{
	"id": "9b27f483-735f-4e64-8687-89c6fd359c5e",
	"created_at": "2026-04-10T03:20:56.304011Z",
	"updated_at": "2026-04-10T13:11:47.231667Z",
	"deleted_at": null,
	"sha1_hash": "06156fa3e46b606cc10a3f22c19533fde4d48855",
	"title": "HandBrake for Mac Compromised with Proton Spyware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36849,
	"plain_text": "HandBrake for Mac Compromised with Proton Spyware\r\nBy Michael Mimoso\r\nPublished: 2017-05-08 · Archived: 2026-04-10 03:07:37 UTC\r\nThe open source HandBrake project is warning anyone who recently downloaded the Mac version of the software\r\nthat they’re likely infected with malware.\r\nThe handlers of the open source HandBrake video transcoder are warning anyone who recently downloaded the\r\nMac version of the software that they’re likely infected with malware.\r\nHandBrake warned users on Saturday of a compromise of one of its mirror download servers, and said anyone\r\nwho grabbed the software between May 2 and May 6 could have also downloaded a variant of the OSX.PROTON\r\nTrojan onto their Mac system.\r\n“Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan,” said an\r\nadvisory. “You have 50/50 chance if you’ve downloaded HandBrake during this period.”\r\nApple, however, has since pushed out an XProtect signature preventing any new infections. HandBrake,\r\nmeanwhile, advises its users to also change all passwords in their OSX KeyChain or passwords stored in their\r\nbrowsers.\r\nHandBrake is free software that is used to convert video from a variety of formats to a supported codec. There are\r\nWindows, Mac and Linux versions. The warning was for the Mac version. The handlers advise verifying the\r\nSHA1 or SHA256 sum of the file before running it.\r\nThe bad SHA checksums are:\r\nSHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274\r\nSHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793\r\n“If you see a process called ‘activity_agent’ in the OSX Activity Monitor application, you are infected,” the\r\nadvisory said.\r\nProton is a remote access Trojan, or RAT, sold in Russian underground forums. 
Researchers at Sixgill published\r\nan analysis of the Mac malware, which is used to spy on the victim’s activities; it can monitor keystrokes, upload\r\nfiles to remote machines, download files from the web, steal screenshots and connect directly via SSH or a\r\nremote admin tool such as VNC.\r\n“The malware is shipped with genuine Apple code-signing signatures,” the Sixgill report said. “This means the\r\nauthor of Proton RAT somehow got through the rigorous filtration process Apple places on MAC OS developers\r\nof third-party software, and obtained genuine certifications for his program.”\r\nThe price, according to the researchers, is steep at around 100 Bitcoin ($163,600 today).\r\nPatrick Wardle, a Mac security expert, said on the Objective-See blog on Saturday that the Proton variant has zero\r\ncoverage on VirusTotal by antimalware engines. Wardle said that when the infected HandBrake app runs, it asks\r\nvia a phony authentication popup for the user’s credentials.\r\n“If the user is tricked into providing a user name and password, the malware will install itself,” Wardle said,\r\nadding that the credentials allow the malware to elevate privileges.\r\nBy compromising the HandBrake mirror, the attackers were able to follow the road map provided by other\r\nMac malware such as KeRanger, which infected the legitimate BitTorrent client Transmission, which was\r\ndeveloped by the same author. The HandBrake team said it does not share infrastructure with Transmission.\r\n“The HandBrake Team is independent of the Transmission Developers,” HandBrake said in its advisory. “The\r\nprojects share history in the sense that the same author created these apps but he is not part of the current\r\nHandBrake team of developers. 
We do not share our virtual machines with the Transmission project.”\r\nHandBrake also provided instructions for removing the Trojan from the Terminal application.\r\n“The Download Mirror Server is going to be completely rebuilt from scratch so downloads may be a bit slower\r\nthan usual while the primary picks up the load,” HandBrake said. “During this time, old versions of HandBrake\r\nwill not be available.”\r\nSource: https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/"
	],
	"report_names": [
		"125518"
	],
	"threat_actors": [],
	"ts_created_at": 1775791256,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/06156fa3e46b606cc10a3f22c19533fde4d48855.pdf",
		"text": "https://archive.orkl.eu/06156fa3e46b606cc10a3f22c19533fde4d48855.txt",
		"img": "https://archive.orkl.eu/06156fa3e46b606cc10a3f22c19533fde4d48855.jpg"
	}
}