{
	"id": "403b873f-f299-4d00-9bf0-cc1f85a19a90",
	"created_at": "2026-04-06T00:14:08.939252Z",
	"updated_at": "2026-04-10T03:20:24.079546Z",
	"deleted_at": null,
	"sha1_hash": "fa0058104e254e2a79fef075661bed004520969c",
	"title": "OSX.Proton spreading through fake Symantec blog | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 486233,
	"plain_text": "OSX.Proton spreading through fake Symantec blog | Malwarebytes\r\nLabs\r\nBy Thomas Reed\r\nPublished: 2017-11-19 · Archived: 2026-04-05 20:09:57 UTC\r\nSunday night, a series of tweets from security researcher @noarfromspace revealed a new variant of the\r\nOSX.Proton malware, spreading in a concerning new method—spoofing security company Symantec’s blog.\r\nMethod of infection\r\nThe malware is being promoted via a fake Symantec blog site at symantecblog[dot]com. The site is a good\r\nimitation of the real Symantec blog, even mirroring the same content. The registration information for the domain\r\nappears, at first glance, to be legitimate, using the same name and address as the legitimate Symantec site. The\r\nemail address used to register the domain is a dead giveaway, however:\r\nhttps://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/\r\nPage 1 of 7\n\nEven more suspicious is the certificate used by the site. It is a legitimate SSL certificate, but was issued by Comodo\r\nrather than Symantec’s own certificate authority.\r\nThe fake site contains a blog post about a supposed new version of CoinThief, a piece of malware from 2014. The\r\nfake post claims that a new variant of CoinThief has been spotted. In fact, as far as I’ve been able to determine,\r\nthis is a made-up story, and no such new variant of CoinThief actually exists.\r\nThe fake post promotes a program called “Symantec Malware Detector,” supposedly to detect and remove the\r\nmalware. No such program actually exists.\r\nUnfortunately, links to the fake post have been spreading on Twitter. Some of the accounts tweeting the link\r\nappear to be fake accounts, but others seem to be legitimate. Given the fact that the primary goal of the Proton\r\nmalware is to steal passwords, these could be hacked accounts whose passwords were compromised in a previous\r\nProton outbreak. 
However, they could also simply be the result of people being tricked into thinking the fake blog\r\npost is real.\r\nUsers who download and run the “Symantec Malware Detector” will instead be infected with malware.\r\nMalware behavior\r\nWhen run, the malicious Symantec Malware Detector application displays a very simple window, using the\r\nSymantec logo:\r\nIf the user quits the application at this point, the malware does not actually get installed. However, let’s be honest\r\n—if you’ve been tricked into downloading and opening this application, you probably won’t bail out at this point.\r\nClicking the “Check” button results in a request for an admin password:\r\nThe average Mac user has seen these kinds of password requests many times before, so again, this is unlikely to\r\nraise suspicions among users who have gotten this far. In reality, this is a very well-done fake and will give the\r\nmalware your password. (Unlike the legitimate password request this is designed to imitate, which does not give\r\nthe requesting software the user’s password.)\r\nIf an admin password is provided, the application displays a progress bar claiming to be scanning the computer.\r\nIn reality, however, the application has installed the Proton malware.\r\nThe malware will begin capturing information, including logging the user’s admin password in clear text, among a\r\nlot of other personally identifying information (PII) to a hidden file:\r\n[...] 2017-11-19T20:29:19.801Z ********* test test test%E2%80%99s Mac testpw 10.12.6 en_US\r\nThe malware also captures and exfiltrates things like keychain files, browser auto-fill data, 1Password vaults, and\r\nGPG passwords. 
