{
	"id": "af3c8ad4-2729-416c-a1cc-696013f64096",
	"created_at": "2026-04-06T00:18:09.831742Z",
	"updated_at": "2026-04-10T03:30:33.118983Z",
	"deleted_at": null,
	"sha1_hash": "984261b46eca3c91be5cd27a717e2557d574b6bc",
	"title": "HandBrake Hacked! OSX/Proton (re)Appears",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3219698,
	"plain_text": "HandBrake Hacked! OSX/Proton (re)Appears\r\nArchived: 2026-04-05 14:24:43 UTC\r\nHandBrake Hacked!\r\n› osx/proton (re)appears\r\n5/06/2017\r\nlove these blog posts? support my tools \u0026 writing on patreon! Mahalo :)\r\nWant to play along? I've shared the malware, which can be downloaded here (password: infect3d). Please don't\r\ninfect yourself!\r\nBackground\r\nToday started like pretty much every other day in Hawaii, surf \u0026 beach ;)\r\nhttps://objective-see.com/blog/blog_0x1D.html\r\nPage 1 of 10\n\nHowever, around noon, Eric Holtam (@eholtam) tweeted the following:\r\nMahalo to @mikeymikey to notifying me about this tweet!\r\nHandbrake is an 'open-source video transcoder.' Heading over to their website (handbrake.fr), we can see they've\r\nadded a 'Security Alert' for Mac Users:\r\nhttps://objective-see.com/blog/blog_0x1D.html\r\nPage 2 of 10\n\nFollowing the url, links to a rather dire security alert, Mirror Download Server Compromised:\r\nSECURITY WARNING\r\nAnyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00\r\nUTC] needs to verify the SHA1 / 256 sum of the file before running it.\r\nAnyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have\r\n50/50 chance if you've downloaded HandBrake during this period.\r\nhttps://objective-see.com/blog/blog_0x1D.html\r\nPage 3 of 10\n\nYikes!\r\nThe security alert also provided a hash of the disk image (0935a43ca90c6c419a49e4f8f1d75e68cd70b274) that\r\nwas trojaned by the hackers.\r\nHopping over to VirusTotal, we can see that while this .dmg was submitted for analysis, no anti-virus engines are\r\ncurrently flagging it. No surprise there :|\r\nAnalysis\r\nOnce we have a copy of the infected .dmg (I've shared it here password: infect3d), analysis can commence. Since\r\nit's the weekend - I'm going to take the 'lazy' (efficient?) route and basically just run the infected application and\r\nsee what happens :)\r\nIn order to facilitate malware analysis I wrote a simple user-mode 'process monitor' library that allows us to easy\r\ntrack what application is doing - in terms of spawning other processes, etc:\r\nProcessMonitor* procMon = nil;\r\n//block\r\nProcessCallbackBlock block = ^(Process* newProcess)\r\n{\r\n  NSLog(@\"new process: %@\", newProcess);\r\n};\r\n//start monitoring!\r\nprocMon = [[ProcessMonitor alloc] init];\r\n[procMon start:block];\r\n//run loop\r\n[[NSRunLoop currentRunLoop] run];\r\nRunning this code and executing the infected Handbrake application, we can see exactly what's going on:\r\nhttps://objective-see.com/blog/blog_0x1D.html\r\nPage 4 of 10\n\n[new process]\r\npid=1368\r\nbinary=/Volumes/HandBrake/HandBrake.app/Contents/MacOS/HandBrake\r\nsignatureStatus = \"-67062 (unsigned)\r\n[new process]\r\npid=1370\r\nbinary=path=/bin/sh\r\nargs: \"-c\", \"pgrep -x activity_agent \u0026\u0026 echo Queue.hbqueue\"\r\n[new process]\r\npid=1371\r\nbinary=/usr/bin/unzip\r\nargs: \"-P\", \"qzyuzacCELFEYiJ52mhjEC7HYl4eUPAR1EEf63oQ5iTkuNIhzRk2JUKF4IXTRdiQ\",\r\n\"/Volumes/HandBrake/HandBrake.app/Contents/Resources/HBPlayerHUDMainController.nib\", \"-d\", \"/tmp\"\r\n[new process]\r\npid=1372\r\nbinary=/usr/bin/open\r\nargs: \"/tmp/HandBrake.app\"\r\nSo yah, when run, the infected Handbrake application:\r\n1. unzips Contents/Resources/HBPlayerHUDMainController.nib to /tmp/HandBrake.app. This 'nib' is a\r\npassword protected zip file who's password is:\r\nqzyuzacCELFEYiJ52mhjEC7HYl4eUPAR1EEf63oQ5iTkuNIhzRk2JUKF4IXTRdiQ\r\n2. launches (opens) /tmp/HandBrake.app\r\nOnce the /tmp/HandBrake.app is launched, it displays a (fake) authentication popup - which is how the malware\r\nattempts to elevate its privileges:\r\nhttps://objective-see.com/blog/blog_0x1D.html\r\nPage 5 of 10\n\nIf the user is tricked into providing a user name and password the malware will install itself (/tmp/HandBrake.app)\npersistently as: 'activity_agent.app'.\nThankful, BlockBlock can alert us of this fact:\nDumping the Launch Agent plist file (fr.handbrake.activity_agent.plist), we can see the malware has been set to\nautomatically start each time the user logs in:\n?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\nKeepAlive ...