{
	"id": "7e04a919-1946-4229-960e-ccf4c6037819",
	"created_at": "2026-04-06T00:11:08.427184Z",
	"updated_at": "2026-04-10T03:37:09.019863Z",
	"deleted_at": null,
	"sha1_hash": "d37a340c7fae51eb700cc8b673e008f5a5ee09c6",
	"title": "OSX/Proton spreading again through supply-chain attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 686232,
	"plain_text": "OSX/Proton spreading again through supply-chain attack\r\nBy ESET Research\r\nArchived: 2026-04-05 13:20:48 UTC\r\nOur researchers noticed that the makers of the Elmedia Player software have been distributing a version of their app\r\ntrojanized with the OSX/Proton malware.\r\n20 Oct 2017  •  5 min. read\r\nOn 19 October 2017, ESET researchers noticed that Eltima, the makers of the Elmedia Player software, were distributing a\r\nversion of their application trojanized with the OSX/Proton malware on their official website. ESET contacted Eltima as\r\nsoon as the situation was confirmed. Eltima was very responsive and maintained excellent communication with us\r\nthroughout the incident.\r\nTimeline\r\n2017-10-19: Trojanized package confirmed\r\n2017-10-19 10:35am EDT: Eltima informed via email\r\n2017-10-19 2:25pm EDT: Eltima acknowledged the issue and initiated remediation efforts\r\n2017-10-19 3:10pm EDT: Eltima confirms their infrastructure is cleaned up and serving the legitimate applications again\r\n2017-10-19 10:12am EDT: Eltima publishes an announcement about the event\r\n2017-10-20 12:15pm EDT: Added references to Folx, which was also distributed with the Proton malware\r\nNote: This blog was initially posted despite our research being incomplete. 
Hence, this information is preliminary and the\r\nblog post will be updated as new facts emerge.\r\nAm I compromised?\r\nESET advises anyone who downloaded Elmedia Player or Folx software recently to check whether their system is compromised\r\nby testing for the presence of any of the following files or directories:\r\n/tmp/Updater.app/\r\n/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist\r\n/Library/.rand/\r\n/Library/.rand/updateragent.app/\r\nIf any of them exists, the trojanized Elmedia Player or Folx application was executed and OSX/Proton is most\r\nlikely running.\r\nIf you downloaded that software on October 19th before 3:15pm EDT and ran it, you are likely compromised.\r\nAs far as we know, the trojanized version of the application was only downloadable from the Eltima website, between 08:00\r\nand 15:15 EDT on 19 October 2017. The built-in automatic update mechanism seems unaffected.\r\nWhat does the malicious payload do to a compromised system?\r\nOSX/Proton is a backdoor with extensive data-stealing capabilities. 
It gains persistence on the system and can steal the\r\nfollowing:\r\nOperating system details: hardware serial number (IOPlatformSerialNumber), full name of the current user,\r\nhostname, System Integrity Protection status (csrutil status), gateway information (route -n get default | awk\r\n'/gateway/ { print $2 }'), current time \u0026 timezone\r\nBrowser information from Chrome, Safari, Opera and Firefox: history, cookies, bookmarks, login data, etc.\r\nCryptocurrency wallets:\r\nElectrum: ~/.electrum/wallets\r\nBitcoin Core: ~/Library/Application Support/Bitcoin/wallet.dat\r\nArmory: ~/Library/Application Support/Armory\r\nSSH private data (entire .ssh content)\r\nmacOS keychain data using a modified version of chainbreaker\r\nTunnelblick VPN configuration (~/Library/Application Support/Tunnelblick/Configurations)\r\nGnuPG data (~/.gnupg)\r\n1Password data (~/Library/Application Support/1Password 4 and ~/Library/Application Support/1Password 3.9)\r\nList of all installed applications.\r\nHow do I clean my system?\r\nAs with any compromise of an administrator account, a full OS reinstall is the only sure way to get rid of the malware.\r\nVictims should also assume that at least all the secrets outlined in the previous section are compromised and take appropriate\r\nmeasures to invalidate them.\r\nSupply-chain attack revisited on the Mac\r\nLast year, the Mac BitTorrent client Transmission was abused twice to spread malware, first with the OSX/KeRanger ransomware,\r\nthen with the OSX/Keydnap password stealer. 
Then this year, the Handbrake video-transcoder application was found bundled\r\nwith OSX/Proton.\r\nToday, ESET discovered another popular Mac software package being used to spread OSX/Proton: Elmedia Player, a media\r\nplayer that reached the 1,000,000 users milestone this summer.\r\nTechnical analysis\r\nOSX/Proton is a RAT (Remote Access Trojan) sold as a kit on underground forums. It was very briefly documented by\r\nSixgill earlier this year and then further analyzed by Thomas Reed at Malwarebytes, Amit Serper at Cybereason and\r\nPatrick Wardle at Objective-See.\r\nIn the current case of the Eltima trojanized software, the attacker built a signed wrapper around the legitimate Elmedia Player\r\nand Proton. In fact, we observed what seems to be real-time repackaging and signing of the wrappers, all with the same\r\nvalid Apple Developer ID. See the history of currently known samples below. Eltima and ESET confirmed they are working\r\nwith Apple to invalidate the Developer ID used to sign the malicious application. 
