Adload macOS Adware
Adload: Persistent macOS Adware That Hijacks Browsers and Installs Junk
Adload is a long-running family of macOS adware designed to hijack browser settings, inject aggressive ads, and install unwanted software. It spreads via fake software updates, trojanized apps, and shady download sites, often bypassing Apple’s security measures. Adload is known for its ability to persist after removal attempts by using LaunchAgents, configuration profiles, and background processes to regain control of the system.
Introduction to Adload
Adload targets Mac systems specifically, using tactics tailored to macOS environments, such as exploiting Safari preferences, installing LaunchAgents, and leveraging configuration profiles to lock in browser hijacks. Once active, it redirects search queries, displays pop-up ads, and can install secondary payloads. Some antivirus vendors, including Malwarebytes, use the term “Adload” to label adware behavior on Windows as well, but the core Adload family is macOS-specific and its best-documented variants only affect Apple systems.
1. How Adload Works
Infection Mechanism:
Adload spreads through:
- Fake Flash Player or video codec updates
- Bundled installers for media converters, PDF tools, or Mac optimizers
- Deceptive pop-up ads that push downloads under false pretenses
The installer often asks for system permissions, tricking users into giving Adload what it needs to install persistent components.
Payload Execution:
Once installed, Adload:
- Installs LaunchAgents or LaunchDaemons to ensure it runs on startup
- Adds configuration profiles that lock in browser settings (e.g., homepage, search engine)
- Hijacks Safari, Chrome, or Firefox to redirect traffic to ad-heavy or malicious search engines
- Injects ads, banners, and sponsored content across websites
- Downloads and installs additional potentially unwanted programs (PUPs)
2. History and Notable Campaigns
Origin and Discovery:
Adload has been active since at least 2017, with new variants emerging regularly. Security researchers at Malwarebytes, Intego, and SentinelOne have tracked its persistence and adaptability in bypassing macOS security.
Notable Campaigns:
- Adload has often been distributed through fake Flash Player updates, a common bait for Mac users
- Some variants managed to pass Apple’s notarization checks, making them appear legitimate
- It is frequently bundled with other adware or used in tandem with Shlayer, another major macOS threat
3. Targets and Impact
Targeted Victims and Sectors:
Adload targets individual Mac users, especially those who:
- Download free software from untrusted sources
- Use older macOS versions
- Click on pop-up ads promising software fixes or media players
Consequences:
- Search engine hijacking and redirected browser traffic
- Persistent pop-up ads, banners, and invasive on-page advertising
- System slowdown due to background processes and additional downloads
- Increased exposure to scam sites, phishing pages, and additional malware
4. Technical Details
Payload Capabilities:
- Modifies Safari, Chrome, and Firefox settings
- Installs LaunchAgents/Daemons for persistence (~/Library/LaunchAgents/)
- Adds configuration profiles that prevent changes to search settings
- Communicates with ad networks and redirect services to monetize traffic
- May install companion apps disguised as cleaners, optimizers, or VPNs
Evasion Techniques:
- Frequently reinstalls itself after manual removal
- Uses names that resemble system processes to avoid suspicion
- Sometimes passes Apple’s notarization process, making users trust the install
- May disable security software or block legitimate websites used for cleanup
5. Preventing Adload Infections
Best Practices:
- Only install apps from the Mac App Store or known, trusted developer sites
- Avoid clicking on fake update prompts (especially Flash Player alerts)
- Use non-admin user accounts for daily use
- Regularly check for unknown configuration profiles or login items
- Keep macOS and Safari fully updated
Recommended Security Tools:
- Malwarebytes for Mac – specifically detects and removes Adload variants
- Objective-See tools like KnockKnock and BlockBlock
- Intego Mac Internet Security, CleanMyMac X, or Bitdefender for Mac
6. Detecting and Removing Adload
Indicators of Compromise (IoCs):
- Safari or Chrome opens to a strange search engine (e.g., searchmine, searchbaron, or chumsearch)
- System Preferences > Profiles shows unknown or locked profiles
- Unfamiliar apps or LaunchAgents in ~/Library/LaunchAgents/
- Constant pop-up ads or redirect loops in the browser
Removal Steps:
- Use Malwarebytes or another trusted adware removal tool
- Go to System Preferences > Profiles and delete unknown profiles
- Check ~/Library/LaunchAgents/, ~/Library/Application Support/, and ~/Applications/ for suspicious files
- Reset browser settings or reinstall affected browsers
- Reboot and monitor for reappearance
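The LaunchAgents check from the indicators and removal steps above can be scripted. The following is an added example, not code from any vendor or tool named on this page: it parses each plist in ~/Library/LaunchAgents/ and lists the ones worth a manual look. The flagging rules (a com.apple label in the per-user folder, a binary under ~/Library/Application Support/ or ~/Applications/, a hidden path component) are assumed heuristics, and the sample agents are constructed.

```python
import plistlib
import tempfile
from pathlib import Path

# Folders the removal steps say to inspect; matching them is a heuristic, not a signature.
WATCHED = ("Library/Application Support/", "Applications/")

def audit_launch_agents(home):
    """Return {plist name: [reasons]} for per-user LaunchAgents that need a manual look."""
    home, findings = Path(home), {}
    for path in sorted((home / "Library" / "LaunchAgents").glob("*.plist")):
        try:
            job = plistlib.loads(path.read_bytes())
            args = job.get("ProgramArguments") or []
            exe = Path(job.get("Program") or (args[0] if args else ""))
        except Exception:  # not a plist, or its root is not a dictionary
            findings[path.name] = ["unparseable plist"]
            continue
        rel = exe.relative_to(home) if exe.is_relative_to(home) else None  # Python 3.9+
        reasons = []
        if str(job.get("Label", "")).startswith("com.apple."):
            reasons.append("com.apple label in per-user LaunchAgents")
        if rel is not None and (rel.as_posix() + "/").startswith(WATCHED):
            reasons.append("binary in user-writable folder")
        if any(part.startswith(".") for part in (rel or exe).parts):
            reasons.append("hidden path component")
        if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
            reasons.append("relaunches at login or on exit")
        if reasons:
            findings[path.name] = reasons
    return findings

def build_sample_home():
    """Constructed sample data: three made-up agents in a throwaway home folder."""
    home = Path(tempfile.mkdtemp())
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    hidden = str(home / "Library" / "Application Support" / ".helper" / "helperd")
    samples = {
        "com.example.backup": {"Program": "/usr/local/bin/backup", "RunAtLoad": True},
        "com.example.helper": {"ProgramArguments": [hidden, "-d"], "KeepAlive": True},
        "com.apple.example": {"Program": "/usr/local/bin/tool"},
    }
    for label, job in samples.items():
        (agents / f"{label}.plist").write_bytes(plistlib.dumps({"Label": label, **job}))
    return home

if __name__ == "__main__":
    print(audit_launch_agents(build_sample_home()))
```

On a real Mac, call audit_launch_agents(Path.home()) and treat each result as a prompt to inspect the file, since legitimate software also installs per-user agents.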
Professional Help:
If Adload keeps coming back after removal or the user is unsure about removing launch items or profiles, it's best to consult a Mac technician or Apple support.
7. Response to an Adload Infection
Immediate Steps:
- Disconnect from the internet if redirections lead to malicious sites
- Run a full malware scan
- Remove associated apps, agents, and configuration profiles
- Reset browser settings to default
- Inform any users sharing the system to avoid reinfection
8. Legal and Ethical Implications
Legal Considerations:
While Adload is often classified as PUP or adware rather than malware, its evasive tactics and unauthorized system changes may violate consumer protection laws.
Ethical Considerations:
Adload abuses user trust and system permissions to make money through forced ads and hijacked traffic. It erodes confidence in macOS security and leverages deceptive tactics to stay on machines long after installation.
9. Resources and References
- Malwarebytes Labs: Adware.Adload Detection Info
- Intego Mac Security Blog: Intego discovers undetected OSX/Adload decompiled Python adware
- Objective-See Security Tools
- Apple Support: Remove Configuration Profiles in macOS
- SentinelOne Blog: macOS Adload | Prolific Adware Pivots Just Days After Apple’s XProtect Clampdown
10. FAQs about Adload
Q: What is Adload?
A family of macOS adware that hijacks browsers, installs junk apps, and injects unwanted ads.
Q: Does Adload affect Windows too?
While some vendors use “Adload” as a label on Windows, the core Adload family targets macOS specifically.
Q: How does it spread?
Through fake updates, bundled installers, and deceptive download sites.
Q: Can Adload be removed?
Yes, with security tools and by manually deleting profiles, launch agents, and unwanted apps.
11. Conclusion
Adload is one of the most persistent and widespread adware threats on macOS. It tricks users into installing it, then uses system-level changes to stay active and push constant ads. While not as destructive as ransomware or trojans, Adload is a clear violation of user control and system integrity—and removing it fully often takes more than just dragging an app to the trash.