New Adload malware bypasses Apple’s XProtect to infect macOS devices
Old malware retooled to evade Apple defenses


Security researchers have found a new Adload malware variant targeting Apple devices.
Researchers at Sentinel Labs observed over 150 unique samples as part of a new campaign that remains undetected by Apple’s on-device malware scanner.
The AdLoad malware initially surfaced in 2017 but has evolved over the years to evade detection by Apple’s XProtect security system. In 2019, Apple had some partial protection against its earlier variants, but there were no updates to cover the then-new 2019 variant.
AdLoad is a type of adware that redirects a user’s web traffic through the attacker’s preferred servers. The aim is to hijack and redirect user’s web browsers for monetary gain.
Researchers said the 2019 and 2021 AdLoad variants used persistence and executable names that followed a consistent pattern. In 2019, that pattern included some combination of the words “Search,” “Result,” and “Daemon,” such as “ElementarySignalSearchDaemon”.
The latest version uses a different pattern that primarily relies on a file extension that is either .system or .service. The file extension used depends on the location of the dropped persistence file and executable as described below. Still, typically .system and .service files will be found on the same infected device if the user gave privileges to the installer.
With or without privileges, AdLoad will install a persistence agent in the user’s Library LaunchAgents folder.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
RELATED RESOURCE
Researchers said they have found around 50 unique label patterns, each having a .service and a .system version. “Based on our previous understanding of AdLoad, we expect there to be many more,” they added.
Further investigations have found more than 150 unique samples in this year’s campaigns. Researchers noted there appears to have been a sharp uptick throughout July and the early weeks of August 2021. Researchers said a single sample of this variant was documented by analysts at Confiant, who described the malware’s string decryption routine.
“It certainly seems possible that the malware developers are taking advantage of the gap in XProtect, which itself has not been updated since a few weeks after Confiant’s research over two months ago. At the time of writing, XProtect was last updated to version 2149 around June 15th – 18th,” researchers said.
“The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices,” researchers concluded.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
Why Microsoft thinks diversity will keep security workers relevant in the age of agentic AI
News Improved AI skills and a greater focus on ensuring agents are secure at point of deployment will be key for staying ahead of attackers
By Rory Bathgate
-
Microsoft: get used to working with AI-powered "digital colleagues"
News Tech giant's report suggests we should get ready to work with AI, revealing future trends for the workplace
By Nicole Kobie
-
Common malware slipped past the macOS notarization process twice
News Apple immediately revoked the notarization, but the adware slipped through again
By Justin Cupler
-
Researchers blast Swedish developer WakeNet AB for ‘deceptively’ spreading adware
News Bad actors are using tools like 'embed movie' to coax victims into installing software that house adware
By Keumars Afifi-Sabet
-
Zacinlo malware threatens Windows 10 PCs' security
News Malware takes screenshots of users' desktops, and has been operating silently for six years
By Keumars Afifi-Sabet
-
Lenovo vows to cut bloatware after Superfish
News The company says it will drop adware after its Superfish debacle left customer data at risk
By Clare Hopping
-
Facebook warns of new Superfish threat
News The fake security certificate used by the Lenovo-installed adware can be re-used by hackers, says social network
By Joe Curtis
-
Yahoo serves up New Year malware to European customers
News Malicious adverts infect users’ computers.
By Jane McCallion
-
Malwarebytes flags fake Flash update
News Unusual and inappropriate ads injected into websites.
By Jane McCallion
-
File sharing infects 500,000 computers
News McAfee reveal details on what it calls the most significant malware outbreak since 2005, as peer-to-peer networks look under threat.
By Asavin Wattanajantra