(Apple revoked the certificate.)\r\n(timestamps are all in EDT timezone)\r\nClean application:\r\nTimestamp                 | Developer ID                                         | SHA-1\r\nJul 24, 2017, 4:56:24 AM  | Developer ID Application: ELTIMA LLC (N7U4HGP254)    | 0603353852e174fc0337642e3957c7423f182a8c\r\nTrojanized application:\r\nTimestamp                 | Developer ID                                         | SHA-1 (dmg file)\r\nOct 19, 2017, 8:00:05 AM  | Developer ID Application: Clifton Grimm (9H35WM5TA5) | e9dcdae1406ab1132dc9d507fd63503e5c4d41d9\r\nOct 19, 2017, 12:22:24 PM | Developer ID Application: Clifton Grimm (9H35WM5TA5) | 8cfa551d15320f0157ece3bdf30b1c62765a93a5\r\nOct 19, 2017, 2:00:38 PM  | Developer ID Application: Clifton Grimm (9H35WM5TA5) | 0400b35d703d872adc64aa7ef914a260903998ca\r\nFirst, the wrapper launches the real Elmedia Player application stored in the Resources folder of the application.\r\nIt then extracts \u0026 launches OSX/Proton.\r\nAs seen in previous cases, OSX/Proton shows a fake Authorization window to gain root privileges.\r\nPersistence\r\nOSX/Proton ensures persistence by adding a LaunchAgent for all users once the administrator has typed their password. 
It\r\ncreates the following files on the system:\r\n/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist\r\n/Library/.rand/updateragent.app\r\n$ plutil -p /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist\r\n{\r\n \"ProgramArguments\" =\u003e [\r\n 0 =\u003e \"/Library/.rand/updateragent.app/Contents/MacOS/updateragent\"\r\n ]\r\n \"KeepAlive\" =\u003e 1\r\n \"RunAtLoad\" =\u003e 1\r\n \"Label\" =\u003e \"com.Eltima.UpdaterAgent\"\r\n}\r\nBackdoor commands\r\nAs mentioned at the beginning of the post, OSX/Proton is a backdoor with extensive information-stealing capabilities. The\r\nbackdoor component we observed supports the following commands:\r\narchive        Archive files using zip\r\ncopy           Copy file locally\r\ncreate         Create directory or file locally\r\ndelete         Delete file locally\r\ndownload       Download file from a URL\r\nfile_search    Search for files (executes find / -iname \\\"%@\\\" 2\u003e /dev/null)\r\nforce_update   Self-update with digital signature validation\r\nphonehome\r\nremote_execute Execute the binary file inside a .zip file or a given shell command\r\ntunnel         Create SSH tunnel using port 22 or 5900\r\nupload         Upload file to C\u0026C server\r\nC\u0026C server\r\nProton uses a C\u0026C domain that mimics the legitimate Eltima domain, which is consistent with the Handbrake case:\r\n          | Legitimate domain | Proton C2 domain\r\nEltima    | eltima.com        | eltima[.]in\r\nHandbrake | handbrake.fr      | handbrakestore[.]com, handbrake[.]cc\r\nIOCs\r\nURLs distributing the trojanized application at the time of discovery:\r\nhxxps://mac[.]eltima[.]com/download/elmediaplayer.dmg\r\nhxxp://www.elmedia-video-player[.]com/download/elmediaplayer.dmg\r\nhxxps://mac.eltima[.]com/download/downloader_mac.dmg\r\nC\u0026C servers\r\neltima[.]in / 5.196.42.123 (domain registered 2017-10-15)\r\nHashes\r\nPath | SHA-1 | ESET detection name | Description\r\nElmedia Player.app/Contents/Resources/.pl.zip | 9E5378165BB20E9A7F74A7FCC73B528F7B231A75 | multiple threats | ZIP archive with the Proton malware and Python scripts\r\nElmedia Player.app/Contents/Resources/.pl.zip | 10A09C09FD5DD76202E308718A357ABC7DE291B5 | multiple threats | ZIP archive with the Proton malware and Python scripts\r\nElmedia Player.app/Contents/MacOS/Elmedia Player | C9472D791C076A10DCE5FF0D3AB6E7706524B741 | OSX/Proton.D | Launcher (or wrapper)\r\nElmedia Player.app/Contents/MacOS/Elmedia Player | 30D77908AC9D37C4C14D32EA3E0B8DF4C7E75464 | OSX/Proton.D | Launcher (or wrapper)\r\nUpdater.app/Contents/MacOS/Updater | 3EF34E2581937BABD2B7CE63AB1D92CD9440181A | OSX/Proton.C | Proton malware, not signed\r\nUpdater.app/Contents/MacOS/Updater | EF5A11A1BB5B2423554309688AA7947F4AFA5388 | OSX/Proton.C | Proton malware, not signed\r\nHat tip to Michal Malik, Anton Cherepanov, Marc-Étienne M. Léveillé, Thomas Dupuy \u0026 Alexis Dorais-Joncas for their\r\nwork on this investigation.\r\nSource: https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/"
	],
	"report_names": [
		"osx-proton-supply-chain-attack-elmedia"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434268,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d37a340c7fae51eb700cc8b673e008f5a5ee09c6.pdf",
		"text": "https://archive.orkl.eu/d37a340c7fae51eb700cc8b673e008f5a5ee09c6.txt",
		"img": "https://archive.orkl.eu/d37a340c7fae51eb700cc8b673e008f5a5ee09c6.jpg"
	}
}