{
	"id": "d4a08ab4-17d8-4751-865d-2890c056b1f6",
	"created_at": "2026-04-06T00:07:49.544584Z",
	"updated_at": "2026-04-10T03:21:47.996186Z",
	"deleted_at": null,
	"sha1_hash": "76ed351476f33fe02bc90ef3dd32d94fd36f8c8b",
	"title": "OSX/Shlayer: New Mac malware comes out of its shell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 753740,
	"plain_text": "OSX/Shlayer: New Mac malware comes out of its shell\r\nBy Joshua Long\r\nPublished: 2018-02-21 · Archived: 2026-04-05 12:58:57 UTC\r\nOver the weekend, Intego researchers discovered multiple\r\nvariants of new Mac malware, OSX/Shlayer, that leverages a unique technique.\r\nAlthough malware that disguises itself as an update to Adobe Flash Player is nothing new, some of the latest\r\nincarnations of fake Flash Player installers have an unusual method of downloading additional content.\r\nHow are Macs getting infected?\r\nIntego researchers found OSX/Shlayer spreading via BitTorrent file sharing sites, appearing as a fake Flash Player\r\nupdate when a user attempts to select a link to copy a torrent magnet link.\r\nTorrent sites are notorious for distributing malware and adware, sometimes through\r\nmisleading advertisements, and sometimes through Trojan horse downloads that claim to be “cracks” or that may\r\ncontain infected copies of legitimate software (watch our recent interview with Amit Serper or read our\r\narticle Why BitTorrent Sites Are a Malware Cesspool to learn more about the dangers of torrent sites).\r\nEven if you don’t use torrent sites, you may encounter other sites that claim you need to update Flash\r\nPlayer; in most cases, this is actually an attempt to install malware on your computer.\r\nOn some of the malware distribution pages, the fake Flash Player alerts are customized to your browser. If you’re\r\nusing Mozilla Firefox, you may see an upward-facing arrow appear pointing to the browser toolbar that indicates\r\nhttps://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/\r\nPage 1 of 6\n\nthat there is a recent download available to open.\r\nIf you’re using Google Chrome, you may see a pop-up message pointing to the bottom-left corner of the browser\r\nwindow where newly available downloads appear. 
Ironically, Google Chrome has its own built-in version of Flash\r\nPlayer that users don’t need to update manually; it gets updated automatically whenever Google issues an update\r\nfor Chrome itself.\r\nWhat’s unique about OSX/Shlayer?\r\nThe initial Trojan horse infection (the fake Flash Player installer) component of OSX/Shlayer leverages shell\r\nscripts to download additional malware or adware onto the infected system.\r\nYou can think of shell scripts as a way to execute a series of commands in sequence,\r\nsometimes without requiring any user interaction. They’re sort of like a command-line equivalent of an Automator\r\nor AppleScript app, or the Mac equivalent of a Windows .bat (“batch”) file. Instead of malware having to open up\r\nthe Terminal on your Mac and type commands right before your eyes (which would be a pretty obvious sign of\r\ninfection), malware can secretly execute those commands in the background without the user’s knowledge\r\nby leveraging shell scripts.\r\nMalware that downloads additional malicious or undesirable code is known as a dropper. Intego’s research team\r\nobserved OSX/Shlayer behaving as a dropper and installing OSX/MacOffers (also known as BundleMeUp,\r\nMughthesec, and Adload) or OSX/Bundlore adware as a secondary payload.\r\nThere are three variants of the newly discovered malware, detected by Intego VirusBarrier as OSX/Shlayer.A,\r\nOSX/Shlayer.B, and OSX/Shlayer.C, that differ as follows:\r\nOSX/Shlayer.A uses two code-signed shell scripts\r\nOSX/Shlayer.B uses one code-signed shell script and one unsigned Mach-O app\r\nOSX/Shlayer.C uses one code-signed shell script\r\nCode signing is a process used by both legitimate app developers and malware makers. 
