Threat Research Knowledge Base

Adload

Description

Adload is a family of adware that infects macOS systems by masquerading as legitimate software that asks the user to grant it permissions. Once installed, Adload redirects users to unwanted ads, changes browser settings, and can significantly slow the system. It also puts privacy at risk by tracking online activity and installing additional unwanted programs without user consent. Adload is sometimes dropped by the macOS malware Shlayer.

Variant Names

  • AdAgent
  • MacNist
  • Multiverse
  • SearchProxy
  • Synataeb
  • Vigram

Alternative Names

  • ResultSync
  • Climpi
  • WizardUpdate
  • Rload
  • Lador

Country of origin

Unknown

Symptoms

The following may be observed on a system affected by this threat:

  • Unexpected advertisements appearing on websites where they previously did not.
  • Browser redirects leading to unfamiliar or unwanted webpages.
  • Decreased system performance and increased resource usage.
  • New, unfamiliar applications or browser extensions installed without your consent.
  • Detections of another threat, Trojan: macOS/Shlayer, which is known to drop this threat.

Technical Breakdown

Adload is distributed through applications that pose as legitimate software. Upon execution, the malware may write LaunchAgent or LaunchDaemon property lists so that launchd starts it again at every user login (LaunchAgents) or every boot (LaunchDaemons), giving it persistence across restarts.

Recent variants of Adload have demonstrated the following behaviors:

  • Bypassing Security Measures: Many versions of Adload attempt to disable or bypass macOS's Gatekeeper protection so that unsigned or unnotarized software can be installed and run.
  • Payload Delivery: Adload often serves as a delivery mechanism for additional adware or potentially unwanted applications (PUAs), further compromising system integrity.
  • Data Collection: Adload also collects personal data and browsing history, which can then be sold to third parties.
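As an added example (not Kandji's code, not Adload's own, and not part of the original page), the following Python script parses LaunchAgent and LaunchDaemon property lists and scores them against heuristics for the persistence behaviour described above: a program run from a scratch or hidden directory, a program wrapped in an `sh -c` command, invocation of Gatekeeper or quarantine tooling from a persistence item, RunAtLoad combined with KeepAlive, and a Label that is not reverse-DNS shaped. The heuristics, the verdict threshold and the three sample plists are assumptions made for this example; the sample labels and paths are constructed and do not describe a specific Adload variant. Pointed at the live launchd directories, the same scan helps locate persistence artifacts that remain after a malicious file has been removed.

```python
"""Hunt for launchd persistence items of the kind Adload installs.

Added example for this page; not Kandji's code and not Adload's own.
Parses LaunchAgent/LaunchDaemon plists and flags ones whose program runs
from a location legitimate vendors rarely use, is wrapped in `sh -c`,
or invokes Gatekeeper/quarantine tooling. The sample plists at the bottom
are constructed for illustration only.
"""
import plistlib
import re
import shlex
from pathlib import Path
from typing import Dict, List, Tuple

# Real directories launchd loads persistence items from.
LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                "~/Library/LaunchAgents"]

# Heuristics chosen for this example (assumptions, not a vendor signature).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}
GATEKEEPER_TOOLS = {"xattr", "spctl"}          # quarantine / Gatekeeper tooling
SUSPICIOUS_PATHS = [re.compile(p) for p in (
    r"^/tmp/", r"^/private/tmp/", r"^/var/folders/",        # scratch dirs
    r"^/Users/[^/]+/Library/Application Support/\.[^/]+/",  # hidden per-user dir
    r"^/Library/Application Support/\.[^/]+/",              # hidden system-wide dir
    r"/\.[^/]+$",                                           # hidden executable name
)]
LABEL_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")  # reverse-DNS shape


def command_tokens(plist: dict) -> Tuple[List[str], bool]:
    """Return every token launchd would execute, unwrapping `sh -c "..."`.

    The second value is True when a shell wrapper was found.
    """
    tokens = [str(plist["Program"])] if plist.get("Program") else []
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    wrapped = len(args) >= 3 and args[0] in SHELLS and args[1] == "-c"
    if wrapped:
        try:
            inner = shlex.split(args[2])
        except ValueError:            # unbalanced quotes: fall back to whitespace split
            inner = args[2].split()
        args = args[:2] + inner + args[3:]
    return tokens + args, wrapped


def assess(plist: dict) -> List[str]:
    """Return human-readable reasons a launchd item looks like adware persistence."""
    reasons: List[str] = []
    tokens, wrapped = command_tokens(plist)
    if not tokens:
        reasons.append("no Program or ProgramArguments")
    if wrapped:
        reasons.append("program wrapped in a shell -c command")
    for tok in tokens:                # first suspicious path wins
        hit = next((p.pattern for p in SUSPICIOUS_PATHS if p.search(tok)), None)
        if hit:
            reasons.append(f"path {tok!r} matches {hit!r}")
            break
    tools = sorted({Path(t).name for t in tokens if Path(t).name in GATEKEEPER_TOOLS})
    if tools:
        reasons.append("invokes Gatekeeper/quarantine tooling: " + ", ".join(tools))
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad and KeepAlive both set (restarts when killed)")
    label = str(plist.get("Label", ""))
    if not LABEL_RE.match(label):
        reasons.append(f"label {label!r} is not reverse-DNS shaped")
    return reasons


def verdict(reasons: List[str]) -> str:
    """Threshold chosen for this example: two independent hits is suspicious."""
    return "suspicious" if len(reasons) >= 2 else "review" if reasons else "clean"


def scan_plist(data: bytes, source: str) -> Dict[str, object]:
    """Parse one plist (XML or binary) and score it."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:          # a plist launchd cannot parse is itself worth a look
        return {"source": source, "label": None,
                "reasons": [f"unparseable plist: {exc}"], "verdict": "review"}
    reasons = assess(plist)
    return {"source": source, "label": plist.get("Label"),
            "reasons": reasons, "verdict": verdict(reasons)}


def scan_dirs(dirs=LAUNCHD_DIRS) -> List[Dict[str, object]]:
    """Scan the live launchd directories; returns an empty list on non-macOS hosts."""
    results = []
    for d in dirs:
        p = Path(d).expanduser()
        if p.is_dir():
            for f in sorted(p.glob("*.plist")):
                results.append(scan_plist(f.read_bytes(), str(f)))
    return results


# Constructed sample plists (made-up labels and paths, not real Adload artifacts).
SAMPLE_PLISTS = {
    "com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "Program": "/Applications/Example.app/Contents/MacOS/updater",
        "RunAtLoad": True, "StartInterval": 3600}),
    "com.SearchProxy.agent.plist": plistlib.dumps({
        "Label": "com.SearchProxy.agent",
        "ProgramArguments": ["/bin/sh", "-c",
                             "'/Library/Application Support/.SearchProxy/SearchProxy' --daemon"],
        "RunAtLoad": True, "KeepAlive": True}),
    "update-helper.plist": plistlib.dumps({
        "Label": "update-helper",
        "ProgramArguments": ["/bin/sh", "-c",
                             "xattr -cr /tmp/.helper && /tmp/.helper/run"],
        "RunAtLoad": True}),
}


def scan_samples() -> Dict[str, Dict[str, object]]:
    return {name: scan_plist(data, name) for name, data in SAMPLE_PLISTS.items()}


if __name__ == "__main__":
    for r in list(scan_samples().values()) + scan_dirs():
        print(f"{r['verdict']:10} {r['source']}")
        for reason in r["reasons"]:
            print("           -", reason)
```

Run on a macOS host, the script first prints the three constructed samples (one clean, two suspicious) and then every plist in the real launchd directories; a "suspicious" live result is a candidate for `launchctl bootout` and deletion, after confirming the program it points at is not from a vendor you installed.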

Notably, certain versions of Adload written in Python have shown low detection rates among antivirus engines, a sign that its developers keep adopting new techniques to evade security software.

Next Steps

Kandji Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect.

Removing the malicious file does not undo everything it did: artifacts such as its launchd persistence items and modified browser settings can remain and need to be cleaned manually.

Going forward, avoid downloading software from torrent sites or untrusted websites. Obtain applications only from official and reputable sources to maintain system integrity and security.

Related

Bundlore is an extremely prevalent adware that targets macOS systems by bundling unwanted applications with legitimate software installers. It often masquerades as popular software updaters and installers, deceiving users into installing additional unwanted programs. Once installed, Bundlore injects advertisements into web browsers, redirects user searches, and collects sensitive browsing data. Bundlore is sometimes dropped by the macOS malware Shlayer.

Cuckoo is an info stealer that typically masquerades as macOS applications such as Homebrew and Google Chrome. Discovered by Kandji in 2024, it has been known to steal passwords as well as record audio and video from an infected system.

Shlayer is a Trojan downloader that primarily targets macOS systems, known for distributing various types of adware, including Bundlore. It is distributed through fake Flash Player updates and deceptive websites, tricking users into installing unwanted software. Once executed, Shlayer connects to command-and-control servers to download additional payloads.
