{
	"id": "622b65cf-e9a5-4010-8bae-9c2121c9d10b",
	"created_at": "2026-04-06T00:11:49.448676Z",
	"updated_at": "2026-04-10T13:12:42.291777Z",
	"deleted_at": null,
	"sha1_hash": "6b4a6b179d844c4ccd87acf8599c5d2f1eb49ae8",
	"title": "New OSX/Shlayer Malware Variant Found Using a Dirty New Trick",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1284157,
	"plain_text": "New OSX/Shlayer Malware Variant Found Using a Dirty New Trick\r\nBy Jay Vrijenhoek\r\nPublished: 2018-04-24 · Archived: 2026-04-05 22:40:22 UTC\r\nMalware\r\nPosted on April 24th, 2018 by\r\nLast February, Intego researchers discovered a new variant of the OSX/Shlayer malware, disguising itself as an Adobe Flash Player update to infect systems with adware. OSX/Shlayer was also found in torrent downloads as part of (or pretending to be) software cracks.\r\nToday, Thomas Reed reported on a new variant of OSX/Shlayer that uses new tricks to get its job done. It installs a configuration profile that forces a browser’s homepage to be set as “chumsearch[dot]com.” This profile would take control of the homepage settings in Safari and Chrome and also set the “Open new window with” or “Open new tab with” settings to use the Chumsearch URL. While we did not observe this behavior in our tests, we did find a few other interesting things.\r\nHow are Macs getting infected?\r\nhttps://www.intego.com/mac-security-blog/new-osxshlayer-malware-variant-found-using-a-dirty-new-trick/\r\nPage 1 of 9\r\nAs with the previously discovered Shlayer malware variants, this one comes as either a fake Adobe Flash Player or a crack (patch) to some kind of paid software. To pick up one of these fake Adobe Flash Player installers, one must wander around BitTorrent sites and it’ll surely pop up.\r\nTo obtain Shlayer as part of a software crack, BitTorrent sites are also to blame. This is not to say that this malware variant, or any other variants, can’t be found on other possibly legit websites, but we have yet to spot Shlayer there.\r\nOnce a user is tricked into downloading the fake Adobe Flash Player (or a site downloads it automatically), the result is typically a self-mounting disk image. The user is then presented with a window that looks mostly like this:\r\nOnce the installer is launched, an agreement will pop up that looks absolutely nothing like the one included in the real Adobe Flash Player installer, and two installation types are offered: Express (recommended) or Custom Installation (expert). The wording is, of course, carefully chosen to deter users from selecting the Custom Installation option and seeing what is really being installed.\r\nEven without scrolling through it, you can tell the presented agreement does not reference Adobe Flash Player; instead it references Advanced Mac Cleaner. This should be a big red flag, but most users may be so accustomed to quickly clicking “OK,” “Continue” and “Agree” to finally get their installation going. (These windows could mention irrefutable proof Bigfoot exists and in all likelihood no-one would notice.)\r\nWhen the “Accept \u003e\u003e” button is clicked, the user will be presented with a password request.\r\nAnd when the “Ok” button is clicked, the installer will take over. A window will cover most of the screen and display a progress bar asking the user to please wait. This window cannot be activated, moved or closed.\r\nWhat does OSX/Shlayer install?\r\nWith the installer window open, several components are downloaded in the background. This includes all or some of the following:\r\nChumsearch Safari Extension (though proper installation only worked once)\r\nMyShopCoupon+ (this fails to install and ends up in the root of the startup drive)\r\nAdvanced Mac Cleaner (ends up in the Applications folder)\r\nmediaDownloader (ends up in the Applications folder)\r\nMyMacUpdater (ends up in the Applications folder)\r\nAn actual Adobe Flash Player installer (mounts on the desktop)\r\nIt also adjusts the Homepage in Safari, and probably Chrome and other browsers as well, to:\r\nhttp: //www.chumsearch. com/search/?asset=hp\u0026wtguid=61409200915943979\u0026wtsrc=5409\u0026wtdt=042318\u0026wtbr=1\u0026wtpl=10.12.6\u0026v=5.0\r\nHowever, it fails to make further adjustments that would cause new windows or tabs to load this URL.\r\nChumsearch mimics a (very poor) Google search website, which will pop up any time the homepage is requested. This page also features an ad from another company, which should raise red flags right away.\r\nIntego VirusBarrier detects Chumsearch and all of its components as OSX/Chumsearch.\r\nAdvanced Mac Cleaner is scareware. It shows a scanner that found a lot of issues on your Mac and, of course, claims that the way to fix all these issues is by paying up to $107. This application will pop up after every restart.\r\nIntego VirusBarrier detects Advanced Mac Cleaner and all of its components as OSX/AMC.fs.\r\nMyMacUpdater is another Potentially Unwanted Program (PUP), which did not install in this particular round of testing. However, we have encountered it before and Intego VirusBarrier detects it as OSX/Bundlore.