By adding a cryptographic\r\ndigital signature to Mac software, a developer can enable their apps to more easily bypass Apple’s\r\nGatekeeper protection (which is closely associated with Apple’s XProtect bad download blocker functionality).\r\nSigning an app also provides a direct link between that app and a registered member of the Apple Developer\r\nProgram.\r\nWhat does the malware do if installed?\r\nThe primary goal of OSX/Shlayer is to download and install adware onto an infected Mac.\r\nAlthough “adware” may not sound like a big deal, it can be a lot more harmful than the name implies; be sure to\r\nwatch our aforementioned interview with Amit Serper to learn more about one particular example of malicious\r\nMac adware.\r\nAt least one variant of the malware also appears to exhibit an interesting behavior: It checks whether one of\r\nseveral Mac anti-virus products is installed.\r\nHow can Mac users protect themselves from OSX/Shlayer?\r\nTo prevent infection, avoid any “Flash Player” update alerts you may encounter on the Web; in most cases, these\r\nare actually false warnings intended to trick you into downloading and installing malware.\r\nA fake Flash Player alert on a site distributing OSX/Shlayer\r\nIf you use Google’s Chrome browser, it already has a built-in version of Flash Player, so you’ll never need to\r\nobtain a newer version of the plugin from a third party.\r\nIf you use Apple’s Safari browser, or Mozilla Firefox or other third-party Web browsers, you should\r\nbookmark https://get.adobe.com/flashplayer/ and only obtain Flash Player updates via that bookmark—that is, if\r\nyou even need Flash Player in the first place.\r\nIn fact, when you get a new computer the best practice is to avoid installing\r\nFlash Player in the first place. 
Few legitimate sites require Flash these days, and for the rare site that does, you can\r\nview the site in Google Chrome. Adobe is phasing out support for Flash and will cease updating Flash Player at\r\nthe end of 2020.\r\nIf you accidentally download a fake Flash Player update and it comes as a .dmg (Mac disk image) file, don’t\r\ndouble-click it! Simply drag it to the Trash, and then from the Finder menu (in the top-left corner of the screen,\r\nnext to the Apple menu) select “Empty Trash…”\r\nSee also our article How to Tell if Adobe Flash Player Update is Valid for additional tips.\r\nUsers of Intego VirusBarrier X9 are already protected from all OSX/Shlayer variants that have been discovered in\r\nthe wild.\r\nWhat can I do if I think my computer is infected?\r\nIf you suspect that your computer might be infected, you can download VirusBarrier\r\nScanner (free) from the Mac App Store to scan your computer for an existing infection.\r\nWe recommend installing antivirus software with real-time scanning protection, such as Intego VirusBarrier\r\nX9 (part of the Mac Premium Bundle X9 utility suite), to help block malware before an infection can occur.\r\nAre there any other indicators of compromise (IOCs)?\r\nWARNING: Do not attempt to connect to the domain names below; doing so may lead to infection!\r\nNetwork administrators can check their organizations’ Web traffic logs for attempts to connect to the following\r\ndomains (or subdomains thereof) on port 80, which may indicate possible infection by either OSX/Shlayer\r\nor similar malware or adware campaigns that leverage the same domains:\r\nyourreliablesite4content(.)bid — registered on Feb 20, 2018\r\nmacfantsy(.)com — registered in Dec 2017\r\nponystudent(.)win — registered in Aug 2017\r\nchildrenlawyer(.)win — registered in Jul 2017\r\nspoonstory(.)win — registered in Jul 
2017\r\nmacinstallerinfo(.)com — registered in 2015\r\nmacresourcescdn(.)com — registered in 2015\r\nWho’s behind this malware?\r\nThe variants of OSX/Shlayer discovered to date have been associated with Apple Developer Program accounts\r\nregistered to one of three names: “Harper Natalie,” “Murphy Rachel,” or “Gennadiy Karshin.”\r\nThis does not necessarily mean that individuals by those names are the source of the malware; it’s possible to\r\nregister for an Apple Developer Program account using a false identity. (At least the first two names are likely\r\nfake, given that Natalie and Rachel are typically given names, not surnames.)\r\nMoreover, if a legitimate Apple Developer Program account has been compromised, a third party may exploit that\r\naccount’s code signing capability for malicious purposes.\r\nThe domain names associated with this malware are registered using privacy screens, so little useful information\r\nabout the domain registrants is obtainable via publicly searchable records.\r\nAbout Joshua Long\r\nJoshua Long (@theJoshMeister), formerly Intego’s Chief Security Analyst, is a renowned security researcher\r\nand writer, and an award-winning public speaker. Josh has a master’s degree in IT concentrating in Internet\r\nSecurity and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh\r\nfor discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for well over\r\n25 years, which is often featured by major news outlets worldwide. 
Source: https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/"
	],
	"report_names": [
		"osxshlayer-new-mac-malware-comes-out-of-its-shell"
	],
	"threat_actors": [],
	"ts_created_at": 1775434069,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76ed351476f33fe02bc90ef3dd32d94fd36f8c8b.pdf",
		"text": "https://archive.orkl.eu/76ed351476f33fe02bc90ef3dd32d94fd36f8c8b.txt",
		"img": "https://archive.orkl.eu/76ed351476f33fe02bc90ef3dd32d94fd36f8c8b.jpg"
	}
}