\nhttps://objective-see.com/blog/blog_0x1D.html\nPage 6 of 10\n\nProgramArguments/Users/user/Library/RenderFiles/activity_agent.app/\n Contents/MacOS/activity_agentRunAtLoad According to the HandBrake advisory, the malware's peristent component, activity_agent.app is a 'a new variant of\nOSX.PROTON'\nProton (variant 'A') was discussed earlier this year by the media (for example, see: \"Hackers Selling Undetectable\nProton Malware for macOS in 40 BTC\")\nThough Apple released an XProtect signature for it, the sample was never publicly shared. However, the malware\nauthor was kind enough to describe ('advertise') its capabilties:\nWith the HandBrake hack, finally now we have a variant for analysis :). Initial triage confirms, yes this a variant\nhttps://objective-see.com/blog/blog_0x1D.html\nPage 7 of 10\n\nof OSX/Proton ('B'), although some of the features found in the 'A' variant, (such as the ability to take screenshots)\r\nare not present.\r\nAgain, unsurprisingly this new variant of OSX/Proton is also currently undetected by any anti-virus engines on\r\nVirusTotal:\r\nInterested in the technical details of OSX/Proton? I wrote it in a new blog, \"OSX/Proton.B (a brief analysis, at 6\r\nmiles up)\".\r\nConclusions\r\nAs with KeRanger and Keydnap, hackers targeted an official distribution website of legitimate macOS software.\r\nWith access to HandBrake's mirror, they trojaned the legitimate application, meaning any user who downloaded\r\nthe application would inadvertently infect themselves!\r\nLuckily the trojaned disk image was only online for a few days. However as is often (always!?) the case, no anti-virus products flagged the malware :( So if you recently download HandBrake, unless you were running\r\nsomething like BlockBlock you'd likely have been infected.\r\nTo check if you're infected, look for the following:\r\na process named 'activity_agent'\r\nan application name 'activity_agent.app in ~/Library/RenderFiles/\r\na plist file: '~/Library/LaunchAgents/fr.handbrake.activity_agent.plist\r\nhttps://objective-see.com/blog/blog_0x1D.html\r\nPage 8 of 10\n\nApple has now also pushed out an XProtect signature, meaning that all new infections should be twarted. Hooray!\r\n$ cat /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara\r\nprivate rule Macho\r\n{\r\n  meta:\r\n  description = \"private rule to match Mach-O binaries\"\r\n  condition:\r\n  uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf\r\n  or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca\r\n}\r\nrule XProtect_OSX_Proton_B\r\n{\r\n  meta:\r\n  description = \"OSX.Proton.B\"\r\n  condition:\r\n  Macho and filesize \u003c 800000 and hash.sha1(0, filesize) ==\r\n    \"a8ea82ee767091098b0e275a80d25d3bc79e0cea\"\r\n}\r\nOk, so kudos to Apple for the quick turn around on signatures....but the signature is:\r\njust a SHA-1 hash\r\nmatches on the trojaned Handbrake binary (HandBrake.app/Contents/MacOS/HandBrake on the .dmg)\r\n$ shasum -a 1 /Volumes/HandBrake/HandBrake.app/Contents/MacOS/HandBrake\r\na8ea82ee767091098b0e275a80d25d3bc79e0cea\r\n/Volumes/HandBrake/HandBrake.app/Contents/MacOS/HandBrake\r\nThis means if the malware authors used any other infection vector, or even just recompiled the trojaned binary,\r\nthis signature would no longer flag the malware :/ Do people still say 'yolo'?\r\nAnd even if you don't have source code, you can just flip a single bit in the binary to thwart the signature. To test\r\nthis, I changed the final byte in HandBrake.app/Contents/MacOS/HandBrake from an 0x00 to 0xFF. While this\r\ndoesn't impact functionality of the binary, it changes its SHA-1 hash, meaning the malware is no longer blocked\r\nby XProtect. The following, first shows XProtect 'blocking' OSX/Proton.B. However, a second modified version\r\nis allowed to run, as the signature no longer matches:\r\nhttps://objective-see.com/blog/blog_0x1D.html\r\nPage 9 of 10\n\nSource: https://objective-see.com/blog/blog_0x1D.html\r\nhttps://objective-see.com/blog/blog_0x1D.html\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://objective-see.com/blog/blog_0x1D.html"
	],
	"report_names": [
		"blog_0x1D.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434689,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/984261b46eca3c91be5cd27a717e2557d574b6bc.pdf",
		"text": "https://archive.orkl.eu/984261b46eca3c91be5cd27a717e2557d574b6bc.txt",
		"img": "https://archive.orkl.eu/984261b46eca3c91be5cd27a717e2557d574b6bc.jpg"
	}
}