AdLoad is a adware targeting macOS, first discovered in 2017. AdLoad is one of the most persistent adware families targeting macOS, active since at least 2017. It installs browser proxy configurations and injects advertisements into web pages. AdLoad frequently updates its payloads to evade Apple's XProtect signatures, making it one of the longest-running macOS adware operations. CoreLock detects this threat using CoreLock detects AdLoad through behavioral analysis of proxy configuration changes, YARA signatures covering 100+ known AdLoad variants, monitoring for suspicious configuration profile installations, and network-level detection of ad-injection proxy traffic.
Also known as: Adload, AdLoad.BundleInstaller
AdLoad is one of the most persistent adware families targeting macOS, active since at least 2017. It installs browser proxy configurations and injects advertisements into web pages. AdLoad frequently updates its payloads to evade Apple's XProtect signatures, making it one of the longest-running macOS adware operations.
Bundled with free software downloads from third-party sites
Fake Flash Player update prompts on compromised websites
Malvertising campaigns redirecting to fake download portals
Trojanized versions of popular utilities distributed outside the App Store
Browser homepage or search engine changed without permission
Unusual advertisements injected into websites that normally have none
New browser extensions or profiles you did not install appearing
System Preferences showing unknown configuration profiles under Profiles
Open System Settings > Privacy & Security > Profiles (if visible). Delete any profiles you did not install, as AdLoad uses these to enforce browser proxy settings.
Check Safari, Chrome, and Firefox for extensions you did not add. Remove them and reset browser settings to defaults.
Check ~/Library/LaunchAgents, /Library/LaunchAgents, and /Library/LaunchDaemons for plist files with random-looking names. Remove any connected to AdLoad.
Go to System Settings > Network > your active connection > Details > Proxies. Disable any proxy configurations you did not set up.
CoreLock will detect remaining AdLoad components including hidden persistence files, injected browser configurations, and dormant payloads waiting to reinstall.
Avoid downloading software from unofficial or third-party websites
Flash Player is discontinued — any update prompt for it is malware
Keep macOS updated, as Apple regularly adds AdLoad signatures to XProtect
Use CoreLock's real-time monitoring to catch new AdLoad variants before XProtect does
Real-time Detection
CoreLock detects AdLoad through behavioral analysis of proxy configuration changes, YARA signatures covering 100+ known AdLoad variants, monitoring for suspicious configuration profile installations, and network-level detection of ad-injection proxy traffic.
AdLoad is classified as adware rather than high-severity malware, but it poses real risks. It injects ads, redirects searches, installs configuration profiles that persist through reboots, and can download additional payloads. It also degrades system performance and browser stability.
AdLoad uses multiple persistence mechanisms including LaunchAgents, LaunchDaemons, configuration profiles, and hidden helper applications. Removing just the visible app is not enough — you need to find and remove all persistence components, which CoreLock automates.
Apple's XProtect has signatures for many AdLoad variants, but the malware authors frequently update their payloads to bypass detection. New AdLoad variants often circulate for days or weeks before Apple updates XProtect signatures. CoreLock's behavioral analysis catches new variants immediately.
Download CoreLock to detect and remove AdLoad and other macOS threats. AI-powered analysis, real-time monitoring, and one-click remediation.
Download CoreLock FreeAvailable for macOS and Windows