Common Windows Malware Can Now Infect Macs

A common form of malware on Windows systems has been modified into a new strain called "XLoader" that can also target macOS (via Bleeping Computer).

macOS Malware Feature
Derived from the Formbook info-stealer for Windows, XLoader is a form of cross-platform malware advertised as a botnet with no dependencies. It is used to steal login credentials, capture screenshots, log keystrokes, and execute malicious files. The malware was discovered by security researchers at Check Point Software.

A server hosting the macOS version of XLoader is available to bad actors on the dark web for $49 per month. Check Point tracked XLoader for a six-month period, seeing requests from 69 countries, indicating significant use across the world. More than half of all victims were based in the United States.

Formbook continues to be a prevalent threat, being part of over 1,000 malware campaigns in the last three years, and XLoader is expected to have even wider use given its cross-platform capability and greater level of sophistication.

Head of Cyber Research at Check Point, Yaniv Balmas, said that macOS's growing popularity has exposed it to increasing attention from cybercriminals, who see the platform as a worthwhile target.

While there might be a gap between Windows and macOS malware, the gap is slowly closing over time. The truth is that macOS malware is becoming bigger and more dangerous.

According to Check Point, XLoader is stealthy enough for it to remain hidden to most users. It is possible to check for its presence by using macOS's Autorun to check the username in the OS and look into the LaunchAgents folder, where entries with suspicious filenames should be deleted.

Tag: Malware

Popular Stories

iPhone 17 Pro and Air Feature

Two iPhone 17 Pro and iPhone Air Colors Appear to Scratch More Easily

Friday September 19, 2025 10:02 am PDT by
As reported by Bloomberg today, some of the new iPhone 17 Pro and iPhone Air models on display at Apple Stores today are already scratched and scuffed. French blog Consomac also reported on this topic. The scratches appear to be most prominent on models with darker finishes, including the iPhone 17 Pro and Pro Max in Deep Blue, and the iPhone Air in Space Black. Images Credit: Consoma ...
Apple Foldable Thumb

Foldable iPhone Like 'Two Titanium iPhone Airs' Joined at the Hinge

Monday September 22, 2025 2:16 am PDT by
Next year's rumored foldable iPhone will showcase an ultra-thin design resembling "two titanium iPhone Airs side-by-side," according to Bloomberg's Mark Gurman. Writing in the Q&A section of his latest Power On newsletter, Gurman says Apple's first foldable device will be "super thin and a design achievement," combining Apple's thinnest iPhone form factor with cutting-edge folding...
iOS 26

Everything New in iOS 26.1 Beta 1

Monday September 22, 2025 12:44 pm PDT by
Apple released the first beta of iOS 26.1 today, just a week after launching iOS 26. iOS 26.1 mainly adds new languages to Apple Intelligence, but there are a few other features that are worth knowing about. New Apple Intelligence Languages Apple Intelligence is now available in Danish, Dutch, Norwegian, Portuguese (Portugal), Swedish, Turkish, Chinese (Traditional), and Vietnamese. AirPo...
iOS 26

iOS 26.0.1 Coming Soon, Likely With iPhone Air and iPhone 17 Pro Fix

Thursday September 18, 2025 9:17 am PDT by
Apple is preparing to release iOS 26.0.1, according to a private account on X with a proven track record of sharing information about future iOS versions. The update will have a build number of 23A350, or similar, the account said. It is likely that iOS 26.0.1 will fix a camera-related bug on the new iPhone Air and iPhone 17 Pro models. In his iPhone Air review, CNN Underscored's Henry T. ...
iPhone 17 Pro Colors

iPhone 17 Pro Max Teardown Reveals Qualcomm's Snapdragon X80 Modem for 5G

Friday September 19, 2025 7:39 am PDT by
While the iPhone Air is equipped with Apple's custom C1X modem for cellular connectivity, all of the iPhone 17 models are outfitted with Qualcomm modems still. A teardown video shared on Chinese platform Bilibili today (via Reddit) appears to confirm the iPhone 17 Pro Max is equipped with Qualcomm's Snapdragon X80 modem in particular. The same modem is likely used in the iPhone 17 and iPhone ...
iPhone 17 Pro and Air N1 Feature

Some iPhone 17, iPhone 17 Pro, and iPhone Air Users Experiencing Intermittent Wi-Fi Issue

Monday September 22, 2025 8:44 am PDT by
Apple's latest iPhone models launched on Friday, and some early adopters of the devices are experiencing intermittent Wi-Fi issues. Affected customers say Wi-Fi connectivity periodically cuts out on the iPhone 17, iPhone 17 Pro, iPhone 17 Pro Max, and iPhone Air, with hundreds of comments about the issue posted across the MacRumors Forums, Reddit, and the Apple Support Community over the...

Top Rated Comments

Sciomar Avatar
55 months ago

No matter what these Mac’s are protected. Let’s be real here.
I know we should all know this but for everyone in the room, Mac's have always been able to get a virus. They were such a small subset of the computing world the payoff wasn't huge. Things have changed with the more mainstream adoption of Macs and now it's open season for the bad guys.
Score: 33 Votes (Like | Disagree)
npmacuser5 Avatar
55 months ago
How does one get this malware? Important to know one has it but how did one get it just as important.
Score: 24 Votes (Like | Disagree)
skitidetdu Avatar
55 months ago

It is possible to check for its presence by using macOS's Autorun to check the username in the OS and look into the LaunchAgents folder, where entries with suspicious filenames should be deleted.
Can somebody explain what this means?

Edit: found a LaunchAgents folder in the library. Don't understand what AutoRun is
Score: 23 Votes (Like | Disagree)
urgs Avatar
55 months ago

Infection path would be good information.

Also, I generally find LittleSnitch to be a great defense against this kind of thing (as long as the virus doesn't disable it). It may still exist, but you can identify it by network access.

Can somebody explain what this means?

Edit: found a LaunchAgents folder in the library. Don't understand what AutoRun isFound something at 9to5mac
Found something at 9to5mac

1. Go to /Users/[username]/Library/LaunchAgents directory
2. Check for suspicious filenames in this directory (example below is a random name)

/Users/user/Library/LaunchAgents/com.wznlVRt83Jsd.HPyT0b4Hwxh.plist

if there is a file named like above, it's very likely you have been infected
Score: 22 Votes (Like | Disagree)
Blackstick Avatar
55 months ago
So XProtect gets new definitions and this becomes a non-issue...
Score: 13 Votes (Like | Disagree)
TheYayAreaLiving ?️ Avatar
55 months ago
No matter what these Mac’s are protected. Let’s be real here.

When was the last time you encountered your Mac got a virus?
Score: 13 Votes (Like | Disagree)