{
	"id": "8fceeb73-38da-41ed-921c-abab395f2d01",
	"created_at": "2026-04-06T00:16:43.591122Z",
	"updated_at": "2026-04-10T13:11:52.157735Z",
	"deleted_at": null,
	"sha1_hash": "c939fc8116edd4a1b56a001b6d363ad868ae5081",
	"title": "Shlayer Trojan attacks one in ten macOS users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2662583,
	"plain_text": "Shlayer Trojan attacks one in ten macOS users\r\nBy Anton V. Ivanov\r\nPublished: 2020-01-23 · Archived: 2026-04-05 23:40:53 UTC\r\nFor close to two years now, the Shlayer Trojan has been the most common threat on the macOS platform: in 2019,\r\none in ten of our Mac security solutions encountered this malware at least once, and it accounts for almost 30% of\r\nall detections for this OS. The first specimens of this family fell into our hands back in February 2018, and we\r\nhave since collected almost 32,000 different malicious samples of the Trojan and identified 143 C\u0026C server\r\ndomains.\r\nTOP 10 threats for macOS by share of users attacked, as detected by Kaspersky security solutions for macOS,\r\nJanuary – November 2019 (download)\r\nThe operation algorithm has changed little since Shlayer was first discovered, nor has its activity decreased much:\r\nthe number of detections remains at the same level as in the first months after the malware was uncovered.\r\nhttps://securelist.com/shlayer-for-macos/95724/\r\nPage 1 of 16\n\nShlayer malware detections by Kaspersky security solutions for macOS, February 2018 – November 2019\r\n(download)\r\nTechnical details\r\nDespite its prevalence, from a technical viewpoint Shlayer is a rather ordinary piece of malware. Of all its\r\nmodifications, only the recent Trojan-Downloader.OSX.Shlayer.e stands apart. Unlike its Bash-based cousins, this\r\nvariant of the malware is written in Python, and its operation algorithm is also somewhat different. Let’s\r\ndemonstrate this using a DMG file with MD5 4d86ae25913374cfcb80a8d798b9016e.\r\nFirst stage of infection\r\nAfter mounting this DMG image, the user is prompted to run an “installation” file. However, the seemingly\r\nstandard installer turns out to be a Python script, which is already atypical of macOS installation software.\r\nShlayer user guide\r\nThe directory with executable files inside the application package contains two Python scripts:\r\ngjpWvvuUD847DzQPyBI (main) and goQWAJdbnuv6 (auxiliary). The latter implements data encryption\r\nfunctions by means of a byte shift on the key named key:\r\nThe encryptText/decryptText pair of functions encrypt and decrypt strings;\r\nencryptList encrypts the contents of the list passed in the arguments; decryptList performs the inverse\r\noperation;\r\nThe getKey() function generates an encryption key based on the time in the operating system.\r\nMain script of the Trojan\r\nAuxiliary script of the Trojan\r\nNext, the main script generates a unique user and system ID, and also collects information about the version of\r\nmacOS in use. Based on this data, the GET query parameters are generated to download the ZIP file:\r\nThe ZIP archive downloaded to the /tmp/%(sessionID) directory is unpacked to the /tmp/tmp directory using the\r\nunzip function:\r\nThe ZIP archive was found to contain an application package with the executable file 84cd5bba3870:\r\nAfter unpacking the archive, the main Python script uses the chmod tool to assign the file 84cd5bba3870\r\npermission to run in the system:\r\nFor added effect, the sample copies the icon of the original mounted DMG image to the directory with the newly\r\ndownloaded application package using the moveIcon and findVolumePath functions:\r\nAfter that, the Trojan runs the downloaded and unpacked application package using the built-in open tool, and\r\ndeletes the downloaded archive and its unpacked contents:\r\nSecond stage of infection\r\nShlayer itself performs only the initial stage of the attack — it penetrates the system, loads the main payload, and\r\nruns it. The negative consequences for the user can be seen by investigating the AdWare.OSX.Cimpli family,\r\nwhich was being actively downloaded by the Trojan at the time of writing.\r\nAt first glance, the Cimpli installer looks harmless enough, simply offering to install a partner application (for\r\nexample, Any Search):\r\nBut in actual fact, Cimpli performs several actions unseen by the user. First, it installs a malicious extension in\r\nSafari, hiding the OS security notification behind a fake window drawn by the malware. By clicking on the buttons in the\r\nnotification, the user in effect agrees to install the extension.\r\nLeft: what the user sees; right: what’s really going on\r\nOne of these extensions is called ManagementMark, which we detect as not-a-virus:HEUR:AdWare.Script.SearchExt.gen. It monitors user searches and redirects them to the address\r\nhxxp://lkysearchex41343-a.akamaihd[.]net/as?q=c by injecting the script script.js in the browser pages:\r\nThe sample also loads the mitmdump tool, which is packed using PyInstaller. To allow mitmdump to view\r\nHTTPS traffic, a special trusted certificate is added to the system. This is likewise done by superimposing a fake\r\nwindow over the installation confirmation box. After that, all user traffic is redirected to the SOCKS5 proxy\r\nlaunched using mitmdump.\r\nArguments for running the packed mitmdump\r\nFrom the screenshot, it can be seen that all traffic passing through mitmdump (SearchSkilledData) is processed\r\nby the script SearchSkilledData.py (-s option):\r\nThis script redirects all user search queries to hxxp://lkysearchds3822-a.akamaihd[.]net. Kaspersky solutions\r\ndetect this script as not-a-virus:AdWare.Python.CimpliAds.a.