Shlayer
Shlayer is a macOS malware family and trojan/downloader, first reported in February 2018, that is primarily associated with ad fraud through the installation of adware. It commonly masquerades as a legitimate installer, especially fake Adobe Flash Player updates, and is distributed via fake software update pages, malicious websites, compromised search results, low-reputation sites, malvertising, and redirect chains. Multiple reports describe it as one of the most prevalent macOS threats, with Kaspersky stating it was the most common macOS threat for nearly two years and accounted for almost 30% of its macOS detections in 2019.
Its core role is typically first-stage access: Shlayer penetrates the system, collects basic host information such as macOS version and identifiers, downloads secondary payloads, executes them, and then often removes staging artifacts. Observed variants have been implemented in bash, zsh, Python, and Mach-O forms. Reported behaviors include use of built-in macOS utilities such as curl, openssl, unzip, sqlite3, hdiutil, perl, plutil, defaults, system_profiler, xxd, mktemp, mdls, chmod, open, and killall. Several analyses note heavy obfuscation, including base64 and AES decryption, embedded encrypted ZIP content, encrypted blobs in scripts, and in one variant, AES-encrypted configuration data hidden inside a modified DMG structure between the plist and the 512-byte "koly" trailer. Shlayer has also been observed querying the LaunchServices QuarantineEventsV2 database, including checks for recent Amazon S3 download URLs, and using curl to fetch second-stage payloads in ways that can bypass Gatekeeper because curl downloads do not receive the quarantine attribute.
Shlayer is strongly associated with delivery of adware payloads, especially Bundlore, and has also been reported delivering AdLoad, Cimpli, Bnodlero, Geonei, and Pirrit. The downstream adware payloads have been described as installing malicious Safari extensions, intercepting browser searches, modifying search results for ad monetization, displaying intrusive advertisements, adding trusted certificates, and redirecting or inspecting traffic. Some campaigns also attempted to obtain the user’s password via misleading prompts. Reported persistence-related behavior includes installation of adware with its own persistence mechanisms and use of LaunchAgents in broader execution chains.
The malware’s infrastructure and delivery ecosystem have repeatedly been tied to fake Flash update campaigns, Amazon S3 and CloudFront hosting, and large-scale malvertising operations. Confiant linked Shlayer delivery to the VeryMal campaign and identified fake Flash update infrastructure on .icu domains; Confiant also described Yosec as a major distribution source for the trojan. Reported indicators and artifacts include the CloudFront domain d2hznnx43bsrxg[.]cloudfront[.]net, S3-hosted payload delivery, command-and-control domains and URLs used to retrieve ZIP payloads, and sample hashes including MD5 4d86ae25913374cfcb80a8d798b9016e, SHA-256 0fe475cc5da11e1f3ca5e0bc81d5ee406bdf4b4c428ebdab35f4dad63c0b9093, and SHA-256 063bbebb64e3b4f5f5844ca3cf46b69dc195e74a692bc9a977d35bed7edc0e3a.
Reporting also notes that Shlayer evolved to abuse Apple trust mechanisms: Objective-See reported it as the first malicious code notarized by Apple, and other reporting observed signed initial DMGs using legitimate Apple Developer IDs. Overall, the sources consistently characterize Shlayer as a prolific macOS downloader/dropper whose main purpose is to install and launch additional adware or other malicious payloads while evading macOS protections through social engineering, obfuscation, and quarantine/Gatekeeper bypass techniques.
Groups observed using it
2 distinct threat actors attributed by public researchers.
The bad actor is known for running large scale fake Flash update campaigns that are hosted on .icu domains by way of display ad auto-redirects: VeryMal Fake Flash Update — Shlayer Trojan
Yosec — ... They are a major source of distribution for the notorious Shlayer trojan: OSX/Shlayer ...
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Initial Access
2 techniques
Execution
5 techniques
Note the decrypted string that corresponds to commands; OSX/Shlayer.F executes them via the popen() function.
The malicious shell scripts used by Shlayer and Bundlore are usually malvertising-focused adware bundlers using shell scripts in the kill chain to download and install an adware payload.
However, the seemingly standard installer turns out to be a Python script, which is already atypical of macOS installation software.
Stealth
8 techniques
The bash script in these variants decrypts the next-stage encrypted blobs containing the next-stage bash scripts using openssl with base64 and AES (Advanced Encryption Standard) in CBC (Cipher Block Chaining) mode to thwart security scanners.
That’s exactly what we saw with VeryMal’s offensive steganography and what we’re continuing to see with this use of harmless looking Firestore code.
The bash files download the second-stage adware payload, which generally lures the victim into installing a fake version of Flash Player as shown below.
After that, the Trojan runs the downloaded and unpacked application package using the built-in open tool, and deletes the downloaded archive and its unpacked contents.
Most variants of them are known to commonly leverage at least 3 of the 5 built-in macOS commands and utilities: openssl, curl, sqlite3, killall and funzip.
Use mdls to validate payload download sources and timestamps to guard against sandbox executions:
mdls -name "kMDItemWhereFroms" -name "kMDItemDownloadedDate"
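The openssl/base64/AES-CBC staging described above leaves a recognisable fingerprint in the script itself: a blob that `openssl enc` can decrypt with a password starts with the 8-byte magic "Salted__" followed by an 8-byte salt, and its base64 form therefore begins with "U2FsdGVkX1". The following triage script is an added example written for this page, not code from Shlayer, Bundlore or any of the cited researchers; it scans a shell script for such blobs and for an `openssl ... -d` decrypt invocation, and reports the salt and ciphertext size without decrypting anything. The sample script it scans is constructed inline and the "suspicious" threshold is an assumption.

```python
import base64
import binascii
import re

SALTED_MAGIC = b"Salted__"          # OpenSSL EVP salted-header magic
# Candidate base64 tokens: long runs of the base64 alphabet with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# "openssl enc ... -d" or "openssl aes-256-cbc ... -d" style decrypt calls.
OPENSSL_DECRYPT = re.compile(r"\bopenssl\s+(?:enc\b|aes-\d+-\w+\b)[^\n|]*?(?:\s-d\b|\s-base64\s|\s-a\s)")

# Constructed sample: "Salted__" + 8-byte salt + 32 bytes of (dummy) ciphertext, base64-encoded.
_SAMPLE_BLOB = base64.b64encode(SALTED_MAGIC + bytes(range(8)) + bytes(32)).decode()
SAMPLE_SCRIPT = f"""#!/bin/bash
# constructed sample modelled on the staging pattern, not a real Shlayer script
K="d3adb33f"
echo "{_SAMPLE_BLOB}" | openssl enc -aes-256-cbc -base64 -d -pass pass:$K | bash
"""
BENIGN_SCRIPT = """#!/bin/bash
# constructed benign script: long base64 that is not an OpenSSL salted blob
echo "aGVsbG8gd29ybGQsIHRoaXMgaXMgbm90IGVuY3J5cHRlZCBhdCBhbGw=" | base64 -d
"""


def find_salted_blobs(text):
    """Return one record per base64 token that decodes to an OpenSSL salted blob."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for token in B64_TOKEN.findall(line):
            try:
                raw = base64.b64decode(token, validate=True)
            except binascii.Error:
                continue                       # not valid base64, skip
            if not raw.startswith(SALTED_MAGIC) or len(raw) < 16:
                continue
            body = raw[16:]                    # ciphertext after magic + salt
            found.append({
                "line": lineno,
                "salt_hex": raw[8:16].hex(),
                "ciphertext_len": len(body),
                # AES-CBC output is always a whole number of 16-byte blocks
                "block_aligned": len(body) % 16 == 0,
            })
    return found


def uses_openssl_decrypt(text):
    """True if the script invokes openssl in a decrypting mode."""
    return OPENSSL_DECRYPT.search(text) is not None


def assess(text):
    """Summarise the indicators; 'suspicious' is an assumed heuristic, not a verdict."""
    blobs = find_salted_blobs(text)
    decrypt = uses_openssl_decrypt(text)
    return {
        "salted_blobs": len(blobs),
        "blobs": blobs,
        "openssl_decrypt": decrypt,
        "suspicious": bool(blobs) and decrypt,
    }


if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, assess(script))
```

Pointing `assess()` at a real installer script (the bash or zsh files extracted from a suspect DMG) gives a quick yes/no on whether it carries an embedded OpenSSL-salted stage; the salt and block alignment also let an analyst confirm the blob is what the decrypt command expects before spending time on it.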
Defense Impairment
2 techniques
Discovery
6 techniques
Encrypted string reference in function 0x100020a50 decoded to:
defaults read /System/Library/CoreServices/SystemVersion.plist ProductVersion
mdls lists file metadata across standard metadata (creation date, size), extended attributes (quarantine), and Spotlight APIs (Finder flags).
Use mdls to print file paths and sizes when enumerating host resources:
xargs -0 mdls -n kMDItemPath -n kMDItemFSSize
I could also see this used as an anti-sandbox check, since sandbox analysis systems won’t have such an entry in the LSQuarantineEvent table when submitting a sample for analysis.
As mentioned above, this variant OSX/Shlayer.F queries QuarantineEventsV2 as follows:
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineDataURLString from LSQuarantineEvent where LSQuarantineDataURLString like "%s3.amazonaws.com%" order by LSQuarantineTimeStamp desc limit 5'
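The same table is a useful hunting source for defenders: it records which agent downloaded what from where, and it is precisely the record that a curl-fetched second stage (see the Gatekeeper note above) will never have. The script below is an added example for this page, not code from the cited researchers; it runs the query shape Shlayer uses, but returns the agent and a human-readable timestamp so an analyst can baseline recent S3-sourced downloads and spot a launched application that has no quarantine entry at all. LSQuarantineTimeStamp is stored as CFAbsoluteTime (seconds since 2001-01-01 UTC). The column subset in the schema and the sample rows are constructed for the example; the live database path is the one the page quotes.

```python
import glob
import os
import sqlite3
from datetime import datetime, timedelta, timezone

# LSQuarantineTimeStamp is CFAbsoluteTime: seconds since 2001-01-01 00:00:00 UTC.
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
LIVE_DB_GLOB = os.path.expanduser("~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV*")

# Assumed subset of the real LSQuarantineEvent columns (the table has more).
SCHEMA = """
CREATE TABLE LSQuarantineEvent (
    LSQuarantineEventIdentifier       TEXT PRIMARY KEY,
    LSQuarantineTimeStamp             REAL,
    LSQuarantineAgentBundleIdentifier TEXT,
    LSQuarantineAgentName             TEXT,
    LSQuarantineDataURLString         TEXT,
    LSQuarantineOriginURLString       TEXT
)
"""

# Constructed sample rows, not real telemetry.
SAMPLE_ROWS = [
    ("EV-1", 600000000.0, "com.apple.Safari", "Safari",
     "https://s3.amazonaws.com/example-bucket/FlashPlayer.dmg", "https://fake-update.example/"),
    ("EV-2", 600003600.0, "org.mozilla.firefox", "Firefox",
     "https://www.example.org/report.pdf", "https://www.example.org/"),
    ("EV-3", 600007200.0, "com.apple.Safari", "Safari",
     "https://d000000000000.cloudfront.example/payload.zip", "https://landing.example/"),
]


def to_datetime(cf_seconds):
    """Convert a CFAbsoluteTime value to an aware UTC datetime."""
    return CF_EPOCH + timedelta(seconds=cf_seconds)


def build_sample_db():
    """In-memory replica populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def open_live_db():
    """Open the real QuarantineEventsV2 database read-only, or None if absent."""
    paths = glob.glob(LIVE_DB_GLOB)
    if not paths:
        return None
    return sqlite3.connect(f"file:{paths[0]}?mode=ro", uri=True)


def recent_matching(conn, like_pattern="%s3.amazonaws.com%", limit=5):
    """Most recent quarantine events whose data URL matches the LIKE pattern."""
    cur = conn.execute(
        "SELECT LSQuarantineDataURLString, LSQuarantineAgentName, LSQuarantineTimeStamp "
        "FROM LSQuarantineEvent WHERE LSQuarantineDataURLString LIKE ? "
        "ORDER BY LSQuarantineTimeStamp DESC LIMIT ?",
        (like_pattern, limit),
    )
    return [{"url": u, "agent": a, "when": to_datetime(t)} for u, a, t in cur.fetchall()]


def has_quarantine_record(conn, url_fragment):
    """True if any recorded download URL contains the fragment; a launched app with
    no record at all is the curl-without-quarantine case worth investigating."""
    row = conn.execute(
        "SELECT 1 FROM LSQuarantineEvent WHERE LSQuarantineDataURLString LIKE ? LIMIT 1",
        (f"%{url_fragment}%",),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = open_live_db() or build_sample_db()
    for rec in recent_matching(db):
        print(rec["when"].isoformat(), rec["agent"], rec["url"])
```

On a real host, compare the S3/CloudFront entries returned here against the applications that were actually launched (for example from the unified log or an EDR process tree): a Flash-style installer that runs but never appears in this table, or whose child payload has no entry, is the curl-fetched, unquarantined pattern the reporting describes.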
Collection
1 technique
Command and Control
3 techniques
I wanted to revisit the OSX/Shlayer.F variant of the Shlayer malware to report on a technique that has not previously been seen in other macOS malware for hiding Command and Control (C2) information. This variant encrypts its configuration using AES within the DMG file header structure, resulting in a modified DMG file.
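A DMG ends with a fixed 512-byte "koly" trailer whose fields give the offset and length of the XML property list that precedes it, so in a well-formed image the plist runs right up to the trailer. The modified-DMG technique described above places data between the end of that plist and the start of the trailer, which a defender can measure directly. The following parser is an added example for this page, not code from the researcher quoted above; it reads the koly trailer, computes the gap between plist end and trailer start, and reports its size and byte entropy. The koly field layout follows the commonly documented UDIF structure, the sample image is constructed in-memory (its data fork and plist are placeholders), and the entropy threshold used for "suspicious" is an assumption.

```python
import math
import struct

KOLY_SIZE = 512
# UDIF trailer: big-endian, 512 bytes. Field names follow the documented layout.
KOLY_FMT = ">4sIII5QII16sII128sQQ120sII128sIQ12s"
KOLY_FIELDS = (
    "magic", "version", "header_size", "flags",
    "running_data_fork_offset", "data_fork_offset", "data_fork_length",
    "rsrc_fork_offset", "rsrc_fork_length",
    "segment_number", "segment_count", "segment_id",
    "data_checksum_type", "data_checksum_size", "data_checksum",
    "xml_offset", "xml_length", "reserved1",
    "checksum_type", "checksum_size", "checksum",
    "image_variant", "sector_count", "reserved2",
)
assert struct.calcsize(KOLY_FMT) == KOLY_SIZE


def parse_koly(data):
    """Return the trailer fields as a dict, or None if no koly trailer is present."""
    if len(data) < KOLY_SIZE:
        return None
    fields = struct.unpack(KOLY_FMT, data[-KOLY_SIZE:])
    koly = dict(zip(KOLY_FIELDS, fields))
    return koly if koly["magic"] == b"koly" else None


def shannon_entropy(blob):
    """Bits per byte; 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plist_to_trailer_gap(data, entropy_threshold=6.0):
    """Measure any bytes lying between the XML plist and the koly trailer."""
    koly = parse_koly(data)
    if koly is None:
        return {"ok": False, "reason": "no koly trailer"}
    trailer_start = len(data) - KOLY_SIZE
    xml_end = koly["xml_offset"] + koly["xml_length"]
    if xml_end > trailer_start:
        return {"ok": False, "reason": "plist extends into or past trailer"}
    gap = data[xml_end:trailer_start]
    ent = shannon_entropy(gap)
    return {
        "ok": True,
        "gap_offset": xml_end,
        "gap_length": len(gap),
        "entropy": ent,
        # Assumed heuristic: non-trivial, high-entropy filler is what encrypted config looks like.
        "suspicious": len(gap) >= 16 and ent > entropy_threshold,
    }


def build_sample_dmg(extra=b""):
    """Constructed minimal image: placeholder data fork, plist, optional extra bytes, trailer."""
    data_fork = b"\x00" * 1024                       # placeholder, not a real compressed fork
    plist = (b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">'
             b"<dict><key>resource-fork</key><dict/></dict></plist>\n")
    xml_offset = len(data_fork)
    body = data_fork + plist + extra
    trailer = struct.pack(
        KOLY_FMT, b"koly", 4, KOLY_SIZE, 1,
        0, 0, len(data_fork), 0, 0,
        0, 1, bytes(16),
        0, 0, bytes(128),
        xml_offset, len(plist), bytes(120),
        0, 0, bytes(128),
        1, len(data_fork) // 512, bytes(12),
    )
    return body + trailer


if __name__ == "__main__":
    clean = build_sample_dmg()
    tampered = build_sample_dmg(bytes(range(256)))   # constructed high-entropy filler
    print("clean:", plist_to_trailer_gap(clean))
    print("tampered:", plist_to_trailer_gap(tampered))
```

Run `plist_to_trailer_gap()` over the raw bytes of a suspect DMG (read with `open(path, "rb").read()`); legitimate images typically report a zero or tiny gap, so a gap of tens or hundreds of bytes with entropy near 8 bits per byte is worth carving out and inspecting as a hidden configuration blob. The entropy threshold is a tuning knob, not a fixed property of the format.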
IOCs tracked for this family
25 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
17 sources tracked across advisories, community write-ups, and news.
macOS malware family cited as using curl to download secondary payloads and bypass Gatekeeper by avoiding quarantine attributes.
A Mac-focused trojan delivered via fake Flash update malvertising campaigns and auto-redirects. In this report, the campaign uses Firebase/Firestore-hosted payloads, fingerprinting, obfuscation, and redirects to deliver the Shlayer binary.
macOS malware commonly distributed via malvertising/redirects; in this context, Yosec is described as a major distribution source, redirecting users to malware pages that deliver Shlayer.
macOS malware commonly distributed via fake Flash update/malvertising landing pages; used as a loader to deliver additional payloads.