{
	"id": "c639fac1-9bbf-41a9-acc2-4957ac1487c3",
	"created_at": "2026-04-06T00:11:22.368731Z",
	"updated_at": "2026-04-10T13:11:39.579694Z",
	"deleted_at": null,
	"sha1_hash": "9b1b34c86d2f929c2b8e428c5661268be1254ae8",
	"title": "Shlayer Malware: Continued Use of Flash Updates | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 914250,
	"plain_text": "Shlayer Malware: Continued Use of Flash Updates | CrowdStrike\r\nBy Aspen Lindblom - Joseph Goodwin - Chris Sheldon\r\nArchived: 2026-04-05 16:05:40 UTC\r\nMalvertising campaigns delivering Shlayer malware for macOS are still ongoing, despite the patching of a critical zero-day vulnerability (CVE-2021-30657) abused for months to compromise victims by dodging built-in OS protections such as Gatekeeper and also bypassing File Quarantine and Application Notarization. Recent Shlayer malvertising campaigns have gone back to using fake Flash updates and social engineering tactics to trick victims into manually installing the macOS malware and compromising their systems. Although Flash Player reached end of life for macOS as of Dec. 31, 2020, this has not stopped Shlayer operators from continuing to abuse it. Shlayer operators may not be using a zero-day vulnerability anymore, but they’re still resourceful.\r\nMalvertising and How It Works\r\nAs the internet has grown, so have the avenues it can be used to abuse end users. Websites now exist whose sole purpose is to redirect the end user to advertisements. Attackers have taken advantage of this by aggressively redirecting users to malicious content. Although these domains are often taken down very quickly, some attackers have found ways to stay under the radar by serving both legitimate and malicious advertisements, also known as malvertisements. In these cases, the attacker can decide whether you are redirected to malicious or non-malicious sites depending on a few factors such as your user-agent, IP address and whether this is your first visit to the site. Your user-agent is a way of identifying the browser, browser version and operating system. This allows the web server to render the site differently based on the browser and operating system you are using. 
For example, if you’re on macOS using Chrome you could be sent to non-malicious websites associated with the attacker’s ad network, further generating ad revenue by falsely clicking on ad links through redirects. However, if you visit the same initial domain on a different browser (e.g., Safari) you will be redirected to the malicious website. In most cases, after the initial visit to the malicious domain, any additional visits will redirect to a parked domain. Domain parking allows for monetization to occur while the domain is “under construction,” giving the domain owner the ability to display links from ad affiliates. These schemes range from attempting to trick you into calling “Technical Support” to remove a virus to tricking you into installing “Adobe Flash Player” after it “detects” that your machine is running an out-of-date version.\r\nMeet the macOS Shlayer\r\nShlayer, discovered in 2018, is constantly maintained and also evolving. The graph below is representative of Shlayer continually being a go-to piece of malware that attackers use to compromise the victim's machine. We observed an uptick in Shlayer detections occurring before the release of CVE-2021-30657 (the Gatekeeper bypass) that was being exploited by Shlayer. This vulnerability was subsequently patched on April 26, 2021. However, even without exploiting a zero-day, the data suggests that Shlayer is still a popular tool used to infect a machine. Although our telemetry registered a drop in detections after the vulnerability was addressed, Shlayer operators resumed their campaigns days after, driving home the fact that it continues to evolve and it is constantly maintained.\r\nhttps://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/\r\nPage 1 of 8\r\nFigure 1. 
Shlayer detections, April-June 2021\r\nThe largest number of Shlayer detections started in the second half of April 2021, with peaks on April 13, April 15 and April 21, coinciding with Shlayer using the CVE-2021-30657 vulnerability. The release of a patch for CVE-2021-30657 led to an immediate drop in Shlayer detections. However, in less than one month, Shlayer operators quickly adapted to overcome the patch addressing the exploited vulnerability and have gone back to old habits (fake Flash updates and social engineering tactics). The most common method of Shlayer’s distribution is through malvertisements that redirect Safari users to sites displaying an alert about an out-of-date Adobe Flash Player. An example of a recent and ongoing malvertising campaign involves approvedfornext\u003c.\u003ecom, which redirects Safari users to a site that displays this out-of-date Adobe Flash Player alert (see below).\r\nFigure 2. Fake Adobe Flash Player update popup\r\nOnce the user clicks on this fake software update popup, Shlayer is then downloaded and mounted on the victim's machine. However, it still needs to be installed, which is where the attacker relies on the user's inability to spot the threat by leveraging social engineering tactics. To help increase the chances that the user will install this on the machine, the .dmg file displays easy-to-follow, step-by-step instructions on how they can do this, as shown in the image below.\r\nFigure 3. Social engineering the user into installing Shlayer\r\nThis is actually an image file that is hidden in the .dmg, and the Install icon is an alias. 
The image attempts to hide that from the unsuspecting user, but taking a peek under the hood will reveal this information.\r\nFigure 4. Using “ls -la” command to display hidden files and folders in the .dmg\r\nThe Install alias is pointing to Install.command, a script located in a hidden folder conveniently named .hidden. Install.command will execute as the user follows the instructions. To understand what occurs during the installation, the contents of the .hidden folder and Install.command files will need to be reviewed. The contents of this .hidden folder can be seen below.\r\nFigure 5. Using “ls -la” command to display files in the .hidden folder\r\nThere is another file in the .hidden folder. Looking at the script provides clues as to what will happen next.\r\nFigure 6. Contents of Install.command script\r\nThe script contains a simple substitution cipher with Base64 encoding and AES encryption. 
