The statistics that has already been collected by numerous antivirus vendors related to macOS threats, quite convincingly suggests that the stories about the great security of Apple operating systems is nothing more than a myth.

At the same time, the biggest argument against the great protection of both iOS and macOS are attacks on home users. Most malware types that target Apple devices are related to adware. infection is a good example of this type of malware.

Over the past years, security experts have spotted many campaigns whose authors have bet that owners of iPhones, MacBooks, and other Apple devices do not expect to face malware attacks designed specifically for Apple platforms.

Let’s take a look at the most interesting targeted attacks on iOS and macOS that took place in 2015 through 2019.


Right after the discovery of the Skygofree Android variant, antivirus experts found and analyzed a malicious implant for iOS created by the same group of criminals. This malware was found after analyzing the infrastructure of the initial Android Skygofree. Researchers found several configuration files (MobileConfig) for iOS. These files were used to register devices on the Apple MDM server.

Sofacy XAgent

Antivirus lab experts are closely monitoring the activity of one of the most professional cyber espionage groups called Sofacy. Among many other things, this group has XAgent in its arsenal. XAgent is a set of malware, united by a common code base. However, each malware gets individually modified to infect a specific target OS, including iOS and macOS. The latest detected malware samples designed for iOS date back to the beginning of 2015. This mean that cybercriminals may temporarily lost interest in iPhones and iPads.

Bahamut-related malware

When examining the Skygofree iOS malware, security experts tried to find other malicious campaigns that used the same data related to Apple MDM systems collected by the Intrepidus Group and used to compromise iOS devices. As a result, several hackers’ servers were found. Presumably they belong to the Bahamut group and are active since 2017.

Operation AppleJeus 

In the course of the investigation of the attack on one big cryptocurrency exchange site undertaken by the Lazarus group, researchers found that the attackers sent phishing emails to potential victims. Those messages contained a link to a malicious macOS crypto-trading application.

Manuscrypt and ThreatNeedle 

In 2018, antivirus vendors discovered the suspicious activity of Manuscrypt. This malware is exclusively used by the Lazarus group. The new samples were noticeably different from the previous campaigns. New samples got a new name: ThreatNeedle.


Shortly after DarkMatter reported about Windshift in August 2018, Kaspersky Lab started its own investigation into the activities of that group. A lot of new interested information was collected about the macOS malware called Windtail.

More macOS malware from the Lazarus group

Several months later after the AppleJeus operation, a new activity of the Lazarus group was detected. It showed similar symptoms: companies from the financial sector were hit and previously unknown malware for macOS was used during the attack.

New version of iOS malware by FinSpy 

A new version of the FinSpy iOS malware was discovered in the wild at the end of 2018. This implant was part of the FinSpy Mobile software provided by a well-known tracking software developer, which later disposed of all interests in FinFisher.


Targeted attacks on iOS and macOS users, mainly corporate ones, represent an extremely dangerous, but still relatively rare threat. Several well-known cybercriminal groups are creating malware for these operating systems. The likelihood of becoming the victim is small. However, if you work in a financial organization like a bank, and an iPhone or MacBook is your corporate device, then the chances of getting infected get significantly increased. They actually increase so much that it is not recommend to rely on the lack of demand for Apple devices, and attend to more reliable protection. Moreover, it is expected an increase in targeted attacks on iOS macOS in 2020 – 2021.