Java applets have increasingly been used as a vector to deliver drive-by download attacks that bypass the sandboxing mechanisms of the browser’s Java Virtual Machine and compromise the user’s environment. Unfortunately, the research community has not given this problem the attention it deserves, and, as a consequence, the state-of-the-art approaches to the detection of malicious Java applets are based either on simple signatures or on the use of honeyclients, both of which are easily evaded. Therefore, we propose a novel approach to the detection of malicious Java applets based on static code analysis. Our approach extracts a number of features from Java applets, and then uses supervised machine learning to produce a classifier. We implemented our approach in a tool, called Jarhead, and we tested its effectiveness on a large, real-world dataset. The results of the evaluation show that, given a sufficiently large training dataset, this approach is able to reliably detect both known and previously-unseen real-world malicious applets.