Since the malware has phished the user’s password, the hackers will be able to decrypt the\r\nkeychain files at a minimum.\r\nIndicators of compromise\r\nThe Symantec Malware Detector application is, as far as I’m able to determine, a completely made-up name. If\r\nyou see such an application—perhaps in the Downloads folder, or perhaps in the Applications folder, depending\r\non where the user puts it—it should be deleted.\r\nIf you are unsure of whether the application is actually malicious, you can check the code signature. Enter the\r\nfollowing command in the Terminal, substituting the actual path:\r\ncodesign -dvvv \"path/to/Symantec Malware Detector.app\"\r\nThe malicious application has been signed by someone named Sverre Huseby, using a certificate with a team\r\nidentifier of E224M7K47W. Anything signed with this certificate should be considered malicious.\r\nOnce this malicious “dropper” application has been run, the following paths will be found on the system:\r\n/Library/LaunchAgents/com.apple.xpcd.plist\r\n/Library/.cachedir/\r\n/Library/.random/\r\nThe .random directory holds the malicious Proton executable, which is kept running by the com.apple.xpcd.plist\r\nlaunch agent. The .cachedir folder contains data that has been or will be exfiltrated.\r\nIn addition to these files, the /private/etc/sudoers file will have been modified. The following line will have been\r\nadded to the end:\r\nDefaults !tty_tickets\r\nThat line should be removed from the sudoers file.\r\nFortunately, Apple is aware of this malware and has revoked the certificate used to sign the malware. This will\r\nprevent future infections by the Symantec Malware Detector. 
Revoking the certificate will not, by itself, do\r\nanything to protect a machine that is already infected.\r\nImplications\r\nMalwarebytes for Mac will detect and remove Proton infections for free. If you find your Mac to be infected, it’s\r\nquite easy to remove the malware. However, removing the malware is only part of the solution.\r\nSince Proton is designed to steal login credentials, you will need to take some emergency actions post-infection.\r\nYou should treat all online passwords as compromised and change them all. Be sure, while you’re at it, to use\r\ndifferent passwords on every site, and use a password manager (such as 1Password or LastPass) to keep track of\r\nthem. Since 1Password vaults are a target of Proton, be sure that you don’t store your password manager’s master\r\npassword in your keychain or anywhere else on the computer. That should be the one and only password that you\r\nmemorize, and it should be strong.\r\nYou should also enable two-factor authentication on every account that will allow you to do so. That will\r\nminimize the impact of such breaches in the future by ensuring that a hacker will need more than just your\r\npassword to access your accounts.\r\nIn addition to passwords, you should consider any other information that may have been part of the compromise.\r\nFor example, if you store credit card numbers or other sensitive data in the keychain, it should be treated as\r\ncompromised and you should respond accordingly.\r\nAs always, if the machine that was compromised was issued to you by your employer, or has company data on it,\r\nyou should notify IT immediately. Failure to do so could lead to a very serious breach of your company’s systems.\r\nConclusion\r\nProton has been circulating for quite some time after its initial appearance in March. 
It has previously been\r\ndistributed via a compromise of the Handbrake application and a similar compromise of a couple of Eltima Software\r\napplications. It is highly likely that Proton will continue to circulate, and similar incidents will continue to occur.\r\nProton illustrates an increasing problem in the Mac community. The prevailing attitude that you can avoid Mac\r\nmalware if you’re careful enough is failing in the face of supply chain attacks, such as the hacks of the Handbrake\r\nand Eltima Software systems.\r\nFurther, so-called “fake news” being used to distribute malware is a highly dangerous threat. Many people these\r\ndays are looking to download malware removal software for the Mac, due to the increasing prevalence of\r\nannoying Mac adware. Unfortunately, it is often the case that such software will be downloaded after a search that\r\ngives questionable results, or after seeing a recommendation from a hacked or fake account on social media or\r\nforums.\r\nMacs are the targets of an increasing amount of malware. They can no longer be assumed to be safe. The old\r\nadvice that “Macs don’t get viruses,” which can still be found echoing in many Mac-centric forums, has never\r\nbeen true, and this is becoming increasingly obvious to those following such events. Do not fall victim due to a\r\nfalse sense of security caused by the fact that you have a Mac!\r\nAbout the author\r\nHad a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.\r\nSource: https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/"
	],
	"report_names": [
		"osx-proton-spreading-through-fake-symantec-blog"
	],
	"threat_actors": [],
	"ts_created_at": 1775434448,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa0058104e254e2a79fef075661bed004520969c.pdf",
		"text": "https://archive.orkl.eu/fa0058104e254e2a79fef075661bed004520969c.txt",
		"img": "https://archive.orkl.eu/fa0058104e254e2a79fef075661bed004520969c.jpg"
	}
}