![\"Mac](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/02\/Mac-macOS-OSX-malware-on-iMac-ghostly-figure-with-python-600x350-1.jpg\")
<\/p>\n<\/p>\n
For the past couple years, there has been a plethora of discussion around stealer malware that infects Macs<\/a>. But other malware families, and categories of malware including potentially unwanted apps (PUA), remain common on Macs, too. Take, for example, the OSX\/Adload<\/strong> adware.<\/p>\n We’ve been discussing Adload on The Mac Security Blog for close to a decade, and it still hasn’t gone away. Over the past week, our researchers have been taking another look at some recent Adload samples. Here’s what we’ve discovered.<\/p>\n In this article:<\/em><\/p>\n Historically, Adload adware has been distributed via Trojan horses. For example, it used to masquerade as Flash Player installers<\/a>. Later, UpdateAgent and its successor WizardAgent<\/a> distributed Adload as an additional payload. (See all articles mentioning Adload<\/a>.)<\/p>\n While examining recent variants of OSX\/Adload, we observed that most compiled Mach-O (native Mac executable app) files typically have a detection rate of roughly between one-third to one-half of the antivirus engines on VirusTotal, a multi-engine file scanning site. This is a fairly common detection rate for Mac malware in general. Recent Adload samples are typically self-signed with an ad-hoc signature.<\/p>\n But when assessing Adload’s decompiled Python code, we noticed that none of the 60+ engines on VirusTotal detected the decompiled Adload Python sample<\/strong> (see the Furthermore, only one of the 96 domain reputation tools that VirusTotal uses<\/strong> detects the infection vector site’s domain ( This suggests that, with little effort from the adware’s developers or distributors, OSX\/Adload may be able to infect many Macs\u2014potentially even if they have certain popular third-party antivirus software installed.<\/p>\n That underscores the need for users to remain vigilant when downloading apps online; even clicking on links in Google results often leads to malware<\/a>. Using a trusted, Mac-focused anti-malware suite\u2014like Intego’s Mac Premium Bundle, which includes VirusBarrier\u2014is also an essential part of keeping your Mac safe from harmful files and potentially dangerous software.<\/a><\/p>\n If you use Intego VirusBarrier, you’re already protected from this adware. Intego detects these samples as OSX\/Adload.ext<\/strong> and Python\/Adload<\/strong>.<\/p>\n If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection<\/a>. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sequoia.<\/p>\n One of VirusBarrier’s unique features is that it can scan for malicious files on an iPhone, iPad, or iPod touch<\/a> in user-accessible areas of the device. To get started, just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.<\/p>\n If you use a Windows PC, Intego Antivirus for Windows<\/strong><\/a> can keep your computer protected from malware.<\/a><\/p>\n Following are SHA-256 hashes of adware samples related to this OSX\/Adload campaign:<\/p>\n This adware campaign has leveraged the following domain as an infection vector:<\/p>\n Network administrators can check logs to try to identify whether any computers may have attempted to contact the subdomain above, or its parent domain, which could indicate a possible infection.