Shlayer is a piece of malware that exclusively targets macOS systems. It’s been making the rounds since at least February 2018, primarily by masquerading as an Adobe Flash Player update, although it occasionally mimics other application installers as well.
These fake installers are mostly being delivered by peer-to-peer torrent sites and via malvertising. Once Shlayer infects its host, it attempts to install adware, including “OSX/MacOffers” (aka “AdLord” or “Mugthesec”) and “OSX/Bundlore.”
While a lot has been written about Shlayer, there is a lack of good information about how security teams can remove it from their environments. Shlayer may seem like a relatively straightforward vehicle for delivering adware. However, we’ve learned through experience (and anecdotally from customers) that it can be difficult to remove. Beyond that, Shlayer infections are commonplace in environments with a heavy macOS presence, so it’s safe to assume that many organizations are struggling with Shlayer.
To that point, Shlayer ultimately delivers strains of adware that establish persistence through a variety of means. Given this, there is no one-size-fits-all guidance for remediation and removal. As such, we’re releasing information that you can use to detect—and respond accordingly—if Shlayer or any associated adware has gained a foothold in your environment.