Wednesday, February 19, 2025

Intego discovers undetected OSX/Adload decompiled Python adware




For the past couple of years, there has been a plethora of discussion around stealer malware that infects Macs. But other malware families, and other categories of malware including potentially unwanted apps (PUA), remain common on Macs, too. Take, for example, the OSX/Adload adware.

We’ve been discussing Adload on The Mac Security Blog for close to a decade, and it still hasn’t gone away. Over the past week, our researchers have been taking another look at some recent Adload samples. Here’s what we’ve discovered.


What’s new with OSX/Adload?

Historically, Adload adware has been distributed via Trojan horses. For example, it used to masquerade as Flash Player installers. Later, UpdateAgent and its successor WizardAgent distributed Adload as an additional payload. (See all articles mentioning Adload.)

While examining recent variants of OSX/Adload, we observed that most of the compiled Mach-O files (native Mac executables) have a detection rate of roughly one-third to one-half of the antivirus engines on VirusTotal, a multi-engine file scanning site. This is a fairly common detection rate for Mac malware in general. Recent Adload samples are typically signed with an ad-hoc signature, which carries no developer identity and so cannot have been notarized by Apple.

But when assessing Adload’s decompiled Python code, we noticed that none of the 60+ engines on VirusTotal detected the decompiled Adload Python sample (see the 6eb4433f… file in the IOCs section below). To be clear, that doesn’t necessarily mean that all other antivirus products, when actively running on end-user systems, won’t detect the malicious code upon execution; but it does imply that, at least as configured per vendor requests, VirusTotal’s implementation of those engines doesn’t detect the static file.

Furthermore, only one of the 96 domain reputation tools that VirusTotal uses detects the infection vector site’s domain (m.advancedsprint[.]com)—both the subdomain and its parent domain—as malicious.

This suggests that, with little effort from the adware’s developers or distributors, OSX/Adload may be able to infect many Macs—potentially even if they have certain popular third-party antivirus software installed.

That underscores the need for users to remain vigilant when downloading apps online; even clicking on links in Google results can lead to malware. Using a trusted, Mac-focused anti-malware suite—like Intego’s Mac Premium Bundle, which includes VirusBarrier—is also an essential part of keeping your Mac safe from harmful files and potentially dangerous software.

How can I keep my Mac safe from Adload and other adware or malware?

If you use Intego VirusBarrier, you’re already protected from this adware. Intego detects these samples as OSX/Adload.ext and Python/Adload.

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, is a powerful solution designed to protect against, detect, and eliminate Mac malware.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sequoia.

One of VirusBarrier’s unique features is that it can scan for malicious files on an iPhone, iPad, or iPod touch in user-accessible areas of the device. To get started, just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from malware.

Indicators of compromise (IOCs)

Following are SHA-256 hashes of adware samples related to this OSX/Adload campaign:

6eb4433f1eac5a0c018d5c7299b0f1bef08e2c1620d2d5588335a06560be51fc*
c5a87badff4431f4df2461fe8137e7d705432e122ed4119c9d9bd5850e87ad39*
986fd59d79727ee5f9144fc49ba5e680f7211fd2c555f9e05a0d90b988effa2f°
0455b08439cd4d4283865f3120000338d9920aa95e88448dcd3b493cc0720b10
11f0074ed041d32a56a5599ecb924f4ad87fd3b5c38be799aaa9b8944d6f5656
134f9d27cf66bc7fde695e5a213fc13fbc327d1f4e977a517b24ef5459d15c9c
15c2270a2261d76d86931853850d2d37d69fdd98cf6a3426a325f5e8eb98478c
2fda25afec552d39a44764956ae96cf445bfcbd489791cde67dbb4b98f960522
364a8eb56a6f85c958ff84ebae61832453929b4aa12b7a75ea2e35301dfd502d
40ecfe9ebdb0156ebe1080ffdcba74c45f8e991da20ad887d5b65fe2b5168cdf
46a79a9200fb6dd802191d4bfbd98142d13e7edae467cdab72a46d1a3d90e79a
50e9747da2ef7454c6f9a833a5cc7363f9e34a12650c1eda819d71bc3ed63f4a
51c8d6d866454308c08d602683461dca6930be6dda1e3aabb08e69cc077043d3
5ce77544e39cffbe8963e11ebad66c20ebb52beb122471ba60837b4f27dae90f
6954fcfd89c531c4893cb8c738b61629f5cb4b621f3f1a8c91df8eaeabc49c30
6edfdbfc33e3f0f551052530284c1dde3a8ee3d04ce2ce7b3f75f80ae7c92100
79b8e4d59087d94a5bab759c3d86d08b0310a468fa11e2d087500f6f4434300f
7b15cc6844ad0381ad84604a818b2ce6c77c44018657e8703d050f2c252213e3
7e177745bf37e7dd3e475e448e8c040c2592ac28bb4e5a0ed9cb7feec965d244
893085f25b6629070780e5bff9cd53eb7b3c373f732791dee5cf75fa2fd791a8
a3082b85401386229b0bdd621e3b3978883802b47e0fa8b0923f9778d088e622
a35368ff999259bc3d795ed1647952989d943ca4317c836a648edf62259ba7e7
afdd2d7036e388273e05a60280315d18e1ea630e048529da7320a83a84e545e9
b356ce8cc620d183032a38b3a532c79afc8067101fd90c319fd268e9cfd15625
bcb4684cf651a197b77f022df50fd9016c52d42adb794701a05305411c998a46
cfa4b3b3536224cf8da11f5c02ea576014d86f37dd52a531dd59362967a832c3
d750d2f68573956325578c23405e7c59951a78aa5cbf1f087a15e7c0399e79d4
ddca87fea7e24f7adbe3614de48d371ac28c12bd02b592e6435c395ecacaf821
e1afa4dbad6e9f131986240d9d96d1b4d24e021433711f81398293973e05adf6

*first detected by Intego; decompiled Python adware
°still only 2/60 detection rate on VirusTotal

This adware campaign has leveraged the following domain as an infection vector:

m.advancedsprint[.]com

Network administrators can check logs to try to identify whether any computers may have attempted to contact the subdomain above, or its parent domain, which could indicate a possible infection.
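The following triage script is an added example and is not Intego’s code. It turns the IOCs above into something a responder can run: it hashes files and compares them against the published SHA-256 list (only the three footnoted hashes are embedded here; extend the set with the full list), scans log lines for the infection-vector host, its parent domain, and any other subdomain without the classic suffix bug that would also match a lookalike such as notadvancedsprint.com, and classifies a Mach-O’s code signature from codesign -dv output, since the post notes recent samples carry an ad-hoc signature. The sample log lines and the codesign excerpt are constructed for the stand-alone run; nothing here contacts the network.

```python
"""Added IOC triage helper for the OSX/Adload indicators in the post (not Intego's code)."""
import hashlib
import re
import shutil
import subprocess
from pathlib import Path
from typing import Iterable

# Subset of the SHA-256 IOCs published in the post; extend with the full list.
ADLOAD_SHA256 = {
    "6eb4433f1eac5a0c018d5c7299b0f1bef08e2c1620d2d5588335a06560be51fc",
    "c5a87badff4431f4df2461fe8137e7d705432e122ed4119c9d9bd5850e87ad39",
    "986fd59d79727ee5f9144fc49ba5e680f7211fd2c555f9e05a0d90b988effa2f",
}

# Infection-vector domain from the post, kept defanged so the IOC list can
# never be followed by accident; refang() turns it back into a hostname.
ADLOAD_DOMAINS_DEFANGED = ["m.advancedsprint[.]com"]

# Constructed sample log lines (not real traffic) for a stand-alone run.
SAMPLE_LOG = [
    "10:00:01 client=10.0.0.5 query=www.apple.com type=A",
    "10:00:02 client=10.0.0.5 query=m.advancedsprint.com type=A",
    "10:00:03 client=10.0.0.7 query=notadvancedsprint.com type=A",
    "10:00:04 client=10.0.0.9 GET https://ADVANCEDSPRINT.com/dl/x.zip",
]

# Constructed excerpt of what `codesign -dv` prints for an ad-hoc signed binary.
ADHOC_CODESIGN_SAMPLE = (
    "Executable=/tmp/sample\nIdentifier=sample\nFormat=Mach-O thin (arm64)\n"
    "CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=8+2 location=embedded\n"
    "Signature=adhoc\nInfo.plist=not bound\nTeamIdentifier=not set\n"
)


def refang(indicator: str) -> str:
    """'m.example[.]com' -> 'm.example.com', lower-cased."""
    return indicator.replace("[.]", ".").lower().strip(".")


def parent_domain(host: str) -> str:
    """'m.example.com' -> 'example.com'. Assumes a single-label public suffix."""
    return ".".join(refang(host).split(".")[-2:])


def host_matches(host: str, ioc_domain: str) -> bool:
    """True for the IOC host, its parent domain, or any subdomain of the parent.
    The leading '.' in the suffix test is what rules out 'notadvancedsprint.com'."""
    host, parent = refang(host), parent_domain(ioc_domain)
    return host == parent or host.endswith("." + parent)


_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def scan_log_lines(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """(line_number, host, line) for each line mentioning the IOC domain.
    Only hostname-shaped tokens are examined, so DNS, proxy and HTTP logs all work."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in _HOST_RE.findall(line):
            if any(host_matches(host, d) for d in ADLOAD_DOMAINS_DEFANGED):
                hits.append((n, host.lower(), line.rstrip()))
                break
    return hits


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(paths: Iterable[Path]) -> dict[str, str]:
    """Map path -> SHA-256 for every file whose digest is a known IOC."""
    return {str(p): d for p in paths if (d := sha256_file(p)) in ADLOAD_SHA256}


def classify_codesign(output: str) -> str:
    """Classify `codesign -dv` output as 'adhoc', 'signed', 'unsigned' or 'unknown'.
    An ad-hoc signature has no signer, so codesign prints 'Signature=adhoc'
    and no 'Authority=' lines."""
    if "code object is not signed" in output:
        return "unsigned"
    if re.search(r"^Signature=adhoc$", output, re.MULTILINE):
        return "adhoc"
    if re.search(r"^Authority=", output, re.MULTILINE):
        return "signed"
    return "unknown"


def codesign_status(path: Path) -> str:
    """Run codesign where it exists (macOS); report 'unavailable' elsewhere."""
    if shutil.which("codesign") is None:
        return "unavailable"
    proc = subprocess.run(["codesign", "-dv", str(path)], capture_output=True, text=True)
    return classify_codesign(proc.stderr + proc.stdout)


if __name__ == "__main__":
    import sys
    files = [Path(a) for a in sys.argv[1:] if Path(a).is_file()]
    for p, digest in match_hashes(files).items():
        print(f"IOC hash match: {p} {digest} codesign={codesign_status(Path(p))}")
    for n, host, _ in scan_log_lines(SAMPLE_LOG):
        print(f"IOC domain hit on constructed log line {n}: {host}")
```

Run it as `python3 adload_triage.py /path/to/suspect/files/*` on a Mac; on any other platform the hash and log checks still work and the signature check reports `unavailable`. Feed real DNS or proxy logs to `scan_log_lines` one line at a time, and note that a hit on the parent domain alone is a lead to investigate, not proof of infection.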

Do security vendors detect this by any other names?

Other antivirus vendors’ names for this Adload adware may include variations similar to the following:

A Variant Of OSX/TrojanDownloader.Adload.AE, AdLoad (PUA), Adloadr (PUA), Adware:MacOS/Adload.D!MTB, Adware:MacOS/Multiverze, Adware.ADWARE/AVA.Agent.rhafu, Adware.ADWARE/OSX.AVI.Adload.rajvu, Adware.MAC.AdLoad.AQF (B), Adware.MAC.Agent.BG (B), Adware.Mac.Cimpli.10, Adware.OSX.Adload.2!c, Adware.OSX.Agent.2!c, Adware.OSX.Cimpli.2!c, Adware/Adload!OSX, ADWARE/AVA.Agent.rhafu, Adware/Cimpli!OSX, Adware/OSX.Adload.d, ADWARE/OSX.AVI.Adload.rajvu, Downloader.AdLoad/OSX!1.D942 (CLASSIC), Gen:Variant.Adware.MAC.Adload.15 (B), Gen:Variant.Adware.MAC.Lador.1 (B), Gen:Variant.Application.MAC.Adload.8 (B), HEUR:Trojan-Downloader.OSX.AdLoad.gen, HEUR:Trojan-Downloader.OSX.Agent.ab, HEUR:Trojan-Downloader.OSX.Lador.a, HEUR:Trojan-Downloader.Python.Agent.af, HEUR:Trojan-Dropper.OSX.Agent.s, Linux.Siggen.5031, Mac.DownLoad.11, Mac.Trojan.AdLoad.4, Macho.adware.adload, Macho.downloader.adload, Macho.trojan.adload, Macho.unknown.adload, MacOffers, macOS:Adload-AM [Trj], MacOS:Adload-AX [Adw], MacOS:Adload-CV [Drp], MacOS:Agent-AHI [Trj], MacOS:Agent-MX [Trj], MacOS:Agent-PP [Adw], MacOS:Downloader-BS [Drp], MacOS/Adload.A.gen!Camelot, MacOS/Agent.A.gen!Camelot, MacOS/Agent.B.gen!Camelot, Malware.OSX/Adload.jleie, Malware.OSX/Agent.ipwvv, Malware.OSX/AVI.Adload.avslq, Malware.OSX/AVI.Agent.gczrk, Malware.OSX/AVI.Downloader.beswh, Malware.OSX/Dldr.Adload.ergvp, Malware.OSX/GM.Adload.OC, Malware.OSX/GM.Agent.TR, Malware.OSX/GM.Downloader.TM, MaxOfferDeal, Mughthesec (PUA), Not-a-virus:HEUR:AdWare.OSX.Agent.al, OSX.AdLoad!g1, Osx.Adware.Adload-9885354-2, Osx.AdWare.Agent.Hajl, Osx.Trojan-Downloader.Adload.Anhl, Osx.Trojan-Downloader.Agent.Hjgl, Osx.Trojan-Downloader.Lador.Wimw, Osx.Trojan.Adload.Fflw, Osx.Trojan.Agent.Qwhl, Osx.Trojan.Dldr.Bujl, Osx.Trojan.Gm.Rqil, OSX/Adload.AX!tr.dldr, OSX/Agent.BQ!tr, OSX/Dldr.Adload.pgzct, OSX/Dwnldr-AASO, OSX/TrojanDownloader.Adload.AK, Password-Stealer ( 0040f4f11 ), Python:Downloader-AJ [Drp], RDN/Generic.osx, Static AI – Malicious Mach-O, Static AI – Suspicious Mach-O, Trojan-Downloader.OSX.Adload, Trojan-Downloader.OSX.Agent.ad, Trojan:MacOS/Lador.B!MTB, Trojan:MacOS/Multiverze, Trojan.Adware.MAC.Adload.22, Trojan.Adware.MAC.Lador.1, Trojan.Application.MAC.Adload.8, Trojan.MAC.Adload.AM (B), Trojan.OSX.Adload.4!c, Trojan.OSX.Agent.4!c, Trojan.OSX.Lador.a!c, Trojan[downloader]:MacOS/Adload.AH, TrojanDownloader:MacOS/Adload.B!MTB, TrojanDownloader:MacOS/SAgnt.C!MTB, TrojanDropper:MacOS/Lador.K!MTB, Unix.Malware.Lador-9884300-0, Unix.Malware.Macos-9882334-0, Win32.Trojan-Downloader.Agent.Edhl

How can I learn more?

Be sure to also check out our 2025 Apple malware forecast and our previous Mac malware articles from 2025 and earlier.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.

About Joshua Long

Joshua Long (@theJoshMeister), Intego’s Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master’s degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh’s articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.