{
	"id": "bfbba721-831f-4384-8f54-95d7c834d0bf",
	"created_at": "2026-04-06T00:07:37.778473Z",
	"updated_at": "2026-04-10T03:20:17.564001Z",
	"deleted_at": null,
	"sha1_hash": "59bfe51dfc70c5924cb2b0eba0902debe422e6e8",
	"title": "Shlayer, No. 1 Threat for Mac, Targets YouTube, Wikipedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 171893,
	"plain_text": "Shlayer, No. 1 Threat for Mac, Targets YouTube, Wikipedia\r\nBy Tara Seals\r\nPublished: 2020-01-23 · Archived: 2026-04-05 22:28:29 UTC\r\nThe malware uses thousands of partner websites to spread malvertising code.\r\nThe malvertising-focused trojan known as Shlayer has burbled to the top of the malware heap when it comes to\r\ntargeting Mac users. It made up 29 percent of all attacks on macOS devices in Kaspersky’s telemetry for 2019,\r\nmaking it the No. 1 Mac malware threat for the year. To spread, it has been swindling visitors to websites with\r\nmillions of visitors, especially YouTube and Wikipedia, into clicking on malicious links.\r\nShlayer is a trojan downloader, which spreads via fake applications that hide its malicious code, according to\r\nKaspersky. Its main purpose is to fetch and install various adware variants. These second-stage samples bombard\r\nusers with ads, and also intercept browser searches in order to modify the search results to promote yet more ads.\r\nThus it’s perhaps not surprising that, out of the remaining Top 10 macOS threats detailed by Kaspersky for the\r\nyear, most of them were adware that Shlayer installs – namely, AdWare.OSX.Bnodlero, AdWare.OSX.Geonei,\r\nAdWare.OSX.Pirrit and AdWare.OSX.Cimpli.\r\nInfection Process\r\nShlayer generally arrives on users’ desktops via a malicious download. Kaspersky noted that the cybercriminals\r\nbehind the code have set up an elaborate distribution system with a number of channels leading users to download\r\nthe malware.\r\nFigure: Top 10 Mac Malwares of 2019\r\n“Shlayer spreads via a partner network of thousands of websites, often targeting visitors of legitimate sites,\r\nincluding YouTube and Wikipedia,” Kaspersky explained in an analysis of the code, released Thursday. 
“YouTube,\r\nhttps://threatpost.com/shlayer-mac-youtube-wikipedia/152146/\r\nPage 1 of 3\n\nwhere links to the malicious website were included in video descriptions, and Wikipedia, where such links were\r\nhidden in the articles’ references.”\r\nTo put this affiliate network together, Shlayer’s operators court website owners (and those willing to, say, upload a\r\nYouTube video or edit a Wikipedia page) with a promise to monetize their sites in exchange for pushing malicious\r\nlinks pointing to Shlayer downloads. The crooks offer websites “relatively high payment for each malware\r\ninstallation made by American users, prompting over 1,000 partner sites to distribute Shlayer,” according to the\r\nresearch.\r\nMost of the campaigns hinge on entertainment themes. Unwitting web users searching for, say, a popular TV\r\nseries episode or a sports broadcast will be redirected to a fraudulent site claiming to offer content streams; in\r\nreality, the links on the site are pushing the malware.\r\nKaspersky has also seen advertising landing pages redirecting victims to fake Flash Player update pages.\r\nUnder the Hood\r\nOverall, Shlayer is being hosted for download on 700 different domains, to which the links redirect visitors. The\r\nmost recent Shlayer variant is Trojan-Downloader.OSX.Shlayer.e, Kaspersky’s analysis revealed, which stands\r\napart because it’s written in Python rather than Bash, as its prior versions were.\r\nFigure: Shlayer Detections Over Time\r\nUpon initial download, the user is prompted to run an “installation” file.\r\n“However, the seemingly standard installer turns out to be a Python script, which is already atypical of macOS\r\ninstallation software,” the research explained. “The directory with executable files inside the application package\r\ncontains two Python scripts: gjpWvvuUD847DzQPyBI (main) and goQWAJdbnuv6 (auxiliary).”\r\nThe auxiliary script implements data encryption on the malware’s functions. 
Next, the main script generates a\r\nunique user and system ID, and also collects information about the version of macOS in use. Based on this data,\r\nthe GET query parameters are generated to download the ZIP file containing Shlayer.\r\n“The ZIP archive downloaded to the /tmp/%(sessionID) directory is unpacked to the /tmp/tmp directory using the\r\nunzip function,” Kaspersky explained. “The ZIP archive was found to contain an application package with the\r\nexecutable file 84cd5bba3870. After unpacking the archive, the main Python script uses the chmod tool to assign\r\nthe file 84cd5bba3870 permission to run in the system.”\r\nAfter that, the trojan runs the downloaded and unpacked application package using the built-in open tool, and\r\ndeletes the downloaded archive and its unpacked contents.\r\nSecond Stage Adware\r\nShlayer simply penetrates the victim system, loads the main payload, and runs it. After that, the second-stage\r\nadware takes over; in recent campaigns, Kaspersky observed Shlayer actively downloading the\r\nAdWare.OSX.Cimpli family.\r\nCimpli masquerades as a useful Mac utility (i.e., “Any Search”) – but in actuality installs a malicious extension in\r\nSafari, hiding the OS security notification behind a malware fake window.\r\n“By clicking on the buttons in the notification, the user in effect agrees to install the extension,” according to the\r\nresearch.\r\nThe extension is called ManagementMark, which monitors the victim’s online searches and redirects them by\r\ninjecting a script into the browser pages. The sample also loads the mitmdump tool, which is given permission to\r\nview HTTPS traffic via a special trusted certificate that the malware adds to the system (also achieved by\r\nsuperimposing a fake window over the installation confirmation box). 
All traffic passing through mitmdump is\r\nthen processed by a script that redirects all user search queries to a SOCKS5 proxy.\r\n“Cimpli adware thus becomes firmly anchored in the system; in the event that traffic does not pass through the\r\nproxy server, the JS code of the extension injected in the page handles the redirection of queries,” according to the\r\nresearch. “The attacker gains access to the user’s search queries and can modify the search engine results to\r\ndisplay advertising. As a result, the user is inundated with unsolicited ads.”\r\nLuckily for macOS users, these campaigns are all aimed at feeding illicit advertising to victims, rather than\r\nsomething more dangerous, such as stealing financial data. However, the cybercriminals behind Shlayer could\r\nevolve their focus at any time, according to Kaspersky.\r\n“Despite macOS’ reputation as a much safer and more secure system, there are still cybercriminals trying their\r\nluck to profit from macOS users, and Shlayer is a perfect example,” the firm noted. “Furthermore, ever since\r\nShlayer was first detected, its infection algorithm has hardly changed, even though its activity barely decreased,\r\nmaking it an especially relevant threat.”\r\nSource: https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/"
	],
	"report_names": [
		"152146"
	],
	"threat_actors": [],
	"ts_created_at": 1775434057,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59bfe51dfc70c5924cb2b0eba0902debe422e6e8.pdf",
		"text": "https://archive.orkl.eu/59bfe51dfc70c5924cb2b0eba0902debe422e6e8.txt",
		"img": "https://archive.orkl.eu/59bfe51dfc70c5924cb2b0eba0902debe422e6e8.jpg"
	}
}