Remove CrescentCore Malware from Mac (Update August 2019)


Update August 2019. What is CrescentCore Mac malware? How threatening is it to macOS? Let’s find out in this article.

OSX/CrescentCore or CrescentCore Mac malware is a new malicious campaign currently targeting users in the wild. According to security researchers, the malware is considered the next generation of a fake Flash Player “virus” which is now capable of fully evading antivirus detection. Currently, Mac users are widely targeted across the Web, as CrescentCore lurks in bogus download sites as well as top-ranking Google search results.

Threat Summary

Type: Trojan Horse for Mac OS
Short Description: Aims to sneak into your Mac undetected to perform a series of malicious activities.
Symptoms: A Trojan horse application on a .dmg disk image, masqueraded as an Adobe Flash Player installer.
Distribution Method: Fake download sites and trojanized apps

CrescentCore Mac Malware – Distribution

As reported by Intego researchers, this malware is in fact a Trojan horse application on a .dmg disk image, masquerading as an Adobe Flash Player installer. This distribution method is not new at all, as it has been observed in Windows campaigns for years. The difference, however, is that CrescentCore has been updated with additional capabilities meant to improve its evasion of antivirus programs. Also, this is not the first such case against Mac users. A previously detected Mac Trojan is the so-called Mac Control “virus”, which has been known to spy on users’ activities.

Currently, the malware is being distributed via fake app installers (.dmg file), but its distribution mechanisms could be updated in the near future to include:

  • Fake patches;
  • Software cracks;
  • Key generators.

So, how does the CrescentCore infection happen?

Of course, the user will have to open the .dmg file and then the app with the Flash Player icon. Once this is done, the Trojan will check if it’s running inside a virtual machine. Then, CrescentCore will run a check to see if there is a Mac antivirus program running on the system. If either of these two conditions is met, the malware will not continue its operations on this particular system.

In case no AV software is found, the malware will install its persistent infection in the form of a LaunchAgent.
Security researchers say that there is a second variant of the malware which could install Advanced MacCleaner on infected hosts, or a malicious Safari browser extension.
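Because the persistence described above takes the form of a LaunchAgent, reviewing the LaunchAgent folders is a practical check on a suspected Mac. The Python sketch below is an added example, not code from the original article or from Intego; the trusted-prefix list, the function names and the two sample plists are assumptions constructed for illustration, since the page does not name the malware's actual LaunchAgent.

```python
import plistlib
import tempfile
from pathlib import Path

# Standard per-user and system-wide LaunchAgent folders on macOS.
AGENT_DIRS = [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")]
# Assumption: executables under these prefixes are expected; tune for your Macs.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/")


def audit_agent(path):
    """Parse one LaunchAgent plist; return its details and reasons to review it."""
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)  # handles XML and binary plists
        args = job.get("ProgramArguments") or []
        exe = str(job.get("Program") or (args[0] if args else ""))
    except Exception as exc:  # unreadable file, malformed plist, non-dict root
        return {"file": str(path), "label": None, "exe": None, "reasons": [f"unparseable: {exc}"]}
    reasons = []
    if not exe.startswith(TRUSTED_PREFIXES):
        reasons.append("executable outside trusted prefixes")
    if any(part.startswith(".") for part in Path(exe).parts):
        reasons.append("hidden file or directory in executable path")
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts automatically (RunAtLoad/KeepAlive)")
    return {"file": str(path), "label": job.get("Label"), "exe": exe, "reasons": reasons}


def audit_dirs(dirs=AGENT_DIRS):
    """Return only the agents that have at least one review reason."""
    found = [audit_agent(p) for d in dirs for p in sorted(Path(d).glob("*.plist"))]
    return [f for f in found if f["reasons"]]


def demo():
    """Audit two constructed plists (sample values, not real CrescentCore artifacts)."""
    benign = {"Label": "com.example.helper",
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"]}
    suspect = {"Label": "com.example.updater", "RunAtLoad": True,
               "Program": "/Users/test/Library/Application Support/.cache/updater"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, job in (("benign.plist", benign), ("suspect.plist", suspect)):
            with open(Path(tmp, name), "wb") as fh:
                plistlib.dump(job, fh)
        return audit_dirs([tmp])
```

On a Mac, calling `audit_dirs()` with no arguments checks the real LaunchAgent folders; `demo()` runs the same logic over the constructed samples. A flagged entry is a prompt for manual review, not proof of infection.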

How to Effectively Remove Mac Kontrol

The malware has been observed in active campaigns in the wild, so Mac users should be extra careful when surfing the web. Since CrescentCore is designed to check whether there is an antivirus program installed on the targeted Mac and would halt the infection if one is found, it is highly advisable to install a security solution.

If you’re already infected by CrescentCore and want to remove it from your Mac, we suggest that you carefully read steps 1 and 2 below this article. If, however, you cannot seem to find the virus files or the app which the malware pretends to be, then professional removal is your best bet. To remove CrescentCore efficiently, you can download advanced anti-malware software and run a scan of your Mac. Such a tool is designed to help you automatically detect and get rid of any malware, CrescentCore included.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
