While it does not boast any special or complex installation tactics, Shlayer’s distribution vector has made it a tremendous success - the malware has been the most prevalent macOS strain since its debut two years ago, never falling off its leading spot. Shlayer uses a well-known infection tactic – clicking a bad link directs the victim to a fake Adobe Flash update.

To distribute the malicious links, though, the threat actors behind the malware have taken a more creative (and very effective) approach. The criminals use an affiliate marketing model, paying owners of various websites and YouTube accounts, as well as Wikipedia editors, to display the links on their pages. Since its beginning, Shlayer has worked with more than 1,000 partner sites, and according to Kaspersky, 10% of the machines running its software have been affected by Shlayer at least once.

After Shlayer has penetrated the victim’s machine, the malware downloads second-stage adware. Although it has been seen downloading a variety of adware variants, the AdWare.OSX.Cimpli family has starred in a recent campaign. Cimpli tricks the user into installing a malicious Safari extension called ManagementMark, which monitors the victim’s browsing and traffic. Using this extension, the attackers can also control and change the search results shown to the victim.

So far, adware seems to be Shlayer’s main focus, but the possibilities for this downloader are much greater. With the growth of successful macOS malware variants in the past few years, it seems that Shlayer is a threat worth watching closely.


If you’re already a ThreatSTOP user, you’re protected against Shlayer in our TS Originated - Core Threats - IPs and TS Originated - Core Threats - Domains targets.


If you’re interested in learning more about how ThreatSTOP protects you against Shlayer and other malware loaders, check us out below. Try us out for 14 days free, request a quick demo or just see what we’re about.