<\/a><\/p>\n Other antivirus vendors’ names for this Adload adware may include variations similar to the following:<\/p>\n A Variant Of OSX\/TrojanDownloader.Adload.AE, AdLoad (PUA), Adloadr (PUA), Adware:MacOS\/Adload.D!MTB, Adware:MacOS\/Multiverze, Adware.ADWARE\/AVA.Agent.rhafu, Adware.ADWARE\/OSX.AVI.Adload.rajvu, Adware.MAC.AdLoad.AQF (B), Adware.MAC.Agent.BG (B), Adware.Mac.Cimpli.10, Adware.OSX.Adload.2!c, Adware.OSX.Agent.2!c, Adware.OSX.Cimpli.2!c, Adware\/Adload!OSX, ADWARE\/AVA.Agent.rhafu, Adware\/Cimpli!OSX, Adware\/OSX.Adload.d, ADWARE\/OSX.AVI.Adload.rajvu, Downloader.AdLoad\/OSX!1.D942 (CLASSIC), Gen:Variant.Adware.MAC.Adload.15 (B), Gen:Variant.Adware.MAC.Lador.1 (B), Gen:Variant.Application.MAC.Adload.8 (B), HEUR:Trojan-Downloader.OSX.AdLoad.gen, HEUR:Trojan-Downloader.OSX.Agent.ab, HEUR:Trojan-Downloader.OSX.Lador.a, HEUR:Trojan-Downloader.Python.Agent.af, HEUR:Trojan-Dropper.OSX.Agent.s, Linux.Siggen.5031, Mac.DownLoad.11, Mac.Trojan.AdLoad.4, Macho.adware.adload, Macho.downloader.adload, Macho.trojan.adload, Macho.unknown.adload, MacOffers, macOS:Adload-AM [Trj], MacOS:Adload-AX [Adw], MacOS:Adload-CV [Drp], MacOS:Agent-AHI [Trj], MacOS:Agent-MX [Trj], MacOS:Agent-PP [Adw], MacOS:Downloader-BS [Drp], MacOS\/Adload.A.gen!Camelot, MacOS\/Agent.A.gen!Camelot, MacOS\/Agent.B.gen!Camelot, Malware.OSX\/Adload.jleie, Malware.OSX\/Agent.ipwvv, Malware.OSX\/AVI.Adload.avslq, Malware.OSX\/AVI.Agent.gczrk, Malware.OSX\/AVI.Downloader.beswh, Malware.OSX\/Dldr.Adload.ergvp, Malware.OSX\/GM.Adload.OC, Malware.OSX\/GM.Agent.TR, Malware.OSX\/GM.Downloader.TM, MaxOfferDeal, Mughthesec (PUA), Not-a-virus:HEUR:AdWare.OSX.Agent.al, OSX.AdLoad!g1, Osx.Adware.Adload-9885354-2, Osx.AdWare.Agent.Hajl, Osx.Trojan-Downloader.Adload.Anhl, Osx.Trojan-Downloader.Agent.Hjgl, Osx.Trojan-Downloader.Lador.Wimw, Osx.Trojan.Adload.Fflw, Osx.Trojan.Agent.Qwhl, Osx.Trojan.Dldr.Bujl, Osx.Trojan.Gm.Rqil, OSX\/Adload.AX!tr.dldr, OSX\/Agent.BQ!tr, OSX\/Dldr.Adload.pgzct, OSX\/Dwnldr-AASO, OSX\/TrojanDownloader.Adload.AK, Password-Stealer ( 0040f4f11 ), Python:Downloader-AJ [Drp], RDN\/Generic.osx, Static AI – Malicious Mach-O, Static AI – Suspicious Mach-O, Trojan-Downloader.OSX.Adload, Trojan-Downloader.OSX.Agent.ad, Trojan:MacOS\/Lador.B!MTB, Trojan:MacOS\/Multiverze, Trojan.Adware.MAC.Adload.22, Trojan.Adware.MAC.Lador.1, Trojan.Application.MAC.Adload.8, Trojan.MAC.Adload.AM (B), Trojan.OSX.Adload.4!c, Trojan.OSX.Agent.4!c, Trojan.OSX.Lador.a!c, Trojan[downloader]:MacOS\/Adload.AH, TrojanDownloader:MacOS\/Adload.B!MTB, TrojanDownloader:MacOS\/SAgnt.C!MTB, TrojanDropper:MacOS\/Lador.K!MTB, Unix.Malware.Lador-9884300-0, Unix.Malware.Macos-9882334-0, Win32.Trojan-Downloader.Agent.Edhl<\/span><\/a><\/p>\n Be sure to also check out our 2025 Apple malware forecast<\/a> and our previous Mac malware articles<\/a> from 2025 and earlier.<\/p>\n You can also subscribe to our e-mail newsletter<\/strong><\/a> and keep an eye here on The Mac Security Blog<\/strong><\/a> for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Intego\u2019s malware research team has taken a closer look at OSX\/Adload adware samples, and found that decompiled Python scripts seem to be undetected by most antivirus vendors.<\/p>\n","protected":false},"author":14,"featured_media":103113,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190],"tags":[86,4625],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\n\t\n\t\n\t\n\n
What’s new with OSX\/Adload?<\/h3>\n
6eb4433f\u2026<\/code> file in the IOCs section<\/a> below). To be clear, that doesn’t necessarily mean that all<\/em> other antivirus products, when actively running on end-user systems, won’t detect the malicious code upon execution; but it does imply that, at least as configured per vendor requests, VirusTotal’s implementation of those engines doesn’t detect the static file.<\/p>\nm.advancedsprint[.]com<\/code>)\u2014both the subdomain and its parent domain\u2014as malicious.<\/p>\nHow can I keep my Mac safe from Adload and other adware or malware?<\/h3>\n
