{
	"id": "d8a07f2d-0c1c-468d-a3e6-3ab5adc4e182",
	"created_at": "2026-04-06T02:11:44.171603Z",
	"updated_at": "2026-04-10T03:20:29.664347Z",
	"deleted_at": null,
	"sha1_hash": "32dc842e0fbba5b4e38a8f3544e6a9010175d592",
	"title": "Maker of sneaky Mac adware sends security researcher cease-and-desist letters",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 816038,
	"plain_text": "Maker of sneaky Mac adware sends security researcher cease-and-desist letters\r\nBy Zack Whittaker\r\nPublished: 2017-12-13 · Archived: 2026-04-06 01:30:42 UTC\r\n(Image: file photo)\r\nThe maker of a sneaky adware that hijacks a user's browser to serve ads is back with a new, more advanced\r\nversion -- one that can gain root privileges and spy on the user's activities.\r\nNews of the updated adware dropped Tuesday in a lengthy write-up by Amit Serper, principal security researcher\r\nat Cybereason.\r\nThe adware, dubbed OSX.Pirrit, is still highly active, infecting tens of thousands of Macs, according to Serper,\r\nwho has tracked the malware and its different versions for over a year.\r\nSerper's detailed write-up is well worth the read. The short version is that the adware, built by Israeli ad-tech firm\r\nTargetingEdge, poses as a legitimate installer, like a video player or document reader. Like other software, the\r\ninstaller asks for the user's password to install, tricking the user into turning over root privileges to the\r\ninstaller.Once it's hooked into the system, the installer uses a script to download further components from the\r\nadware's command and control server. The report said that the files used to maintain the adware's persistence on\r\nthe infected Mac tries to mask themselves as legitimate macOS functions to try to hide from the victim. What's\r\nhttp://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/\r\nPage 1 of 3\n\nnew in this version is that the adware uses macOS' native scripting language, AppleScript -- typically reserved for\r\nautomation -- to inject ads directly into the browser, rather than a proxy server that can be easily removed.\r\nTargetingEdge sent cease-and-desist letters to try to prevent Serper from publishing his research.\r\n\"We've received several letters over the past two weeks,\" Serper told ZDNet. \"We decided to publish anyway\r\nbecause we're sick of shady 'adware' companies and their threats.\"\r\nHe said OSX.Pirrit is \"malware with a legal team.\"\r\nIt's not just Serper's opinion; 28 different antivirus engines identified TargetingEdge's software as malware\r\nthrough VirusTotal, an online malware detector.\r\nWe contacted TargetingEdge but didn't hear back from the company directly. A lawyer representing the company\r\nprovided ZDNet with a statement denying Serper's claims.\r\n\"Our product is not malware, it does not include any features of malware and it does not harm or damage or intend\r\n[sic] to cause any damages to the product user's device, nor 'hacks.' 'spy,' or 'takes over' the browser or uses any\r\nother 'malicious' or 'non-transparent' means,\" the statement said. \"We highly respect the privacy of our users, take\r\ngreat care in protecting our users' rights and privacy, and adhere to best practices as well as applicable law and\r\nprivacy related legislation.\"\r\nThe statement also denied any link to OSX.Pirrit.\r\nHowever, as Serper notes, in his previous research he linked the adware to TargetingEdge. In his latest report,\r\nthough most references to the company had been removed from the code, several domain names found in the code\r\nwere registered by the company. He also noted that a former employee sent his resume to Cybereason, which\r\nlinked the adware to TargetingEdge.\r\nWhen asked why the company sent a cease-and-desist letter, the lawyer said it \"never required Mr. Serper to not\r\npublish its report.\"\r\nZDNet independently verified the contents of the cease-and-desist letter, which contradict the company's\r\nstatement.\r\nCybereason said it \"stands by our report published yesterday.\"\r\nIt's rare, but not unheard of for security researchers to receive legal threats relating to their work. Last year we\r\nreported that auditing and tax giant PwC sent legal threats to security researchers try to stop them from revealing a\r\ncritical flaw, even though the researchers had gone through the responsible disclosure process.\r\nSerper said that OSX.Pirrit is a \"great example\" of how an ad-tech company borrows nefarious tactics found in\r\nmalware to make it harder for antivirus software to detect them. \"There is no difference between traditional\r\nmalware that steals data from its victims and adware that spies on people's Web browsing and target them with\r\nads, especially when those ads are for either fake antivirus programs or Apple support scams.\"\r\nhttp://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/\r\nPage 2 of 3\n\n\"If there's code that's mining data and hiding itself on a computer without any way of removing it, that's malware,\r\nplain and simple,\" he added.\r\nSource: http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/\r\nhttp://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/"
	],
	"report_names": [
		"maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter"
	],
	"threat_actors": [],
	"ts_created_at": 1775441504,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32dc842e0fbba5b4e38a8f3544e6a9010175d592.pdf",
		"text": "https://archive.orkl.eu/32dc842e0fbba5b4e38a8f3544e6a9010175d592.txt",
		"img": "https://archive.orkl.eu/32dc842e0fbba5b4e38a8f3544e6a9010175d592.jpg"
	}
}