{
	"id": "c2aa89e7-6fbc-4068-a07e-aa8fed5dfbd7",
	"created_at": "2026-04-06T00:07:46.939066Z",
	"updated_at": "2026-04-10T03:21:54.737461Z",
	"deleted_at": null,
	"sha1_hash": "ddb1fb480165f6c2e6031306b59cecbbf2909415",
	"title": "OSX/Keydnap spreads via signed Transmission application",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 213877,
	"plain_text": "OSX/Keydnap spreads via signed Transmission application\r\nBy ESET Research\r\n30 Aug 2016, 6 min. read\r\nLast month ESET researchers wrote an article about a new OS X malware called OSX/Keydnap, built to steal the\r\ncontent of OS X’s keychain and maintain a permanent backdoor. At the time of the analysis, it was unclear how\r\nvictims were exposed to OSX/Keydnap. To quote the original article: “It could be through attachments in spam\r\nmessages, downloads from untrusted websites or something else.”\r\nDuring the last hours, OSX/Keydnap was distributed on a trusted website, which turned out to be “something else”.\r\nIt spread via a recompiled version of the otherwise legitimate open source BitTorrent client application\r\nTransmission, distributed on the project’s official website.\r\nInstant response from the Transmission team\r\nLiterally minutes after being notified by ESET, the Transmission team removed the malicious file from their web\r\nserver and launched an investigation to identify how this happened. At the time of writing, it was impossible to tell\r\nexactly when the malicious file was made available for download. According to the signature, the application\r\nbundle was signed on August 28th, 2016, but it seems to have been distributed only the next day. 
Thus, we advise\r\nanyone who downloaded Transmission v2.92 between August 28th and August 29th, 2016, inclusive, to check whether\r\ntheir system is compromised by looking for any of the following files or directories:\r\n/Applications/Transmission.app/Contents/Resources/License.rtf\r\n/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\r\n$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\r\n$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\r\n$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\r\n/Library/Application Support/com.apple.iCloud.sync.daemon/\r\n$HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist\r\nIf any of them exists, it means the malicious Transmission application was executed and that Keydnap is most\r\nlikely running. Also note that the malicious disk image was named Transmission2.92.dmg while the legitimate one\r\nis Transmission-2.92.dmg (notice the hyphen).\r\nhttps://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/\r\nPage 1 of 6\n\nSimilarity with KeRanger\r\nIf this modus operandi sounds familiar, you are totally correct. In March 2016, Palo Alto Networks published a\r\nblog post warning about OSX/KeRanger, the first OS X ransomware observed. In fact, Keydnap used the same technique to spread\r\nitself.\r\nIn both cases, a malicious block of code is added to the main function of the Transmission application. The code\r\nresponsible for dropping and running the malicious payload is, astonishingly, the same.\r\nTransmission’s main function dropping OSX/KeRanger\r\nTransmission’s main function dropping OSX/Keydnap\nJust like in the KeRanger case, a legitimate code signing key was used to sign the malicious Transmission\napplication bundle. 
The key is different from the legitimate Transmission certificate, but it is still issued under Apple’s Developer ID program and\nbypasses Gatekeeper protection.\n# Malicious Transmission.app\n$ codesign -dvvv /Volumes/Transmission/Transmission.app\nExecutable=/Volumes/Transmission/Transmission.app/Contents/MacOS/Transmission\nIdentifier=org.m0k.transmission\nFormat=app bundle with Mach-O thin (x86_64)\nCodeDirectory v=20200 size=6304 flags=0x0(none) hashes=308+3 location=embedded\nHash type=sha1 size=20\nCandidateCDHash sha1=37ffe70260919ee70e9f2a601d5ad00e2dd5a011\nHash choices=sha1\nCDHash=37ffe70260919ee70e9f2a601d5ad00e2dd5a011\nSignature size=4255\nAuthority=Developer ID Application: Shaderkin Igor (836QJ8VMCQ)\nAuthority=Developer ID Certification Authority\nAuthority=Apple Root CA\nSigned Time=Aug 28, 2016, 12:09:55 PM\nInfo.plist entries=38\nTeamIdentifier=836QJ8VMCQ\nSealed Resources version=2 rules=12 files=331\nInternal requirements count=1 size=212\n# Clean Transmission.app\n$ codesign -dvvv /Volumes/Transmission/Transmi\nExecutable=/Volumes/Transmission/Transmission.