It's back: the infamous Mac malware called AdLoad, first discovered in 2017, is back and blitzing through macOS' built-in defenses, security firm Sentinel One reports.

According to Sentinel One, more than 150 new variants of AdLoad have been identified since last November, with a "spike during July and especially in the weeks leading up to early August 2021." [Many of the new variants bypass protection provided by Apple's Gatekeeper verification screener because the malware is "signed" with Apple's developer certificate.

Many of the AdLoad strains also evade Apple's XProtect malware scanner because they do not match malware profiles in XProtect's database. Some are also "notarized" to pass Apple's latest layer of defense.

"The fact that hundreds of unique samples of well-known adware variants have remained undetected by Apple's built-in malware scanner, despite the fact that they have been circulating for at least 10 months, further endpoint security controls on Mac devices to Mac devices," said Sentinel One. [Apple's own protection is often not enough, and the best Mac antivirus programs will be needed to stop this.

In theory, AdLoad infection could be prevented by refusing to provide the administrator password when the malware begins the installation process.

However, as is the case with most Mac malware, AdLoad will try to get you to approve the installation by pretending that a password is required for some reason. For example, a previous Sentinel One report noted that AdLoad installers often pose as Adobe Flash Player installers.

AdLoad makes money by redirecting your web traffic. It takes over your browser's search engine results and directs them to sites that may pay a fee to AdLoad's creator, and also injects its own ad sets on top of legitimate web ads.

While this is not the worst kind of malware infection, AdLoad has made its way into operating systems and has proven difficult to remove. And who knows what kind of serious infection you might get if such middleweight Mac malware gets into your machine.

"The good news for those without additional security measures," says a new report from Sentinel One, "is that the previous variants we reported in 2019 are now detected by XProtect." The bad news is that the variants used in this new campaign are not detected by any of these rules."

Apple revokes developer certificates as soon as it finds AdLoad variants, but "within hours or days, new samples signed with the new certificates are appearing," the report says.

"It is truly a game of whack-a-mole."

This story was previously reported by Bleeping Computer.