RL Blog

Topics

All Blog PostsAppSec & Supply Chain SecurityDev & DevSecOpsProducts & TechnologySecurity OperationsThreat Research

Follow us

XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBluesky

Subscribe

Get the best of RL Blog delivered to your in-box weekly. Stay up to date on key trends, analysis and best practices across threat intelligence and software supply chain security.

ReversingLabs: The More Powerful, Cost-Effective Alternative to VirusTotalSee Why
Skip to main content
Contact UsSupportLoginBlogCommunity
reversinglabsReversingLabs: Home
Solutions
Secure Software OnboardingSecure Build & ReleaseProtect Virtual MachinesIntegrate Safe Open SourceGo Beyond the SBOM
Increase Email Threat ResilienceDetect Malware in File Shares & StorageAdvanced Malware Analysis SuiteICAP Enabled Solutions
Scalable File AnalysisHigh-Fidelity Threat IntelligenceCurated Ransomware FeedAutomate Malware Analysis Workflows
Products & Technology
Spectra Assure®Software Supply Chain SecuritySpectra DetectHigh-Speed, High-Volume, Large File AnalysisSpectra AnalyzeIn-Depth Malware Analysis & Hunting for the SOCSpectra IntelligenceAuthoritative Reputation Data & Intelligence
Spectra CoreIntegrations
Industry
Energy & UtilitiesFinanceHealthcareHigh TechPublic Sector
Partners
Become a PartnerValue-Added PartnersTechnology PartnersMarketplacesOEM Partners
Alliances
Resources
BlogContent LibraryCybersecurity GlossaryConversingLabs PodcastEvents & WebinarsLearning with ReversingLabsWeekly Insights Newsletter
Customer StoriesDemo VideosDocumentationOpenSource YARA Rules
Company
About UsLeadershipCareersSeries B Investment
EventsRL at RSAC
Press ReleasesIn the News
Pricing
Software Supply Chain SecurityMalware Analysis and Threat Hunting
Request a demo
Menu
Threat ResearchApril 2, 2020

Hawkish applications lurking in your MacOS environment

macOS Blog 4 of 5: Catching the Proton Backdoor in your Video

Marijan Ralasic black white headshot
Marijan Ralasic, Former Solution Architect at ReversingLabsMarijan Ralasic
FacebookFacebookXX / TwitterLinkedInLinkedInblueskyBlueskyEmail Us
Catching the proton backdoor in your video

Let’s say you own a Mac, you read our blogs and you want to protect yourself. After installing an antivirus program, it suddenly detects your favorite video transcoder: HandBrake. As this is clearly a false positive, you decide to go about your way and ignore this detection. Well, you might have been infected with the Proton backdoor.

A backdoor is a vulnerability that gives the attacker unauthorized access to a system by bypassing normal security mechanisms. It is a threat that hides and works in the background, making it difficult to detect or remove. Red teams are using backdoors to gain access to systems from remote locations, steal personal information, install unwanted software, or take control of the entire computer.

The Proton threat was present on the HandBrake’s official download site between 02/May/2017 14:30 UTC and 06/May/2017 11:00 UTC. The user would unknowingly download the infected application and install it on their system. Upon running the application, the malicious copy of HandBrake would immediately ask for the admin password. This is strange behavior for a video transcoding application, but such requests are often ignored by the end-users. Proton would then exfiltrate the keychain containing all the passwords and pose as a backdoor for hackers. The Proton threat had the 0935a43ca90c6c419a49e4f8f1d75e68cd70b274 SHA1 checksum that could have been compared against the checksum on the official web site, preventing the infection.

Proton sample detected by ReversingLabs solutions

Figure 1: Proton sample detected by ReversingLabs solutions

This is not the first time, nor the last time, we’re seeing Proton-like attacks. Proton already posed as Elmedia Player, using C&C servers registered as eltima[.]in / 5.196.42.123. Later on, a new threat emerged in the form of Calisto. The Calisto malware is a Mac backdoor that was created in 2016 but managed to remain under the radar until as late as 2018. The malware authors who created Calisto disguised the malware as the ninth version of Intego security for Mac, sample SHA1: 55800dc173d80a8a4ab7685b0a4f212900778fa0

Line graph: increasing Calisto detection rate

Figure 2: Increasing Calisto detection rate

These samples are just for the showcase, but what they show is there are similarities between various malware samples, and it’s only a question of time when a new threat will emerge. To protect yourself against backdoors you should increase awareness of their existence in the wild.

Never download email attachments or open links sent by people you don’t know. When you download files from the web, make sure they are coming from official sources, and compare checksums against officially listed ones. Be careful when visiting less secure sites, as they can contain a so-called “drive-by download” which can install malware on your computer simply by visiting a compromised web page. Remember, you are the first line of defense, and locking your backdoors can help you keep your environment safe.

For more information, please check our homepage or contact us directly.

Read about our Titanium Platform technology to counter these attacks

Download our eBook on The Destructive Objects Playbook

Keep learning

  • Get up to speed on the state of software security with RL's Software Supply Chain Security Report 2026. Plus: See the the webinar to discussing the findings.
  • Learn why binary analysis is a must-have in the Gartner® CISO Playbook for Commercial Software Supply Chain Security.
  • Take action on securing AI/ML with our report: AI Is the Supply Chain. Plus: See RL's research on nullifAI and watch how RL discovered the novel threat.
  • Get the report: Go Beyond the SBOM. Plus: See the CycloneDX xBOM webinar.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

Tags:Threat ResearchResearch

More Blog Posts

Claude AI adds PromptMink malware to crypto trading agent

Claude adds malware to crypto agent

PromptMink has evolved into a malicious dependency in a package that allows access to crypto wallets and funds.

Learn More about Claude adds malware to crypto agent
Claude adds malware to crypto agent
Graphalgo supply chain campaign respawned.

Graphalgo fake recruiter campaign returns

An attack targeting crypto developers has been respawned — with an LLC and new techniques.

Learn More about Graphalgo fake recruiter campaign returns
Graphalgo fake recruiter campaign returns
TeamPCP supply chain attack

The TeamPCP supply chain attack evolves

The malicious campaign started with Trivy and Checkmarx and has shifted to LiteLLM — and now telnix. Here's how.

Learn More about The TeamPCP supply chain attack evolves
The TeamPCP supply chain attack evolves
Malicious npm packages use fake install logs to load RAT

Fake install logs in npm packages load RAT

The final-stage malware in the Ghost campaign is a RAT designed to steal crypto wallets and sensitive data.

Learn More about Fake install logs in npm packages load RAT
Fake install logs in npm packages load RAT

Spectra Assure Free Trial

Get your 14-day free trial of Spectra Assure for Software Supply Chain Security

Get Free TrialMore about Spectra Assure Free Trial
Blog
Events
About Us
Webinars
In the News
Careers
Demo Videos
Cybersecurity Glossary
Contact Us
reversinglabsReversingLabs: Home
Privacy PolicyCookiesImpressum
All rights reserved ReversingLabs © 2026
XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBlueskyRSSRSS
Back to Top