What kind of malware is SNOWLIGHT?
SNOWLIGHT is malware that targets Mac operating systems (macOS). It acts as a dropper (i.e., it can cause chain infections) and has been observed delivering the VShell malware onto compromised devices. The SNOWLIGHT dropper has been used by a threat actor tracked as "UNC5174", which is believed to operate as a contractor for the Chinese government.
SNOWLIGHT malware overview
SNOWLIGHT acts as a dropper – i.e., it "drops" additional malware or malicious content onto systems. In theory, a dropper can deliver any kind of malware (e.g., trojans, ransomware, etc.) – in practice, a given dropper is usually built to deliver a specific set of payloads.
SNOWLIGHT connects to its C&C (Command and Control) server to receive instructions, prepares the system for further infection, and carries that infection out. To elaborate, the malware first checks for a specific log file ("/tmp/log_de.log"); if the file is not found, SNOWLIGHT sets up a network socket to connect to its C&C (the file therefore behaves like an infection/run-once marker). The program also uses standard system functions to read and modify environment variables. Content received from the C&C server may be obfuscated or encrypted, and SNOWLIGHT decodes it before processing it.
In the latest campaign involving SNOWLIGHT, it was introduced in the second stage of the infection chain. In the initial stage, a malicious bash script delivered two payloads: one related to SNOWLIGHT ("dnsloger"), and a second ("system_worker") associated with the Sliver and Cobalt Strike post-exploitation frameworks.
In this stage, persistence was established by registering the malicious software as a scheduled task (executed every hour), running it in the background, and auto-starting it upon each reboot. SNOWLIGHT then introduced the VShell RAT (Remote Access Trojan) – a fileless payload that resides solely in memory. VShell combines backdoor and injector capabilities: it can download/install additional malicious programs and steal files.
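The behaviours described above (the "/tmp/log_de.log" marker, the "dnsloger"/"system_worker" payload names, and an hourly scheduled task that survives reboots) translate directly into host triage checks. The script below is an added example written for this page; it is not PCrisk's tooling and not code recovered from UNC5174. Its own assumptions are the ROOT prefix (so a mounted evidence image, or the constructed tree in a self-test, can be scanned instead of the live "/"), that both cron and launchd are checked because the page does not say which scheduler the campaign used, and that paths contain no whitespace.

```shell
#!/bin/sh
# snowlight_hunt.sh: triage checks for the SNOWLIGHT/VShell chain described on
# this page. Added example, not PCrisk's tooling and not attacker code. The ROOT
# prefix, the cron-plus-launchd coverage and the "no whitespace in paths"
# assumption are this example's own choices.

# Prints one line per finding. Exit status is the number of findings (0 = clean).
snowlight_hunt() {
  root="${1:-}"; root="${root%/}"
  hits=0

  # 1. Run-once marker: the dropper only contacts its C&C when this file is
  #    absent, so on a host that has already run it the file tends to exist.
  if [ -e "$root/tmp/log_de.log" ]; then
    echo "MARKER   $root/tmp/log_de.log exists"
    hits=$((hits + 1))
  fi

  # Scheduler locations on Linux (cron) and macOS (cron spool + launchd).
  # Unquoted on purpose so the globs expand (paths assumed whitespace-free).
  crons="$root/etc/crontab $root/etc/cron.d/* $root/etc/cron.hourly/* \
         $root/var/spool/cron/* $root/var/spool/cron/crontabs/* $root/var/at/tabs/*"
  plists="$root/Library/LaunchAgents/*.plist $root/Library/LaunchDaemons/*.plist \
          $root/Users/*/Library/LaunchAgents/*.plist"

  # 2. Stage-one payload names from the campaign in any scheduler file
  #    (page: hourly task, run in the background, re-launched at boot).
  for f in $crons $plists; do
    [ -f "$f" ] || continue
    if grep -Eq '(^|[^[:alnum:]_])(dnsloger|system_worker)([^[:alnum:]_]|$)' "$f"; then
      echo "PERSIST  $f references a known payload name"
      hits=$((hits + 1))
    fi
  done

  # 3. Same cadence, any name: an hourly cron job that runs something from /tmp
  #    or a dot-directory, or a launchd job with StartInterval 3600 + RunAtLoad.
  sp='[[:space:]]+'
  hourly="^([0-9]+$sp\\*$sp\\*$sp\\*$sp\\*|@hourly)$sp.*(/tmp/|/\\.)"
  for f in $crons; do
    [ -f "$f" ] || continue
    if grep -Eq "$hourly" "$f"; then
      echo "HOURLY   $f has an hourly job launched from /tmp or a hidden directory"
      hits=$((hits + 1))
    fi
  done
  for f in $plists; do
    [ -f "$f" ] || continue
    if grep -A1 '<key>StartInterval</key>' "$f" | grep -q '<integer>3600</integer>' &&
       grep -A1 '<key>RunAtLoad</key>' "$f" | grep -q '<true/>'; then
      echo "LAUNCHD  $f runs every 3600 s and at boot/login"
      hits=$((hits + 1))
    fi
  done

  return "$hits"
}

# Stand-alone use: `sh snowlight_hunt.sh --scan` on a live host (run as root so
# other users' crontabs are readable) or `sh snowlight_hunt.sh --scan /mnt/evidence`.
case "${1-}" in
  --scan) snowlight_hunt "${2:-/}"; echo "findings: $?" ;;
esac
```

A zero exit status only means none of these specific traits were found; because VShell itself is fileless, a clean result here should be followed by a look at running processes and their network sockets, not treated as proof that the host is clean.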
It is noteworthy that malware developers and attackers often improve upon their software and methodologies. For example, the UNC5174 group is known to customize its tools. Hence, potential future iterations of SNOWLIGHT could have additional/different functionalities and features.
To summarize, the presence of software like SNOWLIGHT on devices can lead to multiple system infections, severe privacy issues, financial losses, and identity theft.
Name | SNOWLIGHT dropper |
Threat Type | Mac malware, dropper (downloader trojan). |
Detection Names | Avast (MacOS:Downloader-CH [Drp]), Combo Cleaner (Generic.MAC.Downloader.J.929FDCD9), ESET-NOD32 (A Variant Of OSX/TrojanDownloader.Agent), Kaspersky (HEUR:Trojan-Downloader.OSX.Agent.ao), Full List Of Detections (VirusTotal) |
Payload | VShell |
Symptoms | Malware is designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine. |
Distribution Methods | Infected email attachments, malicious online advertisements, social engineering, software 'cracks'. |
Damage | Stolen passwords and banking information, identity theft, the victim's computer added to a botnet. |
Malware Removal (Mac) | To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
Similar malware examples
We have investigated countless malicious programs; Octowave, SteelFox, SambaSpy, and CrackedCantil are just some examples of malware capable of causing chain infections.
Malware is a broad term covering software with a wide range of malicious capabilities, yet regardless of what those capabilities are, the presence of such software on a device endangers its integrity and user safety. Therefore, all threats must be eliminated immediately upon detection.
How did SNOWLIGHT install on my computer?
SNOWLIGHT is not exclusive to one group (i.e., it is used by various cyber criminals); hence, the methods employed to spread it can vary depending on the attackers.
The techniques used to spread SNOWLIGHT in the latest campaign undertaken by UNC5174 have not been identified. Methods previously used by this threat actor include exploiting vulnerabilities in Ivanti Cloud Service Appliance (CSA) products (attacks that occurred during the 2024 Paris Olympics) and using malspam (malicious spam) to distribute infectious attachments (attacks that took place in 2019).
As mentioned in the introduction, UNC5174 is associated with the Chinese government. This group has carried out attacks in countries located in North America, Western Europe, and the Asian-Pacific region. Targeted entities include governmental bodies and the private sector (e.g., energy, defense, healthcare, research, tech, etc.).
Generally, malware is proliferated by relying on phishing and social engineering tactics. Malicious software is usually disguised as or packed together with ordinary content ("bundling"). Infectious files can be executables (.exe, .run, etc.), archives (RAR, ZIP, etc.), documents (Microsoft Office, Microsoft OneNote, PDF, etc.), JavaScript, and so forth. Merely opening a virulent file can be enough to trigger the infection chain.
Malware is primarily distributed via backdoor/loader-type trojans, drive-by downloads, dubious download channels (e.g., freeware and free file-hosting sites, Peer-to-Peer sharing networks, etc.), malicious attachments/links in spam (e.g., emails, DMs/PMs, social media posts, etc.), malvertising, online scams, illegal software activation ("cracking") tools, and fake updates.
Some malicious programs can even self-spread through local networks and removable storage devices (e.g., external hard drives, USB flash drives, etc.).
How to avoid installation of malware?
We highly recommend approaching incoming communications with caution. Attachments or links present in suspect/irrelevant emails or other messages must not be opened, as they can be infectious. It is essential to be vigilant while browsing since the Internet is full of deceptive and malicious content.
Furthermore, all downloads must be performed from official and verified sources. Another recommendation is to activate and update software using functions/tools provided by genuine developers, as those acquired from third-parties can contain malware.
We must stress the importance of having a reputable antivirus installed and kept up-to-date. Security programs must be used to run regular system scans and to remove detected threats. If your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate infiltrated malware.
Potentially unwanted applications removal:
Remove potentially unwanted applications from your "Applications" folder:
Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX","NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.
Remove adware-related files and folders
Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...
Check for adware generated files in the /Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: /Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the ~/Library/Application Support/ folder:
In the Go to Folder... bar, type: ~/Library/Application Support/
In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.
Check for adware generated files in the ~/Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: ~/Library/LaunchAgents/
In the user-level "LaunchAgents" folder, look for any recently-added suspicious files (the same kind of adware-generated .plist files as in the system-level folder above) and move them to the Trash.
Check for adware generated files in the /Library/LaunchDaemons/ folder:
In the "Go to Folder..." bar, type: /Library/LaunchDaemons/
In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.
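The four folder checks above all ask the same question: which launchd jobs were added recently, and what do they run? The script below answers that from the file timestamps instead of by eye. It is an added example written for this page, not PCrisk's own tooling; its ROOT prefix (default "/", so a mounted volume or a constructed test tree can be inspected), its DAYS window (default 30) and its assumption that paths contain no whitespace are this example's own choices.

```shell
#!/bin/sh
# recent_launch_items.sh: list launchd jobs in the folders this guide walks
# through, filtered by file age, together with the program each one runs.
# Added example for this page, not PCrisk's tooling. ROOT, DAYS and the
# "no whitespace in paths" assumption belong to this example only.

# Usage: recent_launch_items [ROOT] [DAYS]
# Prints "path<TAB>label<TAB>program" per job; exit status = number printed.
recent_launch_items() {
  root="${1:-}"; root="${root%/}"
  days="${2:-30}"
  n=0
  for d in "$root/Library/LaunchAgents" "$root/Library/LaunchDaemons" \
           $root/Users/*/Library/LaunchAgents; do
    [ -d "$d" ] || continue
    # Only plists modified within the window count as "recently added".
    for f in $(find "$d" -maxdepth 1 -name '*.plist' -mtime "-$days"); do
      # Flatten the XML so each key/value pair can be pulled with one sed.
      flat=$(tr -d '\n\t' < "$f")
      label=$(printf '%s' "$flat" | sed -n 's/.*<key>Label<\/key> *<string>\([^<]*\)<\/string>.*/\1/p')
      # Either a plain <Program> string or the first <ProgramArguments> entry.
      prog=$(printf '%s' "$flat" | sed -n 's/.*<key>Program\(Arguments\)\{0,1\}<\/key> *\(<array> *\)\{0,1\}<string>\([^<]*\)<\/string>.*/\3/p')
      printf '%s\t%s\t%s\n' "$f" "${label:-?}" "${prog:-?}"
      n=$((n + 1))
    done
  done
  return "$n"
}

# Stand-alone use: `sh recent_launch_items.sh --list [ROOT] [DAYS]`.
case "${1-}" in
  --list) recent_launch_items "${2:-/}" "${3:-30}"; echo "jobs listed: $?" ;;
esac
```

Before trashing a plist that the listing flags, unload the job so the running process does not outlive its file: `launchctl bootout gui/$(id -u) <path>` for a user LaunchAgent, or `sudo launchctl bootout system <path>` for a LaunchDaemon. A program path pointing into /tmp, a hidden directory under the home folder, or a label that imitates an Apple or vendor name is the pattern to treat as suspicious.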
Scan your Mac with Combo Cleaner:
If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. After downloading the file, double click the combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your Launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.
Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.
After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.
Remove malicious extensions from Internet browsers
Remove malicious Safari extensions:
Open the Safari browser, from the menu bar, select "Safari" and click "Preferences...".
In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.
Remove malicious extensions from Google Chrome:
Click the Chrome menu icon (at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.
Remove malicious extensions from Mozilla Firefox:
Click the Firefox menu (at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.
Frequently Asked Questions (FAQ)
My computer is infected with SNOWLIGHT malware, should I format my storage device to get rid of it?
Malware removal rarely necessitates formatting.
What are the biggest issues that SNOWLIGHT malware can cause?
The threats posed by an infection depend on the malware's abilities and the cyber criminals' goals. SNOWLIGHT acts as a dropper – it infiltrates additional malicious content into systems. Hence, this malware can cause multiple system infections that can result in severe privacy issues, financial losses, and identity theft.
What is the purpose of SNOWLIGHT malware?
Malware is primarily used to generate revenue for cyber criminals. However, SNOWLIGHT has been employed in attacks undertaken by a threat actor tracked as "UNC5174". This group is associated with the Chinese state; hence, infections carried out by UNC5174 are likely to have geopolitical motivations, such as cyber espionage.
How did SNOWLIGHT malware infiltrate my computer?
Malware is mainly distributed via spam mail, trojans, drive-by downloads, online scams, malvertising, suspicious download sources (e.g., unofficial and free file-hosting sites, P2P sharing networks, etc.), fake updaters, and illegal software activation tools ("cracks"). Some malicious programs can self-proliferate through local networks and removable storage devices.
Will Combo Cleaner protect me from malware?
Combo Cleaner can detect and eliminate almost all known malware infections. It must be emphasized that performing a complete system scan is essential since high-end malicious programs tend to hide deep within systems.
Tomas Meskauskas
Expert security researcher, professional malware analyst
I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.