Miró, Daniel Lastanao; Carrillo, Javier; Rodríguez, Ricardo J.
Characterizing Tactics, Techniques, and Procedures in the macOS Threat Landscape (Journal Article)
In: Computers & Security, vol. 162, pp. 104806, 2026, ISSN: 0167-4048.
Tags: macOS malware, Malware behavior, MITRE ATT&CK framework, Static and dynamic analysis
@article{Miro2026,
title = {Characterizing Tactics, Techniques, and Procedures in the macOS Threat Landscape},
author = {Daniel Lastanao Miró and Javier Carrillo and Ricardo J. Rodríguez},
url = {https://webdiis.unizar.es/~ricardo/files/papers/LastanaoCR-COSE-26.pdf},
doi = {10.1016/j.cose.2025.104806},
issn = {0167-4048},
year = {2026},
date = {2026-03-01},
journal = {Computers & Security},
volume = {162},
pages = {104806},
abstract = {As macOS systems increasingly become malware targets, understanding the tactics, techniques, and procedures (TTPs) used by adversaries is essential to improving defense strategies. This paper provides a systematic and detailed analysis of macOS malware using the MITRE ATT&CK framework, focusing on TTPs at key stages of the malware attack cycle. Leveraging a comprehensive dataset of 57,636 macOS malware samples collected between November 2006 and October 2024, we employ both static and dynamic analysis techniques to uncover patterns in adversary behavior. Our analysis, primarily based on static analysis techniques, offers a broad representation of macOS malware and highlights common characteristics across samples. While we only partially explore dynamic behaviors, we identify recurring patterns that align with specific TTPs in the MITRE ATT&CK framework, such as persistence and defense evasion. This mapping contributes to a more structured understanding of macOS threats and can help inform future detection and mitigation efforts.},
keywords = {macOS malware, Malware behavior, MITRE ATT&CK framework, Static and dynamic analysis},
pubstate = {published},
tppubtype = {article}
}
Raducu, Razvan; Villagrasa-Labrador, Alain; Rodríguez, Ricardo J.; Álvarez, Pedro
MALVADA: A Framework for Generating Datasets of Malware Execution Traces (Journal Article)
In: SoftwareX, vol. 30, pp. 102082, 2025, ISSN: 2352-7110.
Tags: Dataset generation, Execution traces, Malware behavior, Malware classification
@article{RaducuVRA-SoftwareX-25,
title = {MALVADA: A Framework for Generating Datasets of Malware Execution Traces},
author = {Razvan Raducu and Alain Villagrasa-Labrador and Ricardo J. Rodríguez and Pedro Álvarez},
url = {https://webdiis.unizar.es/~ricardo/files/papers/RaducuVRA-SoftwareX-25.pdf},
doi = {10.1016/j.softx.2025.102082},
issn = {2352-7110},
year = {2025},
date = {2025-05-01},
journal = {SoftwareX},
volume = {30},
pages = {102082},
abstract = {Malware attacks have been growing steadily in recent years, making more sophisticated detection methods necessary. These approaches typically rely on analyzing the behavior of malicious applications, for example by examining execution traces that capture their runtime behavior. However, many existing execution trace datasets are simplified, often resulting in the omission of relevant contextual information, which is essential to capture the full scope of a malware sample’s behavior. This paper introduces MALVADA, a flexible framework designed to generate extensive datasets of execution traces from Windows malware. These traces provide detailed insights into program behaviors and help malware analysts to classify a malware sample. MALVADA facilitates the creation of large datasets with minimal user effort, as demonstrated by the WinMET dataset, which includes execution traces from approximately 10,000 Windows malware samples.},
keywords = {Dataset generation, Execution traces, Malware behavior, Malware classification},
pubstate = {published},
tppubtype = {article}
}