numbers.
“Infostealers are often the first stage in larger attacks,” Jamf states. “They can hold data for ransom or use it to infiltrate other accounts and systems. These features make infostealers a hot commodity for attackers, so many developers offer them as a service. Modern infostealers may establish a backdoor and persistence, allowing them to survive reboots and logouts and letting attackers send commands from C2.”
To be clear, while all infostealers technically act as trojans by disguising themselves to sneak onto victims’ Macs, not all trojans are infostealers. Many trojans attempt persistence for months, hiding in the background and establishing a backdoor connection for file exfiltration, downloading additional malicious code, or, more likely in an enterprise environment, encrypting local files (ransomware).
That said, Atomic Stealer is certainly blurring the lines between the two and shows no signs of slowing.

When I covered adware detections in 2024’s Jamf 360 report, adware was sitting at 28% of all malware detections. In 2025, it cratered to just 5.06%. In fact, overall PUAs (Potentially Unwanted Applications) dropped from 15.06% to 4.84%.
Adware used to be neck and neck with infostealers; now it’s a footnote…
This is another indication that the malware economy is continuing to shift more toward data theft over ad revenue.
Lastly, the report also highlights several new Mac malware families discovered by Jamf Threat Labs over the past year that are worth pointing out here.
Around November last year, DigitStealer was uncovered as a JXA-based infostealer completely undetected on VirusTotal. Jamf found that it uses some advanced anti-analysis techniques, including hardware detection that restricts execution to Apple Silicon M2 chips or newer.
“The malware deploys four memory-resident payloads that steal browser data, cryptocurrency wallets, and credentials, trojanizes Ledger Live by merging three separate components to evade detection and establishes persistence through a dynamic backdoor,” according to Jamf.
Even more recent than DigitStealer, MacSync Stealer was found to have evolved beyond the desperate drag-to-Terminal social engineering tricks we’ve been seeing and now deploys through code-signed and notarized Swift applications. From there, it can execute payloads without Terminal intervention or even a warning to the user.
“This shift toward signed and notarized delivery reflects a broader trend where attackers disguise malicious code as legitimate applications to evade detection and bypass macOS security controls,” says Jamf.
You can see the entirety of Jamf’s Security 360: Annual Trends Report here.
Follow Arin Waichulis: LinkedIn, Threads, X