\nIdentifier=org.m0k.transmission\nFormat=app bundle with Mach-O thin (x86_64)\nCodeDirectory v=20200 size=6304 flags=0x0(none)\nHash type=sha1 size=20\nCandidateCDHash sha1=a68d09161742573b09a17b8ae\nHash choices=sha1\nCDHash=a68d09161742573b09a17b8aef05f918a1cebca\nSignature size=8561\nAuthority=Developer ID Application: \nAuthority=Developer ID Certification Authority\nAuthority=Apple Root CA\nTimestamp=Mar 6, 2016, 3:01:41 PM\nInfo.plist entries=38\nTeamIdentifier=5DPYRBHEAR\nSealed Resources version=2 rules=12 files=328\nInternal requirements count=1 size=180\nNote also that the clean bundle carries a Timestamp, a counter-signature from Apple’s timestamp service, while the malicious bundle shows only a Signed Time, which is the signer’s own clock and is not independently verifiable.\nESET has notified Apple about the compromised code signing key.\nBesides the distribution method, Keydnap and KeRanger share some similarities in their code, such as the C\u0026C URL\nresource path and parameters.\nKeRanger: 
/osx/ping?user_id=%s\u0026uuid=%s\u0026model=%s\nKeydnap: /api/osx?bot_id=%s\u0026action=ping\u0026data=%s (parameters sent as POST data, encrypted with RC4)\nKeydnap now at version 1.5\nWhile reporting to the C\u0026C server, Keydnap includes an internal version number. The one we observed in the new binary\nis 1.5.\nIt is still packed with the modified UPX described in our first article about Keydnap. The patch we published on\nGitHub to unpack the executable file still works with the new variant.\nA significant change in the new version is the presence of a standalone Tor client. This enables Keydnap to reach its\nonion-routed C\u0026C server without needing a Tor2Web relay such as onion.to.\nInside Keydnap, curl is set to use the local Tor client as a proxy\nThere is only one additional command compared to the previous version we analyzed. This new command, with id\n10, allows the C\u0026C server URL to be changed and saves the new URL on disk.\nThe RC4 key used to encrypt HTTP POST data and decrypt the response changed to \"u-4\u0026LpZ!6Kgu^=$a\".\nThe hardcoded C\u0026C URL is now hxxp://t4f2cocitdpqa7tv.onion/api/osx\n\nHow to remove OSX/Keydnap\r\nTo remove Keydnap v1.5, start by quitting Transmission. 
Then, in Activity Monitor, kill processes with any of the\r\nfollowing names:\r\n- icloudproc\r\n- License.rtf\r\n- icloudsyncd\r\n- /usr/libexec/icloudsyncd -launchd netlogon.bundle\r\nRemove the following files and directories:\r\n- /Library/Application Support/com.apple.iCloud.sync.daemon/\r\n- /Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\r\n- /Users/$USER/Library/Application Support/com.apple.iCloud.sync.daemon/\r\n- /Users/$USER/Library/Application Support/com.geticloud/\r\n- /Users/$USER/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\r\n- /Users/$USER/Library/LaunchAgents/com.geticloud.icloud.photo.plist\r\nRemove Transmission from your system and download it again from a trusted source. The Transmission website and\r\nbinaries are now hosted on GitHub. You can verify the hash and the signature of the legitimate binary package with:\r\n- \"shasum -a 256\", comparing the result with the hash published on the site, and\r\n- \"codesign -dvvv\", verifying that it is signed by \"Digital Ignition LLC\" with team identifier 5DPYRBHEAR.\r\nIOCs\r\nTransmission bundle\r\nSHA-1                                    Filename             ESET Detection name\r\n1ce125d76f77485636ecea330acb038701ccc4ce Transmission2.92.dmg OSX/Keydnap.A\r\nOSX/Keydnap dropper\r\nSHA-1                                    Filename             ESET Detection name\r\ne0ef6a5216748737f5a3c8d08bbdf204d039559e Transmission         OSX/TrojanDropper.Agent.A\r\nOSX/Keydnap backdoor\r\nSHA-1                                    ESET Detection name  C\u0026C                            Version\r\n8ca03122ee73d3e522221832872b9ed0c9869ac4 OSX/Keydnap.A        hxxp://t4f2cocitdpqa7tv.onion  1.5\r\nSource: https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"
	],
	"report_names": [
		"osxkeydnap-spreads-via-signed-transmission-application"
	],
	"threat_actors": [],
	"ts_created_at": 1775434066,
	"ts_updated_at": 1775791314,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ddb1fb480165f6c2e6031306b59cecbbf2909415.pdf",
		"text": "https://archive.orkl.eu/ddb1fb480165f6c2e6031306b59cecbbf2909415.txt",
		"img": "https://archive.orkl.eu/ddb1fb480165f6c2e6031306b59cecbbf2909415.jpg"
	}
}