Breaking down the script will make it easier to understand what actions will be performed by the script:\r\n- The first line of the script initializes and assigns letters to 10 variables that will be used by the substitution cipher to decode part of the command seen in the decryptedFommand variable and nohup command.\r\n- The appDir variable will be set to /Volumes/Install/.hidden.\r\n- The tmpDir variable will be set to the temporary directory in /tmp created by mktemp -d.\r\n- The binFile variable will be set to the name of the only other file located in the .hidden directory, uaQf9bkKsOGo, but will be reversed to oGOsKkb9fQau.\r\n- The archive variable will be set to uaQf9bkKsOGo.\r\n- The commandArgs variable contains a Base64-encoded and AES-encrypted command.\r\n- decryptedFommand will echo commandArgs and pipe it to openssl in order to decode and decrypt the command. The decrypted command will be:\r\nFigure 7. decryptedFommand decrypted\r\nThe decrypted command is then passed to nohup, a utility that will invoke a command immune to hangup signals, with a substitution cipher that decodes to the following:\r\nFigure 8. Nohup decrypted\r\nThis will allow the decrypted command to continue to run until it is completed, even if the user logs off. Breaking down the command, it will decode and decrypt uaQf9bkKsOGo, saving it to the temporary directory created in /tmp as oGOsKkb9fQau. The “xattr -c” command will clear all extended attribute flags from the temporary directory, including the com.apple.quarantine flag that is added to all downloaded files. Clearing the quarantine flag allows the file to avoid notarization and Gatekeeper. The chmod command will grant read, write and execute permissions to the file, followed by the file getting executed and the temporary folder getting deleted. 
Lastly, the Install.command script will terminate all running Terminal processes. The file dropped from Shlayer’s Install.command script, oGOsKkb9fQau, is a Mach-O executable file known as Bundlore — adware that, amongst other things, will drop more adware families on the infected machine affecting your device’s performance and security.\r\nFalcon Coverage\r\nThe CrowdStrike Falcon® sensor takes a layered approach to detect Shlayer using machine learning (ML) and behavioral-based detections (i.e., indicators of attack, or IOAs) to protect customer endpoints. Here are the recommended prevention policies that offer protection against Shlayer:\r\n- Enhanced Visibility: Script-Based Execution Monitoring\r\n- Cloud Machine Learning\r\n- Sensor Machine Learning\r\n- Quarantine\r\n- Execution Blocking: Suspicious Processes\r\n- Execution Blocking: Intelligence-Sourced Threats\r\nIOCs\r\nIndicator Type | Value | Description\r\nDOMAIN | | Domains seen in malvertisement campaigns distributing Shlayer\r\nSHA256 | 9ceea14642a1fa4bc5df189311a9e01303e397531a76554b4d975301c0b0e5c8 | Install.dmg\r\nSHA256 | ea86178a3c0941fd6c421c69f3bb0043b768f68ed84ecb881ae770d7fb8e24ed | Install.command script\r\nSHA256 | f3400c0a90d0abdff49cfe61804eb0ca80325bf84bbce4dc6e2796843ccebb0f | uaQf9bkKsOGo; Encrypted Bundlore executable\r\nSHA256 | bb947b2d55580e9e4593957a58163049b0f27313ba5df363801698fadde63426 | oGOsKkb9fQau; Decrypted Bundlore executable\r\nMITRE ATT\u0026CK Framework\r\nThe following table maps reported Shlayer and Bundlore TTPs to the MITRE ATT\u0026CK® framework.\r\nTactic | Technique | Description\r\nInitial Access | Phishing (T1566) | Shlayer uses social engineering to trick users into running the installer.\r\nInitial Access | Hidden Files and Directories (T1564.001) | Shlayer installer contains hidden files and folders.\r\nInitial Access | User Execution: Malicious File (T1204.002) | Shlayer relies on users mounting and executing a malicious .dmg file.\r\nExecution | Hide Artifacts: Hidden Files and Directories (T1059.004) | Shlayer executes a Bash script located in a hidden folder that contains a hidden binary file.\r\nDefense Evasion | Masquerading: Match Legitimate Name or Location (T1036.005) | Shlayer masquerades as Adobe Flash installer.\r\nDefense Evasion | Deobfuscate/Decode Files or Information (T1140) | Shlayer uses Base64 and AES to decrypt and decode payloads to /tmp folder.\r\nDefense Evasion | File and Directory Permissions Modification (T1222.002) | Shlayer uses chmod and xattr to change file and folder permissions.\r\nDefense Evasion | Subvert Trust Controls: Gatekeeper Bypass (T1553.001) | Newer variants of Shlayer exploit CVE to bypass Gatekeeper.\r\nAdditional Resources\r\nSee how the powerful, cloud-native CrowdStrike Falcon® platform protects customers from DarkSide and REvil ransomware in these blogs: DarkSide Goes Dark: How CrowdStrike Falcon® Customers Were Protected and How CrowdStrike Falcon® Stops REvil Ransomware Used in the Kaseya Attack.\r\nGet a full-featured free trial of 
CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/"
	],
	"report_names": [
		"shlayer-malvertising-campaigns-still-using-flash-update-disguise"
	],
	"threat_actors": [],
	"ts_created_at": 1775434282,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b1b34c86d2f929c2b8e428c5661268be1254ae8.pdf",
		"text": "https://archive.orkl.eu/9b1b34c86d2f929c2b8e428c5661268be1254ae8.txt",
		"img": "https://archive.orkl.eu/9b1b34c86d2f929c2b8e428c5661268be1254ae8.jpg"
	}
}