Monday September 22, 2025

Advisory ID:   ngCERT-2025-080003

SUMMARY

ngCERT is aware of a persistent “AdLoad” malware family infiltrating macOS through deceptive installers and bypassing Apple’s built-in security protections. Once installed, it hijacks browsers, injects unwanted advertisements, and collects user data, while embedding itself deeply via launch agents, login items, and configuration profiles to maintain persistence. Detecting AdLoad is challenging because it relies on legitimate system mechanisms rather than on an obvious exploit. Manual detection involves inspecting login items, configuration profiles, and launch agents and daemons, but these checks may miss advanced variants. Proactive monitoring, regular audits, and user education are crucial for reducing risk and protecting system integrity. The malware exemplifies the increasing sophistication of macOS threats, making layered defense and timely detection critical to maintaining secure computing environments.

Probability:    High

Damage:        Critical

Platform(s): macOS (Intel + Apple Silicon)

DESCRIPTION

AdLoad is a sophisticated adware family targeting macOS, utilising deceptive installers to infiltrate systems without detection. It abuses macOS’s native features to establish deep persistence, manipulating browser settings and injecting unsolicited advertisements. Rather than relying on an exploit, AdLoad blends into legitimate system processes, complicating detection efforts. Indicators of infection include unexpected browser redirects, unfamiliar startup items, and subtle system slowdowns. Its stealth is enhanced by its use of configuration profiles and launch agents, mechanisms generally used for legitimate purposes. Traditional antivirus tools often struggle to identify AdLoad because its components are frequently code-signed and it persists through standard macOS mechanisms rather than through anything that looks malicious on its own.

CONSEQUENCES

A successful AdLoad infection may lead to the following outcomes:

  1. Persistent and Intrusive Advertisements: AdLoad continuously injects unwanted ads into browsers and applications, disrupting normal workflows and degrading the overall user experience.
  2. Browser Hijacking and Redirects: The malware modifies browser settings to redirect users to suspicious or malicious websites.
  3. Unauthorized Data Collection: AdLoad covertly gathers browsing history, search queries, and other personal information without user consent.
  4. Difficult Removal and Persistence: Utilising legitimate macOS mechanisms like launch agents and configuration profiles, AdLoad embeds itself deeply within the system, so that deleting a single component is often not enough to remove it.
  5. Degraded System Performance: Running background processes and injecting ads consume CPU, memory, and network bandwidth, leading to slower system responsiveness and reduced efficiency over time.
  6. Potential Vector for More Threats: Because it establishes persistent, hidden code execution on the host, AdLoad can serve as a loader for more dangerous malware, including ransomware or spyware.

SOLUTION/MITIGATION

To mitigate the risks associated with AdLoad malware, ngCERT recommends the following actions:

  1. Use trusted anti-malware tools and keep their signatures current; Apple’s built-in protections alone are not sufficient against every variant.
  2. Perform manual inspection and cleanup of ~/Library/LaunchAgents, /Library/LaunchAgents, /Library/LaunchDaemons, login items and configuration profiles, removing all components together so the adware cannot reinstall itself.
  3. Keep macOS and installed software updated.
  4. Limit software installation sources to the App Store and identified developers, and avoid installers offered by download portals and pop-ups.
  5. Educate users to recognise phishing and fake installers.
  6. Implement endpoint monitoring that alerts on newly created launch agents, launch daemons and configuration profiles.
  7. Restrict administrative privileges: daily-use accounts should be standard users, so that an installer cannot write system-wide persistence under /Library without an administrator prompt.
  8. Maintain regular backups so that a compromised system can be restored rather than cleaned piece by piece.
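The manual inspection described in the summary and in step 2 above, as an added example that is not part of the ngCERT advisory and not Apple’s tooling: a POSIX shell script that lists the launchd plists in the standard persistence directories, extracts the program each one starts, and flags entries that run from user-writable or hidden paths (or whose program no longer exists on disk). The flagging rules are an assumption for illustration, not an AdLoad signature, and every hit needs a human to look at it. Login items and configuration profiles are listed with the real `osascript` and `profiles` commands, which only exist on macOS; the plist parsing is plain awk so the audit can also be run off-box against a copied ~/Library.

```shell
#!/bin/sh
# audit_persistence.sh (added example, not ngCERT's or Apple's code).
# Lists launchd entries, login items and configuration profiles on macOS and
# flags launchd programs that run from user-writable or hidden locations.
# The flagging rules are an illustrative assumption, not an AdLoad signature.

# awk program: print the value of "Program", or the first <string> under
# "ProgramArguments", then stop. match() avoids greedy-regex mistakes when
# several <string> elements share one line.
AWK_PROG='
    /<key>Program(Arguments)?<\/key>/ { want = 1; sub(/.*<key>Program(Arguments)?<\/key>/, "") }
    want && match($0, /<string>[^<]*/) { print substr($0, RSTART + 8, RLENGTH - 8); exit }
'

# plist_program FILE: print the program a launchd plist starts.
# Binary plists (header "bplist") are converted with plutil, which only exists
# on macOS; on other systems only XML plists can be read.
plist_program() {
    f="$1"
    if [ "$(head -c 6 "$f")" = "bplist" ] && command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$f" | awk "$AWK_PROG"
    else
        awk "$AWK_PROG" "$f"
    fi
}

# suspicious_reason PATH: print one reason per line if PATH looks suspicious,
# nothing if it looks ordinary. Heuristics only (assumption, see above).
suspicious_reason() {
    p="$1"
    [ -n "$p" ] || { echo "no program path"; return 0; }
    case "$p" in
        *"/Library/Application Support/"*) echo "runs from Application Support" ;;
        /tmp/*|/private/tmp/*|/var/tmp/*|/Users/Shared/*) echo "runs from temp or shared dir" ;;
    esac
    case "$p" in
        */.*) echo "hidden (dot-prefixed) path component" ;;
    esac
    # A dangling path usually means a half-removed infection or an orphaned agent.
    [ -e "$p" ] || echo "program missing on disk"
}

# audit_launch_dirs DIR...: print "plist<TAB>program<TAB>reason1;reason2" for
# every flagged plist in the given directories; missing directories are skipped.
audit_launch_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*.plist; do
            [ -f "$f" ] || continue
            prog=$(plist_program "$f")
            reasons=$(suspicious_reason "$prog")
            [ -n "$reasons" ] || continue
            printf '%s\t%s\t%s\n' "$f" "$prog" "$(printf '%s' "$reasons" | tr '\n' ';')"
        done
    done
}

# Login items and configuration profiles need macOS tools; silently skipped elsewhere.
# Run `sudo profiles list` as well to see system-level (device) profiles.
list_login_items() {
    command -v osascript >/dev/null 2>&1 || return 0
    osascript -e 'tell application "System Events" to get the name of every login item'
}
list_profiles() {
    command -v profiles >/dev/null 2>&1 || return 0
    profiles list
}

# Live audit of the standard persistence locations when run on a Mac.
audit_launch_dirs "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons
list_login_items
list_profiles
```

Run it as the logged-in user first, then again with `sudo` so that root-owned daemons and device profiles are included. Anything it flags should be cross-checked against the signing identity of the program (`codesign -dv PATH`) and against the other locations the advisory names before deleting, since AdLoad components reinstall one another if only one is removed.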