![\"Intego](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch-300x150.png\")
Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9<\/a><\/strong>, is a powerful solution designed to protect against, detect, and eliminate Mac malware.<\/p>\nIndicators of compromise (IOCs)<\/h3>\n
6eb4433f1eac5a0c018d5c7299b0f1bef08e2c1620d2d5588335a06560be51fc*\r\nc5a87badff4431f4df2461fe8137e7d705432e122ed4119c9d9bd5850e87ad39*\r\n986fd59d79727ee5f9144fc49ba5e680f7211fd2c555f9e05a0d90b988effa2f\u00b0\r\n0455b08439cd4d4283865f3120000338d9920aa95e88448dcd3b493cc0720b10\r\n11f0074ed041d32a56a5599ecb924f4ad87fd3b5c38be799aaa9b8944d6f5656\r\n134f9d27cf66bc7fde695e5a213fc13fbc327d1f4e977a517b24ef5459d15c9c\r\n15c2270a2261d76d86931853850d2d37d69fdd98cf6a3426a325f5e8eb98478c\r\n2fda25afec552d39a44764956ae96cf445bfcbd489791cde67dbb4b98f960522\r\n364a8eb56a6f85c958ff84ebae61832453929b4aa12b7a75ea2e35301dfd502d\r\n40ecfe9ebdb0156ebe1080ffdcba74c45f8e991da20ad887d5b65fe2b5168cdf\r\n46a79a9200fb6dd802191d4bfbd98142d13e7edae467cdab72a46d1a3d90e79a\r\n50e9747da2ef7454c6f9a833a5cc7363f9e34a12650c1eda819d71bc3ed63f4a\r\n51c8d6d866454308c08d602683461dca6930be6dda1e3aabb08e69cc077043d3\r\n5ce77544e39cffbe8963e11ebad66c20ebb52beb122471ba60837b4f27dae90f\r\n6954fcfd89c531c4893cb8c738b61629f5cb4b621f3f1a8c91df8eaeabc49c30\r\n6edfdbfc33e3f0f551052530284c1dde3a8ee3d04ce2ce7b3f75f80ae7c92100\r\n79b8e4d59087d94a5bab759c3d86d08b0310a468fa11e2d087500f6f4434300f\r\n7b15cc6844ad0381ad84604a818b2ce6c77c44018657e8703d050f2c252213e3\r\n7e177745bf37e7dd3e475e448e8c040c2592ac28bb4e5a0ed9cb7feec965d244\r\n893085f25b6629070780e5bff9cd53eb7b3c373f732791dee5cf75fa2fd791a8\r\na3082b85401386229b0bdd621e3b3978883802b47e0fa8b0923f9778d088e622\r\na35368ff999259bc3d795ed1647952989d943ca4317c836a648edf62259ba7e7\r\nafdd2d7036e388273e05a60280315d18e1ea630e048529da7320a83a84e545e9\r\nb356ce8cc620d183032a38b3a532c79afc8067101fd90c319fd268e9cfd15625\r\nbcb4684cf651a197b77f022df50fd9016c52d42adb794701a05305411c998a46\r\ncfa4b3b3536224cf8da11f5c02ea576014d86f37dd52a531dd59362967a832c3\r\nd750d2f68573956325578c23405e7c59951a78aa5cbf1f087a15e7c0399e79d4\r\nddca87fea7e24f7adbe3614de48d371ac28c12bd02b592e6435c395ecacaf821\r\ne1afa4dbad6e9f131986240d9d96d1b4d24e021433711f81398293973e05adf6\r\n\r\n*first detected by Intego; decompiled Python adware\r\n\u00b0still only 2\/60 detection rate on VirusTotal<\/pre>\n
m.advancedsprint[.]com\r\n<\/pre>\n
Do security vendors detect this by any other names?<\/h3>\n
How can I learn more?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/04\/intego-podcast-artwork-400.jpg\")
<\/a>Each week on the Intego Mac Podcast<\/strong><\/a>, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast<\/strong><\/a> to make sure you don\u2019t miss any episodes.<\/p>\n![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/X-Twitter-logo-icon-225.gif\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/Facebook-logo-icon-225.gif\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/YouTube-logo-icon-225.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/Pinterest-logo-icon-225.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/LinkedIn-logo-icon-225.gif\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/Instagram-logo-icon-225.gif\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile.png\" "\\"Follow")
<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"