ReaderUpdate
ReaderUpdate is a macOS Trojan loader/loader malware family. Reporting describes it as a loader used to serve the Genieo (also known as DOLITTLE) adware, and notes that it is typically used to download intrusive adware, though it could deliver other Trojan payloads. Research published in 2025 said the malware had been largely dormant since 2023, but new samples showed expanded implementation diversity intended to evade detection. ReaderUpdate has been observed in multiple language variants, including Python, Crystal, Rust, Nim, and a newly identified Go-based variant. High-confidence reporting characterizes it as a macOS malware loader with evolving capabilities centered on payload delivery and detection evasion through diverse codebases. No specific threat actor, industry targeting, or concrete IOCs are provided in the supplied content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
ReaderUpdate is a macOS malware loader using multiple programming languages (Crystal, Nim, Rust, Go) to evade detection and deliver additional payloads.
Modular loader for macOS, written in multiple languages, used to deliver adware and potentially other malware.
macOS loader used to deliver Genieo/DOLITTLE adware; distributed via trojanized installers on third-party download sites.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.