Published: Sep 2, 2025


Windows users, beware: 7× more malware than macOS

Malware remains one of the main ways criminals steal money or data from people and companies. So far in 2025, Surfshark Antivirus has recorded 479K malware cases. Of these, 87% (419K) were on Windows, and the remaining 13% (60K) were on macOS. Since Windows holds 71% of the market share, attackers focus their efforts on the platform that offers the biggest catch.

Key insights

  • In 2025, Surfshark Antivirus recorded 419K malware detections on Windows (87.4% of the total), compared to just 60K detections on macOS (12.6%). This means that malware cases on Windows were nearly seven times higher than on macOS. While part of this difference reflects Windows’ larger footprint in both enterprise and home environments, it also highlights how attackers focus their efforts on platforms that offer the greatest potential impact. It also shows that macOS is not malware-proof, contrary to what is commonly thought¹: it, too, is susceptible to malware.
  • Historically, the most popular operating system (OS) for desktop computers has been Windows, although its market share gradually declined from 77% in 2020 to 71% in 2025. The second most popular OS is macOS, with a relatively stable worldwide market share of around 15% since 2024. When looking at specific countries' desktop OS market share: in the US, Windows holds 65% and macOS 23%; in the UK, Windows 65% and macOS 26%; in Germany, Windows 70% and macOS 21%; in France, Windows 72% and macOS 16%; in Spain, Windows 72% and macOS 13%; and in South Korea, Windows 85% and macOS 6%.²
  • Of the malware detected on macOS, viruses accounted for the largest share at 28%, followed by trojans at 26%, riskware at 15%, adware at 8%, exploits at 7%, and the remaining 16% falling into other miscellaneous categories. A virus is code that attaches to applications and spreads when the app is run. Trojans disguise themselves as legitimate programs but perform harmful actions or download more malware. Riskware is legitimate software that can be misused to compromise system security. Adware displays unwanted ads and is often bundled with free downloads. Exploits take advantage of software vulnerabilities to infect systems or install other threats.³
  • Windows has a major weakness when it comes to PowerShell scripts, as malware frequently exploits this vector to carry out malicious actions. This trend is reflected in the data: PS1 (PowerShell script) malware was the most common in 2025, accounting for 22% of identified malware, followed by trojans at 21%, viruses at 17%, heuristic detections (HEUR) at 14%, and potentially unwanted applications (PUA) at 11%. HEUR refers to generic or preliminary detections, often spotting unknown threats based on suspicious behavior, while PUAs are usually legitimate applications that try to use social engineering to make you install additional offers during the installation of the software you originally wanted.³ Other types of malware made up the remaining 15%.
  • An important factor in defending against malware, regardless of platform, is maintaining up-to-date software. Both Apple and Microsoft regularly release security updates for their operating systems (macOS and Windows, respectively) to address emerging vulnerabilities and threats. For example, as noted in the malware categories above, 7% of detected threats on macOS in 2025 were classified as exploits, which are specifically designed to take advantage of unpatched system flaws. Similarly, when a new update is released, hackers often rush to deploy attacks against users who have yet to patch their systems.
  • Looking at month-by-month data for Windows, July stood out with more than double the average number of threats detected compared to previous months. There were 100K detections in July, while the monthly average was 47K. This surge was primarily driven by PowerShell-related malware, which accounted for 52K detections in July alone. One reason why this surge occurred might be that PowerShell was a key tool in the exploitation of SharePoint vulnerabilities in July 2025. Threat actors used it to deliver web shells for credential theft and to load ransomware payloads by exploiting remote code execution flaws in SharePoint.⁴ April and May also saw spikes in PS1 activity, with 13K and 23K detections, respectively, though to a lesser extent. macOS didn’t have such outliers in the data. While monthly totals for each malware type fluctuated, including a moderate rise in trojans during May, no single month stood out with a dramatic spike in detections.

Methodology and sources

Data was collected anonymously from Surfshark Antivirus, covering the period from January 1 to August 24, 2025. We analyzed common threats targeting both Microsoft Windows and Apple macOS, identifying which types of malware were most prevalent on each platform. Additionally, we examined month-by-month trends in malware detections to identify periods of increased activity.

For the complete research material behind this study, visit here.

References:

¹ Apple Insider. What a new threat report says about Mac malware in 2024.
² Statcounter. Desktop Operating System Market Share Worldwide.
³ Surfshark. Different malware types.
⁴ Unit 42. Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief.