{
	"id": "1aed82cc-73fb-4d78-887f-42c9d6411768",
	"created_at": "2026-04-06T00:07:48.06074Z",
	"updated_at": "2026-04-10T03:20:59.387003Z",
	"deleted_at": null,
	"sha1_hash": "f1c474b335fc6ecff41e4f1d60b1ceed921ead5e",
	"title": "Shlayer malware abusing Gatekeeper bypass on macOS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1144699,
	"plain_text": "Shlayer malware abusing Gatekeeper bypass on macOS\r\nBy Jaron Bradley, Stuart Ashenbrenner, Ferdous Saljooki\r\nArchived: 2026-04-05 22:53:46 UTC\r\nApril 26 2021\r\nIn a recent blog post, Objective-See covered that prior to macOS 11.3, an attacker could craft a fake application bundle using a script as the primary executable, allowing them to bypass File Quarantine, Gatekeeper and Notarization on the macOS platform. All of these are technologies in place to prevent unapproved software from running on macOS.\r\nTo make the situation more urgent, the Jamf Protect detections team observed this exploit being used in the wild by a variant of the Shlayer adware dropper. The variant observed has strong ties to a sample previously written about by Intego Security. In fact, both malware samples are nearly identical. The major difference, in this case, is that the variant has been repackaged to use the format necessary for carrying out the Gatekeeper bypass vulnerability. The Jamf Protect detection team identified samples found to be abusing this vulnerability as early as January 9th, 2021.\r\nThe details behind how the vulnerability can be abused by attackers are:\r\n1. An attacker manually crafts an application bundle by using a script as the main executable (example: myapplication.app/Contents/MacOS/myapplication where “myapplication” is a bash script). For this to work, the script name must match the application name and they must not create an Info.plist file.\r\n2. The application can then be placed in a dmg for distribution.\r\n3. When the dmg is mounted and the application is double-clicked, the combination of a script-based application with no Info.plist file executes without any quarantine, signature or notarization verification. This will work on any system running macOS versions 10.15 to 11.2.\r\nPrevious variants of this malware are known to spread via poisoned search engine results, and this variant is no exception. This is an approach where the malicious actors spreading the malware create web pages with content tailored to appear in search results for common queries, or hijack legitimate websites without the knowledge of the owner. Since most search engines automate indexing and ranking, this leads to them inadvertently publishing links to the malicious or hijacked sites hosting malware. In a real-world example, users could potentially stumble upon malware when searching for any commonly used terms. The following is an example of a user searching for “Alexa and Disney” on Google Search in April 2021.\r\nhttps://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/\r\nPage 1 of 7\r\nScreenshot of Google results when searching “alexa and disney” taken by Jamf on April 12, 2021.\r\nBy clicking on a compromised result, in this case the highlighted link above, the user is redirected to a new webpage asking them to download an unsolicited software application that looks similar to a real alert to update out-of-date software. This of course is not something specific to Amazon, Disney, or Google, but rather malicious actors abusing search engine indexing and/or compromising web pages.\r\nScreenshot of fake installer taken by Jamf on April 12, 2021. Adobe Flash Player reached End of Life on 12/31/2020.\r\nAn older variant of the Shlayer malware would deliver a dmg file that held a system link to a shell script. This shell script would have an installer logo attached to it, giving the user the appearance of legitimacy. The mounted dmg also provided instructions to right-click the file and select “Open”, in an attempt to convince the user to install the malicious application. And while executing the file in this manner is allowed by Apple’s design, a consequence of this method is that applications, both trusted and malicious, can be opened while bypassing Gatekeeper’s checks altogether, leading in this instance to infecting the Mac.\r\nThe old variant of Shlayer attempting to convince a user to right-click and open the malware.\r\nThis newly found variant no longer requires the right-click method, since the malware comes packaged in the format required to abuse CVE-2021-30657.\r\nThe new Gatekeeper bypass step-by-step\r\nAfter mounting the dmg and opening the installer, the user is shown the following application:\r\nOn further investigation of the application’s layout, more detail is revealed.\r\nThe image displayed to the user after mounting the DMG appears to be the “Install” file. In actuality, it is just a system link that points to the 1302.app application bundle, which is the malicious application itself. By double-clicking the “Install” image in Figure C, the system actually executes 1302.app, where 1302.app/Contents/MacOS/1302 is just a bash script.\r\nDue to the file path layout in which this script is set up, double-clicking the install icon executes the script held within 1302.app and bypasses the checks performed by Gatekeeper, described in further detail in CVE-2021-30657.\r\nAdditional malware behaviors\r\nAs mentioned previously, the contents of the bash script itself have been seen in variants of this malware before. The script begins by invoking the “mktemp -t Installer” command to create a unique filename. In this case, “Installer.XXXXXXXX” is created in a temporary directory. The trailing “X’s” in the filename are automatically generated using the current process number and/or a letter combination unique to this file instance.\r\nTruncated Output of Bash Script Contained Within 1302.app\r\nIn a clever attempt to mask its presence from detection, the malware hides a zipped executable at the bottom of the script itself, as seen above in Figure E.\r\nA secondary command, “tail -c 58853 $0 | funzip -1uD9jgw \u003e ${TEMP_NAME}”, performs the following actions:\r\ntail - Take the last 58853 bytes of the running script.\r\nfunzip - Treat those bytes as a zip file and unzip it using the supplied password.\r\n\u003e ${TEMP_NAME} - Write the newly unzipped file to disk at the aforementioned temp file location.\r\nThe unzipped executable file is invoked with the command “nohup”, which instructs the process to ignore any HUP, or hangup, signals. This is often used by attackers to run programs in the background. The final unzipped payload is a sample of the Bundlore adware, but this final payload may vary across different Shlayer samples.\r\nPatched by Apple\r\nApple has patched this vulnerability in the 11.3 version of macOS. When this same malware is executed on a patched version of macOS, the user will see a pop-up message stating that the software “cannot be opened because the developer cannot be identified.” Since the malicious application is not notarized or signed with a valid developer’s certificate, the message will prompt the user to eject the mounted DMG containing the app bundle.\r\nConclusion\r\nShlayer continues to reintroduce itself with innovative ways to infect macOS-based systems. Jamf Protect provides behavioral analytics to detect built-in scripting languages being executed as though they are app bundles. This should help users discover malware abusing this technique on Mac computers running macOS versions prior to 11.3, as well as other suspicious applications. Jamf Protect defends against known malware samples of Shlayer, including the adware variants that it drops. Jamf recommends users “patch fast and patch often” to keep their Mac up-to-date by upgrading macOS to version 11.3, which is available now through the Mac App Store and provides the latest protection against the vulnerabilities discussed in this article.\r\nIndicators of Compromise\r\nFile Hashes:\r\nAdobeFlashPlayer.dmg → 55869270ed20956e5c3e5533fb4472e4eb533dc2\r\n1302.app/Contents/MacOS/1302 → 085a136c03f8b024a173068768c67b1a5ad928c1\r\nBundlore Dropped Executable → 20ac95c44549710a434902267394525333e96c0b\r\nDomains Serving Malware:\r\nhxxps://supportversion[.]yourlinkforplaceforupgrading[.]info\r\nAdditional coverage of this and Apple's bug bounty program may be found at The Washington Post.\r\nSource: https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/"
	],
	"report_names": [
		"shlayer-malware-abusing-gatekeeper-bypass-on-macos"
	],
	"threat_actors": [],
	"ts_created_at": 1775434068,
	"ts_updated_at": 1775791259,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1c474b335fc6ecff41e4f1d60b1ceed921ead5e.pdf",
		"text": "https://archive.orkl.eu/f1c474b335fc6ecff41e4f1d60b1ceed921ead5e.txt",
		"img": "https://archive.orkl.eu/f1c474b335fc6ecff41e4f1d60b1ceed921ead5e.jpg"
	}
}