Installcore

Category: pua · Aliases: PUP.Optional.InstallCore, Adware.InstallCore, OSX/InstallCore · Sample count (EMBER 2018): 1,961 · Enrichment: documented_reference_only · Updated: 2026-07-02T09:01:15Z

Overview

Executive Summary

InstallCore is a highly prevalent, aggressive content delivery network (CDN) and installation manager that is universally classified by the cybersecurity industry as a Potentially Unwanted Program (PUP) and Adware. It acts as a wrapper around legitimate software installations, monetizing the "free" download by aggressively bundling and silently installing a multitude of unwanted third-party applications, browser hijackers, and tracking cookies onto the user's system.

Infection Vector and Technical Capabilities

InstallCore is encountered when users attempt to download popular freeware (like media players, PDF readers, or Java updates) from third-party, unofficial software aggregators. The downloaded file is not the software itself, but the InstallCore "wrapper." Its technical operation relies on deception and aggressive installation tactics:

Threat Assessment

InstallCore is a high-impact nuisance and a moderate security risk. While it does not typically deploy ransomware, it severely degrades system performance, compromises browser security (via hijacking), and exposes the user to potentially malicious third-party advertisements (malvertising). It also generates massive IT helpdesk overhead as users complain of "slow PCs" and "pop-ups."

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1562.001 T1112 T1185

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_INSTALLCORE {
    meta:
        description = "Detects Installcore (pua)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "installcore" ascii wide nocase
        $s2 = "pup.optional.installcore" ascii wide nocase
        $s3 = "adware.installcore" ascii wide nocase
        $s4 = "osx/installcore" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Installcore Activity
id: 6bf7b03817f34b4d98093c4919108f70
status: experimental
description: Detects generic indicators of the installcore malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*installcore*"
            - "*pup.optional.installcore*"
            - "*adware.installcore*"
            - "*osx/installcore*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

Where can I learn more about installcore?

Refer to the linked MITRE ATT&CK technique pages, which document the behaviors associated with this family.

Related Families (Category: pua)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/installcore.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.