Sideloading refers to software installation from a third party rather than an authorized source, such as apps not available through official vendors or app stores. This vulnerability gives attackers yet another critical opportunity.

Why is a security risk?

Third-party applications may not have been tested for security risks. They may be malicious in nature, exposing users to risks merely by installing the program on their devices. During Web Summit 2021, Apple’s senior vice president, Craig Federighi, referred to sideloading as “a cyber criminal’s best friend.”

Typically, these programs are downloaded as a result of social engineering attacks, such as phishing emails or pop-up advertising.

Users may also download ‘freemium’ or a ‘free’ version of the software that contains harmful malware.

How is ransomware delivered through sideloading?

WizardUpdate is one type of sideloading attack recently discovered in the wild. The program impersonates a legitimate application, such as Adobe Flash Player. Initially, the program was a reconnaissance tool, only gathering system information and relaying it to a command-and-control (C2) server. However, it has since evolved to include the ability to bypass macOS gatekeeper security, load other applications from within the app, such as Adware and Malware, and change system settings.

Suppose a sideloaded program contains malware that grants remote access to an attacker. This access is generally sold to ransomware groups, who will utilize the first foothold to begin a lateral movement, privilege escalation, and finally install ransomware.

Another recent sideloading exploit reveal involves threat actors notorious for distributing malware, such as Trickbot and BazarLoader.

Using a feature released by Microsoft in June 2021 allows users to install Windows 10 programs via a browser.

The impact of sideloading attacks

Sideloading application hacks can compromise organizations, leaving them unable to access data unless a ransom is paid or their private data is exfiltrated. Sideloaded apps provide a danger comparable to email-borne malware, with the exception that the initial infection mechanism is likely to be subject to fewer security restrictions.

Steps to safeguard your organization against attacks

  • Consider limiting user access through a Group Policy to prevent non-system administrators from downloading and installing PUP (Potentially Unwanted Program) on company devices.
  • By using programs that allow you to list a set of permitted applications, you can ensure that software is only downloaded and installed from the vendor’s website or app store, not third-party sites.
  • Regularly hold awareness training to ensure that personnel are informed of potential hazards.
  • Consider investing in a security system that can continually monitor and stop any threats from devices, such as Next Generation AntiVirus (NGAV) and Endpoint Detection and Response (EDR).


Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

immediate help

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center