{
	"id": "3a38cc90-beb0-4d38-afe1-7c7d64fab314",
	"created_at": "2026-04-06T00:19:49.735325Z",
	"updated_at": "2026-04-10T03:21:39.709434Z",
	"deleted_at": null,
	"sha1_hash": "dbeee9c7964efeacccb1141bece7e2339dd17d29",
	"title": "Flashback (Trojan horse)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 87630,
	"plain_text": "Flashback (Trojan horse)\r\nBy Contributors to Wikimedia projects\r\nPublished: 2012-04-05 · Archived: 2026-04-05 14:12:19 UTC\r\nFrom Wikipedia, the free encyclopedia\r\n(Redirected from Flashback (Trojan))\r\nOSX.FlashBack,\r\n[1]\r\n also known as the Flashback Trojan, Fakeflash, or Trojan BackDoor.Flashback, is a\r\nTrojan horse affecting personal computer systems running Mac OS X.\r\n[2][3]\r\n The first variant of Flashback was\r\ndiscovered by antivirus company Intego in September 2011.[4]\r\nAccording to the Russian antivirus company Dr. Web, a modified version of the \"BackDoor.Flashback.39\" variant\r\nof the Flashback Trojan had infected over 600,000 Mac computers, forming a botnet that included 274 bots\r\nlocated in Cupertino, California.\r\n[5][6]\r\n The findings were confirmed one day later by another computer security\r\nfirm, Kaspersky Lab.\r\n[7]\r\n This variant of the malware was first detected in April 2012[8] by Finland-based computer\r\nsecurity firm F-Secure.\r\n[9][10]\r\n Dr. Web estimated that in early April 2012, 56.6% of infected computers were\r\nlocated within the United States, 19.8% in Canada, 12.8% in the United Kingdom and 6.1% in Australia.\r\n[6]\r\nThe original variant used a fake installer of Adobe Flash Player to install the malware, hence the name\r\n\"Flashback\".[4]\r\nA later variant targeted a Java vulnerability on Mac OS X. The system was infected after the user was redirected to\r\na compromised bogus site, where JavaScript code caused an applet containing an exploit to load. An executable\r\nfile was saved on the local machine, which was used to download and run malicious code from a remote location.\r\nThe malware also switched between various servers for optimized load balancing. Each bot was given a unique ID\r\nthat was sent to the control server.\r\n[6]\r\n The trojan, however, would only infect the user visiting the infected web\r\npage, meaning other users on the computer were not infected unless their user accounts had been infected\r\nseparately.\r\n[11]\r\nOracle, the company that develops Java, fixed the vulnerability exploited to install Flashback on February 14,\r\n2012.[8] However, at the time of Flashback's release, Apple maintained the Mac OS X version of Java and did not\r\nrelease an update containing the fix until April 3, 2012,[12] after the flaw had already been exploited to install\r\nFlashback on 600,000 Macs.[13] On April 12, 2015, the company issued a further update to remove the most\r\ncommon Flashback variants.[14] The updated Java release was only made available for Mac OS X Lion and Mac\r\nOS X Snow Leopard; the removal utility was released for Intel versions of Mac OS X Leopard in addition to the\r\ntwo newer operating systems. Users of older operating systems were advised to disable Java.[12] There are also\r\nsome third party programs to detect and remove the Flashback trojan.[13] Apple worked on a new process that\r\nwould eventually lead to a release of a Java Runtime Environment (JRE) for Mac OS X at the same time it would\r\nhttps://en.wikipedia.org/wiki/Flashback_(Trojan)\r\nPage 1 of 2\n\nbe available for Windows, Linux, and Solaris users.[15]\r\n As of January 9, 2014, about 22,000 Macs were still\r\ninfected with the Flashback trojan.[16]\r\nMac Defender\r\nLeap (computer worm)\r\n1. ^ This is the name used in Apple's built-in anti-malware software XProtect. Other antivirus software\r\nvendors may use different names.\r\n2. ^ 5 April 2012, Flashback Trojan botnet infects 600,000 Macs, Siliconrepublic\r\n3. ^ 5 April 2012, 600,000 infected Macs are found in a botnet, The Inquirer\r\n4. ^ Jump up to: a\r\n \r\nb\r\n September 26, 2011, Mac Flashback Trojan Horse Masquerades as Flash Player Installer\r\nPackage, Intego Security\r\n5. ^ Jacqui Cheng, 4 April 2012, Flashback Trojan reportedly controls half a million Macs and counting, Ars\r\nTechnica\r\n6. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n 4 April 2012, Doctor Web exposes 550 000 strong Mac botnet Dr. Web\r\n7. ^ Chloe Albanesius, 6 April 2012, Kaspersky Confirms Widespread Mac Infections Via Flashback Trojan,\r\nPCMag\r\n8. ^ Jump up to: a\r\n \r\nb\r\n \"Half a million Mac computers 'infected with malware'\". BBC. April 5, 2012. Retrieved\r\nApril 5, 2012.\r\n9. ^ April 2, 2012, Mac Flashback Exploiting Unpatched Java Vulnerability F-Secure's News from the Lab\r\n10. ^ 11 April 2012, Apple crafting weapon to vanquish Flashback virus, Sydney Morning Herald\r\n11. ^ Kessler, Topher. \"How to remove the Flashback malware from OS X\". CNET.\r\n12. ^ Jump up to: a\r\n \r\nb\r\n \"About Flashback malware\". Apple. April 10, 2012. Retrieved April 12, 2012.\r\n13. ^ Jump up to: a\r\n \r\nb\r\n \"flashbackcheck.com\". Kaspersky. April 9, 2012. Archived from the original on August\r\n15, 2012. Retrieved April 12, 2012.\r\n14. ^ \"About Java for OS X Lion 2012-003\". Apple. April 12, 2012. Retrieved April 12, 2012.\r\n15. ^ \"Mac Security: A Myth?\". eSecurity Planet. April 13, 2012. Archived from the original on April 17, 2012.\r\nRetrieved April 16, 2012.\r\n16. ^ \"It's alive! Once-prolific Flashback trojan still infecting 22,000 Macs\". January 9, 2014. Retrieved\r\nJanuary 9, 2014.\r\nApple Delays, Hackers Play April 12, 2012\r\nSource: https://en.wikipedia.org/wiki/Flashback_(Trojan)\r\nhttps://en.wikipedia.org/wiki/Flashback_(Trojan)\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Flashback_(Trojan)"
	],
	"report_names": [
		"Flashback_(Trojan)"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434789,
	"ts_updated_at": 1775791299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dbeee9c7964efeacccb1141bece7e2339dd17d29.pdf",
		"text": "https://archive.orkl.eu/dbeee9c7964efeacccb1141bece7e2339dd17d29.txt",
		"img": "https://archive.orkl.eu/dbeee9c7964efeacccb1141bece7e2339dd17d29.jpg"
	}
}