Reversing macOS malware eBook Intro By Patrick Wardle

Attacks on the macOS platform are on the rise, but there’s a lack of material for those who want to learn about macOS malware analysis. SentinelOne is delighted to release this eBook to help security researchers learn about this increasingly important topic – Reversing Malware on macOS.

I’m strangely fascinated by malware. At a young age, tales of programs that could autonomously infect systems across the globe all the while stealthily avoiding detection seemed like the closest thing to “life” in cyberspace.

I craved more insight into these malicious creations, seeking answers to questions such as:

“How does malware infect computer systems?”
“To remain undetected, what stealth mechanism does the malware employ?”
“How can we generally detect such threats to ensure users remain protected?”

A job in the “Malicious Code Analysis” branch within the National Security Agency (NSA) gave me insight to many of these questions through the analysis of sophisticated “nation-state” malware designed to penetrate US government networks.

Since that time I’ve continually studied malware, though now I exclusively focus on specimens that target Apple’s macOS platform. And though malware continues to evolve, the methods used to analyze it remain largely the same. Analyzing Mac malware comes with a few unique challenges. First and foremost, the amount of malware that targets Cupertino’s desktop OS is far less than that which infects Microsoft PCs. This means fewer samples to analyze, limited analysis tools, and a smaller community of researchers publishing research or analysis on such threats.

These challenges inspired me to create the Mac security website “” and the World’s only Mac security conference, “Objective by the Sea.”

Both the site and conference seek to bring together knowledge and resources on Mac security topics such as Mac malware. The conference talks, website blogs, and comprehensive Mac malware collection are invaluable resources for both advanced Mac malware analysts and those that are just starting out.

However, one essential piece of the “malware analysis puzzle” was (until now!) missing. That piece, quite simply, was: where and how to begin malware analysis on the Mac platform?

Today, you’re reading an excellent resource that seeks to provide the foundations, knowledge, and tools needed for you to become a proficient Mac malware analyst. Starting with the (imperative) basics such as setting up a safe analysis environment, it will walk you towards more advanced topics.

Along the way, links to more in depth content and specialized tools will be provided for the more adventurous reader.

So read on to begin (or enhance) your Mac malware analysis journey!