Common Windows Malware Can Now Infect Macs - MacRumors
Skip to Content

Common Windows Malware Can Now Infect Macs

A common form of malware on Windows systems has been modified into a new strain called "XLoader" that can also target macOS (via Bleeping Computer).

macOS Malware Feature
Derived from the Formbook info-stealer for Windows, XLoader is a form of cross-platform malware advertised as a botnet with no dependencies. It is used to steal login credentials, capture screenshots, log keystrokes, and execute malicious files. The malware was discovered by security researchers at Check Point Software.

A server hosting the macOS version of XLoader is available to bad actors on the dark web for $49 per month. Check Point tracked XLoader for a six-month period, seeing requests from 69 countries, indicating significant use across the world. More than half of all victims were based in the United States.

Formbook continues to be a prevalent threat, being part of over 1,000 malware campaigns in the last three years, and XLoader is expected to have even wider use given its cross-platform capability and greater level of sophistication.

Head of Cyber Research at Check Point, Yaniv Balmas, said that macOS's growing popularity has exposed it to increasing attention from cybercriminals, who see the platform as a worthwhile target.

While there might be a gap between Windows and macOS malware, the gap is slowly closing over time. The truth is that macOS malware is becoming bigger and more dangerous.

According to Check Point, XLoader is stealthy enough for it to remain hidden to most users. It is possible to check for its presence by using macOS's Autorun to check the username in the OS and look into the LaunchAgents folder, where entries with suspicious filenames should be deleted.

Tag: Malware

Popular Stories

iphone 16e usb c feature

Apple Begins Selling a $419 iPhone

Monday July 6, 2026 6:29 am PDT by
Apple recently added the iPhone 16e to its refurbished store, with U.S. pricing starting as low as $419 for a model with 128GB of storage. Originally released in February 2025, the iPhone 16e is a lower-end device with a 6.1-inch OLED display, an A18 chip with 8GB of RAM for Apple Intelligence support, a single 48-megapixel rear camera, a 12-megapixel front camera, a USB-C port, an Action...
Apple TV Thumb 3

Everything Coming in the 2026 Apple TV 4K

Wednesday July 8, 2026 4:51 pm PDT by
The Apple TV 4K hasn't been updated since 2022, and it's due for a refresh. An update is planned for 2026, but Apple is likely going to wait to launch it after Siri AI launches in iOS 27. Design Apple TV design updates don't happen often, and that's not changing. The next Apple TV is going to have the same squircle shape as the current model, and it'll continue to be made from a black...
iphone 17 pro black feature

iPhone 18 Pro Battery Capacities Revealed by Regulatory Filings

Monday July 6, 2026 5:41 am PDT by
New Chinese regulatory certification filings appear to confirm the battery capacities of Apple's upcoming iPhone 18 Pro and iPhone 18 Pro Max models. According to new filings in China's C3 database, spotted by the leaker known as "Digital Chat Station" on Weibo, the iPhone 18 Pro is seemingly rated for 4,056mAh in China and 4,288mAh in the U.S., up modestly from the iPhone 17 Pro's 3,988mAh...

Top Rated Comments

65 months ago

No matter what these Mac’s are protected. Let’s be real here.
I know we should all know this but for everyone in the room, Mac's have always been able to get a virus. They were such a small subset of the computing world the payoff wasn't huge. Things have changed with the more mainstream adoption of Macs and now it's open season for the bad guys.
Score: 33 Votes (Like | Disagree)
npmacuser5 Avatar
65 months ago
How does one get this malware? Important to know one has it but how did one get it just as important.
Score: 24 Votes (Like | Disagree)
skitidetdu Avatar
65 months ago

It is possible to check for its presence by using macOS's Autorun to check the username in the OS and look into the LaunchAgents folder, where entries with suspicious filenames should be deleted.
Can somebody explain what this means?

Edit: found a LaunchAgents folder in the library. Don't understand what AutoRun is
Score: 23 Votes (Like | Disagree)
65 months ago

Infection path would be good information.

Also, I generally find LittleSnitch to be a great defense against this kind of thing (as long as the virus doesn't disable it). It may still exist, but you can identify it by network access.

Can somebody explain what this means?

Edit: found a LaunchAgents folder in the library. Don't understand what AutoRun isFound something at 9to5mac
Found something at 9to5mac

1. Go to /Users/[username]/Library/LaunchAgents directory
2. Check for suspicious filenames in this directory (example below is a random name)

/Users/user/Library/LaunchAgents/com.wznlVRt83Jsd.HPyT0b4Hwxh.plist

if there is a file named like above, it's very likely you have been infected
Score: 22 Votes (Like | Disagree)
TheYayAreaLiving 🎗️ Avatar
65 months ago
No matter what these Mac’s are protected. Let’s be real here.

When was the last time you encountered your Mac got a virus?
Score: 13 Votes (Like | Disagree)
Blackstick Avatar
65 months ago
So XProtect gets new definitions and this becomes a non-issue...
Score: 13 Votes (Like | Disagree)