\r\nCimpli adware thus becomes firmly anchored in the system; in the event that traffic does not pass through the\r\nproxy server, the JS code of the extension injected in the page handles the redirection of queries. The attacker\r\ngains access to the user’s search queries and can modify the search engine results to display advertising. As a\r\nresult, the user is inundated with unsolicited ads.\r\nNote that Cimpli is not the only family of adware apps that Shlayer can download. The list also includes\r\nAdWare.OSX.Bnodlero, AdWare.OSX.Geonei, and AdWare.OSX.Pirrit, which made up almost all the remaining\r\npositions in the Top 10 threats for macOS in 2019.\r\nFamily ties\r\nThe behavioral similarities between the Python version of Shlayer and earlier modifications of the family written\r\nin Bash are not hard to spot: harvesting IDs and system versions, downloading an archive to a temporary directory,\r\nexecuting the downloaded file, deleting traces of downloading — we’ve seen this course of actions before.\r\nMoreover, both modifications use curl with the combination of options -f0L, which is basically the calling card of\r\nthe entire family:\r\nTop: an old modification of the Trojan; bottom: the latest version\r\nFinding legitimate use for curl with options -f0L is not an easy task\r\nDistribution\r\nDistribution is a vital part of any malware’s life cycle, and the creators of Shlayer have taken this issue to heart.\r\nLooking for the latest episode of your favorite TV show? Want to watch a live broadcast of a soccer match? Then\r\ntake extra care, since the chances of a run-in with Shlayer are high.\r\nExamples of Shlayer landing pages\r\nWe noticed at once several file partner programs in which Shlayer was offered as a monetization tool. Having\r\nanalyzed various offers, we identified a general trend: Shlayer stands out from the field for the relatively high\r\ninstallation fee (though only installations performed by U.S.-based users count). The prospect of a juicy profit\r\nlikely contributed to the popularity of the offer (we counted more than 1000 partner sites distributing Shlayer).\r\nDescription of the offer on a partner program website\r\nIn most cases, it was advertising landing pages that brought users to the next stage of the distribution chain —\r\nnicely crafted fake pages prompting users to install the malware under the veil of a Flash Player update. This is\r\nprimarily how the Trojan-Downloader.OSX.Shlayer.a modification was distributed.\r\nFake Flash Player download page\r\nThe version of Trojan-Downloader.OSX.Shlayer.e discussed above was propagated in a slightly different way.\r\nSimilar to the previous scheme, users ended up on a page seemingly offering an Adobe Flash update. But they\r\nwere redirected there from large online services boasting a multimillion-dollar audience. Time and again, we have\r\nuncovered links pointing to malware downloads in the descriptions of YouTube videos:\r\nAnother example is links to Shlayer distribution pages contained in the footnotes to Wikipedia articles:\r\nThese links were not added by the cybercriminals themselves: we found that all those malicious domains had\r\nrecently expired, and, judging by the WHOIS data, they now belong to a single individual. On the websites, the\r\nnewly minted owner posted a malicious script that redirects users to Shlayer download landing pages. There are\r\nalready over 700 such domains in total.\r\nOur statistics show that the majority of Shlayer attacks are against users in the U.S. (31%), followed by Germany\r\n(14%), France (10%), and the UK (10%). This is wholly consistent with the terms and conditions of partner\r\nprograms that deliver the malware, and with the fact that almost all sites with fake Flash Player download pages\r\nhad English-language content.\r\nGeographic distribution of users attacked by the Shlayer Trojan, February 2018 – October 2019 (download)\r\nConclusion\r\nHaving studied the Shlayer family, we can conclude that the macOS platform is a good source of revenue for\r\ncybercriminals. The Trojan links even reside on legitimate resources — attackers are adept in the art of social\r\nengineering, and it is hard to predict how sophisticated the next deception technique will be.\r\nKaspersky solutions detect Shlayer and its artifacts and download pages with the following verdicts:\r\nHEUR:Trojan-Downloader.OSX.Shlayer.*\r\nnot-a-virus:HEUR:AdWare.OSX.Cimpli.*\r\nnot-a-virus:AdWare.Script.SearchExt.*\r\nnot-a-virus:AdWare.Python.CimpliAds.*\r\nnot-a-virus:HEUR:AdWare.Script.MacGenerator.gen\r\nIOCs:\r\n4d86ae25913374cfcb80a8d798b9016e\r\nfa124ed3905a9075517f497531779f92\r\n594aa050742406db04a8e07b5d247cdd\r\nMalicious links:\r\nhxxp://80.82.77.84/.dmg\r\nhxxp://sci-hub[.]tv\r\nhxxp://kodak-world[.]com\r\nC\u0026C Urls:\r\nhxxp://api.typicalarchive[.]com\r\nhxxp://api.entrycache[.]com\r\nhxxp://api.macsmoments[.]com\r\nSource: https://securelist.com/shlayer-for-macos/95724/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/shlayer-for-macos/95724/"
	],
	"report_names": [
		"95724"
	],
	"threat_actors": [],
	"ts_created_at": 1775434603,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c939fc8116edd4a1b56a001b6d363ad868ae5081.pdf",
		"text": "https://archive.orkl.eu/c939fc8116edd4a1b56a001b6d363ad868ae5081.txt",
		"img": "https://archive.orkl.eu/c939fc8116edd4a1b56a001b6d363ad868ae5081.jpg"
	}
}