\r\nOSX/Shlayer is simply the dropper that acts as the gateway to your system and installs a host of other components, such as those mentioned above. This variant uses double base64 encoding to make it harder for malware researchers to, well, research. For example, the Shlayer installer is called on this path:\r\n\"YlcwdGFXNXpkR0ZzYkMxdFlXTnZjeTVoY0hBdlEyOXVkR1Z1ZEhNdlRXRmpUMU12YlcwdGFXNXpkR0ZzYkMxdFlXTn\r\nWhich is an encoded version of:\r\nbW0taW5zdGFsbC1tYWNvcy5hcHAvQ29udGVudHMvTWFjT1MvbW0taW5zdGFsbC1tYWNvcwo=\r\nWhich is an encoded version of:\r\nmm-install-macos.app/Contents/MacOS/mm-install-macos\r\nBy double encoding data, it doesn’t fool automated processes, but it makes the discovery and analysis by humans a bit trickier.\r\nAccording to Thomas Reed, this new Shlayer variant uses a new trick.\r\nIn the case of this Crossrider variant, the configuration profile that is installed forces both Safari and Chrome to always open to a page on chumsearch[dot]com. This also prevents the user from changing that behavior in the browser’s settings.\r\nImage credit: Thomas Reed\r\nThis is not behavior we were able to reproduce, but we have seen at least one other report of this configuration profile being installed by a web developer in the MacAdmins Slack.\r\nShould Mac users be concerned about OSX/Shlayer?\r\nCurrently, Shlayer has been found only on BitTorrent websites, disguised as fake Adobe Flash Player installers or embedded in downloaded torrent files posing as cracks. Therefore, if you do not frequent such websites—and you shouldn’t because BitTorrent sites are a malware cesspool—chances of infection are at the moment very low.\r\nIf there is an increased risk of infection, users should be concerned. The injecting of ads and hijacking of the homepage are just one aspect of this malware. The Safari and Chrome extensions can do the following:\r\nRead content from webpages you visit\r\nModify content on webpages you visit\r\nTransmit content from webpages you visit\r\nThis includes names, passwords, phone numbers, email addresses, credit card details and much more. Having your online bank statement or Amazon login details transmitted to an unknown party is certainly not ideal.\r\nHow to tell if your Mac is infected (and removal instructions)\r\nA dropper like Shlayer can download and install anything it wants. The components that end up on your Mac are dictated by the servers it connects to and the instructions programmed into it. These kinds of installers are also constantly modified to include new techniques (such as the one found by Thomas Reed) and install new components. As such, it is not possible to give a definitive list of components to search for, but in the case of this particular OSX/Shlayer variant, we know of these components:\r\n/Applications/Advanced Mac Cleaner\r\n/Applications/MyMacUpdater\r\n/Applications/MyShopcoupon\r\n/Applications/mediaDownloader\r\n/Library/LaunchAgents/com.MyMacUpdater.agent.plist\r\n/Library/LaunchAgents/com.MyShopcoupon.agent.plist\r\n~/Library/LaunchAgents/com.pcv.hlpramcn.plist\r\n~/Library/Safari/Extensions/Chumsearch+.safariextz\r\n~/Library/Application Support/amc\r\n~/Library/Caches/com.apple.Safari/Extensions/Chumsearch+.safariextension\r\n/myshopcoupon.safariextz\r\n/mm-plugin.dylib\r\nIn case you did stumble upon the particular installer Thomas Reed mentions, also have a look here:\r\nOpen System Preferences and look for “Profiles”. If a profiles option is available, click on it and look for profiles that don’t belong (there might be legitimate profiles there if your Mac is managed by your work and/or an IT staff). In this case look for “AdminPrefs”, select it and click the “-” to remove it. If your Mac is managed by an IT staff, contact them to have them remove it or give you the OK to remove it yourself. IT admins can find removal instructions in Reed’s report.\r\nAnd finally, don’t forget to delete the original file that got Shlayer on your Mac in the first place. This will most likely reside in your Downloads folder.\r\nIf any of these components are found on your Mac, delete them, restart your Mac and empty the trash.\r\nHow to protect yourself from OSX/Shlayer\r\nIntego VirusBarrier detects and eradicates this new malware variant (and several others) as OSX/Shlayer.C. Use of Intego’s anti-virus software will block and remove all known components of Shlayer malware. Also using a two-way firewall solution, such as Intego NetBarrier, can offer additional protection as it will alert you of any connection attempts to/from applications on your Mac, which allows you to spot suspect behavior and block it before personal data escapes your computer.\r\nWe strongly encourage you to stay away from BitTorrent sites as this will reduce your exposure to malware significantly. You may also consider avoiding the use of Adobe Flash Player in general, so you won’t be tempted to install a fake Flash Player update that’s riddled with malware.\r\nAbout Jay Vrijenhoek\r\nJay Vrijenhoek is an IT consultant with a passion for Mac security research.\r\nSource: https://www.intego.com/mac-security-blog/new-osxshlayer-malware-variant-found-using-a-dirty-new-trick/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.intego.com/mac-security-blog/new-osxshlayer-malware-variant-found-using-a-dirty-new-trick/"
	],
	"report_names": [
		"new-osxshlayer-malware-variant-found-using-a-dirty-new-trick"
	],
	"threat_actors": [],
	"ts_created_at": 1775434309,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b4a6b179d844c4ccd87acf8599c5d2f1eb49ae8.pdf",
		"text": "https://archive.orkl.eu/6b4a6b179d844c4ccd87acf8599c5d2f1eb49ae8.txt",
		"img": "https://archive.orkl.eu/6b4a6b179d844c4ccd87acf8599c5d2f1eb49ae8.jpg"
	}
}