Miró, Daniel Lastanao; Carrillo, Javier; Rodríguez, Ricardo J.
Characterizing Tactics, Techniques, and Procedures in the macOS Threat Landscape (Journal Article)
In: Computers & Security, vol. 162, pp. 104806, 2026, ISSN: 0167-4048.
Tags: macOS malware, Malware behavior, MITRE ATT&CK framework, Static and dynamic analysis
@article{Miro2026,
title = {Characterizing Tactics, Techniques, and Procedures in the macOS Threat Landscape},
author = {Daniel Lastanao Miró and Javier Carrillo and Ricardo J. Rodríguez},
url = {https://webdiis.unizar.es/~ricardo/files/papers/LastanaoCR-COSE-26.pdf},
doi = {10.1016/j.cose.2025.104806},
issn = {0167-4048},
year = {2026},
date = {2026-03-01},
journal = {Computers & Security},
volume = {162},
pages = {104806},
abstract = {As macOS systems increasingly become malware targets, understanding the tactics, techniques, and procedures (TTPs) used by adversaries is essential to improving defense strategies. This paper provides a systematic and detailed analysis of macOS malware using the MITRE ATT&CK framework, focusing on TTPs at key stages of the malware attack cycle. Leveraging a comprehensive dataset of 57,636 macOS malware samples collected between November 2006 and October 2024, we employ both static and dynamic analysis techniques to uncover patterns in adversary behavior. Our analysis, primarily based on static analysis techniques, offers a broad representation of macOS malware and highlights common characteristics across samples. While we only partially explore dynamic behaviors, we identify recurring patterns that align with specific TTPs in the MITRE ATT&CK framework, such as persistence and defense evasion. This mapping contributes to a more structured understanding of macOS threats and can help inform future detection and mitigation efforts.},
keywords = {macOS malware, Malware behavior, MITRE ATT&CK framework, Static and dynamic analysis},
pubstate = {published},
tppubtype = {article}
}