Pirrit is adware targeting macOS, first discovered in 2016.
Also known as: OSX.Pirrit, Pirrit Adware, OperatorMac
Pirrit is an aggressive macOS adware that has been active since 2016, with roots in older Windows adware. It injects advertisements, redirects browser traffic, and installs a local proxy to intercept web requests. Some variants have rootkit-like capabilities, making removal difficult without specialized tools.
Bundled with free Mac software from third-party download sites
Fake software updates and misleading download buttons on websites
Ad networks displaying malicious ads that lead to Pirrit installers
Browser extension installations that bundle adware components
Excessive pop-up ads appearing even on normally ad-free websites
Browser searches redirected through unfamiliar search engines
Local proxy configuration added without your permission
Unknown system extension or kernel extension installed
Go to System Settings > Network > your connection > Details > Proxies. Disable any automatic proxy configuration or manual proxy settings you did not add.
Check /Applications for recently installed apps you do not recognize. Also check /Library/Application Support and ~/Library/Application Support for Pirrit-related folders.
Check all browsers for extensions you did not install. Pirrit often installs extensions that survive a browser settings reset, so remove them manually.
Remove LaunchAgents and LaunchDaemons related to the adware. Check for configuration profiles in System Settings > Privacy & Security > Profiles.
Run a CoreLock scan to detect Pirrit's rootkit-like components, hidden proxy configurations, and any dormant installers waiting to reinstall the adware.
Download software only from official websites or the Mac App Store
Be cautious of 'Download' buttons on free software sites — they may be ads
Regularly check System Settings > Network for unauthorized proxy settings
Use CoreLock to monitor for proxy injection and browser configuration changes
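The proxy check from the removal steps and the regular check recommended above can also be done from Terminal. The script below is an added example, not CoreLock code: it parses the output of macOS's scutil --proxy and marks any enabled proxy or PAC URL that points at the local machine. The sample output, host and port 9999 are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag enabled proxies in `scutil --proxy` output (macOS).

# Constructed sample of `scutil --proxy` output; host and port are made up.
sample_scutil_output() {
  cat <<'EOF'
<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
  }
  HTTPEnable : 1
  HTTPPort : 9999
  HTTPProxy : 127.0.0.1
  HTTPSEnable : 1
  HTTPSPort : 9999
  HTTPSProxy : 127.0.0.1
  ProxyAutoConfigEnable : 0
  SOCKSEnable : 0
}
EOF
}

# Reads scutil output on stdin and prints one line per enabled proxy.
# LOCAL marks loopback targets, the local-proxy pattern described for Pirrit.
audit_proxies() {
  awk -F' : ' '
    function where(s) {
      if (s ~ /^(127\.|localhost|::1)/ || s ~ /\/\/(127\.|localhost|\[::1)/) return "LOCAL"
      return "REMOTE"
    }
    { k = $1; v = $2; gsub(/^[ \t]+/, "", k); gsub(/[ \t\r]+$/, "", v); val[k] = v }
    END {
      n = split("HTTP HTTPS SOCKS", kind, " ")
      for (i = 1; i <= n; i++) {
        p = kind[i]
        if (val[p "Enable"] != "1") continue
        printf "%s %s %s:%s\n", where(val[p "Proxy"]), p, val[p "Proxy"], val[p "Port"]
      }
      if (val["ProxyAutoConfigEnable"] == "1")
        printf "%s PAC %s\n", where(val["ProxyAutoConfigURLString"]), val["ProxyAutoConfigURLString"]
    }'
}

# On a Mac, audit the live settings; elsewhere, run on the constructed sample.
if command -v scutil >/dev/null 2>&1; then
  scutil --proxy | audit_proxies
else
  sample_scutil_output | audit_proxies
fi
```

No output means no proxy is enabled. A LOCAL line for a proxy you did not configure is the setting to disable under System Settings > Network.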
Real-time Detection
CoreLock detects Pirrit through network monitoring of proxy injection and traffic interception, behavioral analysis of ad-injection patterns, YARA signatures covering multiple Pirrit variants and their rootkit components, and system configuration auditing that flags unauthorized proxy settings.
While classified as adware, Pirrit is more aggressive than typical ad-injection software. Some variants include rootkit-like functionality, local proxy hijacking, and the ability to download additional payloads. It can also collect browsing data and send it to remote servers.
Pirrit uses multiple persistence mechanisms including LaunchAgents, LaunchDaemons, configuration profiles, local proxies, and in some variants, system extensions. Removing just one component is not enough — the remaining pieces will reinstall everything.
Pirrit has been targeting macOS since at least 2016, evolving from older Windows adware. It continues to be actively updated and distributed, making it one of the longest-running adware families on the Mac platform.