
Shutting Down OSX/Shlayer

Tony Lambert

Shlayer is a piece of malware that exclusively targets macOS systems. It has been circulating since at least February 2018, primarily masquerading as an Adobe Flash Player update, although it occasionally mimics other application installers as well.

These fake installers are delivered mostly through peer-to-peer torrent sites and malvertising. Once Shlayer infects a host, it attempts to install adware, including “OSX/MacOffers” (also known as “AdLord” or “Mugthesec”) and “OSX/Bundlore.”

Mitigation Techniques

While a lot has been written about Shlayer, there is little good information about how security teams can remove it from their environments. Shlayer may look like a straightforward vehicle for delivering adware, but we have learned through experience (and anecdotally from customers) that it can be difficult to remove. Beyond that, Shlayer infections are commonplace in environments with a heavy macOS presence, so it is safe to assume that many organizations are struggling with it.

The difficulty stems from the fact that Shlayer ultimately delivers strains of adware that establish persistence in a variety of ways, so there is no one-size-fits-all guidance for remediation and removal. Instead, we are releasing information you can use to detect Shlayer and its associated adware if either has gained a foothold in your environment, and to respond accordingly.
