
Danger | Backdoor | Discovered 2016

Eleanor

Also known as: OSX.Eleanor, Backdoor.MAC.Eleanor

What is Eleanor?

Eleanor is a macOS backdoor that was distributed through a fake application called EasyDoc Converter, which claimed to be a file format conversion utility. Instead of converting documents, it installed a Tor hidden service on the victim's Mac, giving attackers anonymous remote access through the Tor network. Eleanor provides attackers with full control of the infected Mac including the ability to execute commands, browse and steal files, capture images through the webcam, and install additional malware. The use of Tor for its command-and-control infrastructure makes the attacker's identity and location virtually untraceable.

How It Spreads

Distributed as a fake file converter application called EasyDoc Converter on reputable Mac software sites like MacUpdate

Downloaded from third-party software download portals that did not verify application authenticity

Social engineering through forum posts and comments recommending the fake converter for document format problems

The application was not signed with an Apple Developer certificate but could still be installed by right-clicking and selecting Open

Signs of Infection

An application called EasyDoc Converter in /Applications/ that does not actually convert any files

Tor process running in Activity Monitor (look for 'tor' or processes on port 9050/9150)

A hidden web server (PHP-based) running locally, visible as 'httpd' or 'php' processes you did not start

Outbound connections to Tor network entry nodes on unusual ports
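
The process and port signs above can be checked from a listing of listening sockets. The script below is an added example, not CoreLock's code: the function name `flag_listeners`, the reason labels and the sample capture are constructed for illustration, and it only reads `lsof` output.

```shell
#!/bin/sh
# Added example: flag listening sockets that match the signs listed above.
# Reads `lsof -nP -iTCP -sTCP:LISTEN` output on stdin; changes nothing.

# Prints "reason<TAB>command<TAB>pid<TAB>address" for each listener to review.
flag_listeners() {
  awk '$NF == "(LISTEN)" {
    cmd = $1; pid = $2; addr = $(NF - 1)
    n = split(addr, part, ":"); port = part[n]
    reason = ""
    if (cmd == "tor")                               reason = "tor-process"
    else if (port == "9050" || port == "9150")      reason = "tor-socks-port"
    else if (cmd == "php" || cmd == "httpd")        reason = "web-server"
    if (reason != "") printf "%s\t%s\t%s\t%s\n", reason, cmd, pid, addr
  }'
}

# Constructed sample capture (not taken from a real infection).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
tor       612 alice    6u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:9050 (LISTEN)
php       633 alice    4u  IPv4 0x1a2c      0t0  TCP 127.0.0.1:8080 (LISTEN)
rapportd  410 alice    3u  IPv4 0x1a2d      0t0  TCP *:49152 (LISTEN)
cupsd     201 root     7u  IPv6 0x1a2e      0t0  TCP [::1]:631 (LISTEN)
helperd   640 alice    5u  IPv4 0x1a2f      0t0  TCP 127.0.0.1:9150 (LISTEN)'

# Demo on the sample; on a live Mac use:
#   lsof -nP -iTCP -sTCP:LISTEN | flag_listeners
printf '%s\n' "$SAMPLE_LSOF" | flag_listeners
```

A flagged row is a prompt to check the process's path and parent, since Tor Browser and the system Apache produce the same rows.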

How to Remove Eleanor

1. Delete the fake EasyDoc Converter application

Remove the application from /Applications/EasyDoc Converter.app or wherever it was installed. Also check ~/Downloads/ for the original DMG or installer file and delete it.

2. Stop and remove the Tor hidden service

Kill the Tor process: killall tor. Remove the Tor configuration and data: rm -rf ~/Library/Application\ Support/.tor/ and check for Tor binaries in /usr/local/bin/tor or within the application bundle. Also remove any torrc configuration files.

3. Remove the PHP backdoor web server

Stop the hidden web server: killall php or killall httpd (if not the system Apache). Remove web server files from ~/Library/Application Support/ and /tmp/ directories. Look for PHP scripts in hidden directories.

4. Remove persistence mechanisms

Delete Eleanor's LaunchAgents: check ~/Library/LaunchAgents/ for plist files created around the time you installed EasyDoc Converter. Also check /Library/LaunchAgents/ and /Library/LaunchDaemons/. Remove any login items in System Settings > General > Login Items.

5. Change all passwords and review access

Since attackers had full remote access to your Mac through the Tor backdoor, assume all stored credentials, files, and browsing data have been compromised. Change all passwords from a clean device, starting with email and financial accounts.

6. Scan with CoreLock

Run a full CoreLock scan to detect any remaining Eleanor components, verify no additional malware was installed through the backdoor, and ensure the Tor hidden service is completely removed.
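
Before deleting anything in steps 1 to 4, it helps to list what is actually present. The script below is an added example, not CoreLock's code: the function names, the `FOUND`/`REVIEW` labels and the use of a reference file's timestamp to approximate install time are assumptions, it covers Application Support but not /tmp/, and it deletes nothing.

```shell
#!/bin/sh
# Added example: read-only check for the file-system items in steps 1-4.
# ROOT and HOME_DIR are parameters so a mounted backup can be checked too.

eleanor_paths() {            # usage: eleanor_paths ROOT HOME_DIR
  root=${1%/}; home=$2
  for p in "$root/Applications/EasyDoc Converter.app" \
           "$home/Library/Application Support/.tor" \
           "$root/usr/local/bin/tor"
  do
    [ -e "$p" ] && printf 'FOUND\t%s\n' "$p"
  done
  # torrc files anywhere, and PHP scripts inside hidden directories,
  # under Application Support (paths printed relative to that folder).
  as="$home/Library/Application Support"
  [ -d "$as" ] && (cd "$as" && find . -type f \
      \( -name torrc -o -path '*/.*/*.php' \) -exec printf 'REVIEW\t%s\n' {} \;)
  return 0
}

# Launch plists modified after REFERENCE_FILE (assumption: the downloaded DMG's
# timestamp approximates when EasyDoc Converter was installed).
recent_launch_items() {      # usage: recent_launch_items ROOT HOME_DIR REFERENCE_FILE
  root=${1%/}; home=$2; ref=$3
  for d in "$home/Library/LaunchAgents" "$root/Library/LaunchAgents" \
           "$root/Library/LaunchDaemons"
  do
    [ -d "$d" ] && find "$d" -maxdepth 1 -name '*.plist' -newer "$ref" -print
  done
  return 0
}

# Live use: sh check.sh ~/Downloads/<installer>.dmg   (file name is a placeholder)
eleanor_paths / "$HOME"
if [ -n "${1:-}" ]; then recent_launch_items / "$HOME" "$1"; fi
```

Each plist it prints still needs to be opened and read before removal, because legitimate software installed after the reference file appears in the same list.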

Prevention Tips

Only download applications from the Mac App Store or the developer's official website

Be wary of utility apps with few reviews or no verifiable developer information

Never bypass Gatekeeper by right-clicking and selecting Open for applications from unknown developers

Use CoreLock to detect unauthorized Tor services, hidden web servers, and backdoor communication channels

How CoreLock Detects Eleanor

Real-time Detection

CoreLock detects Eleanor through network monitoring for Tor hidden service activity and onion routing connections from unauthorized processes, process behavioral analysis identifying hidden PHP web servers running without user authorization, file system scanning for Tor configuration files and binaries outside of legitimate Tor Browser installations, and YARA rules matching known Eleanor backdoor component signatures.

Frequently Asked Questions

What is OSX.Eleanor and what does EasyDoc Converter do?

Eleanor is a macOS backdoor hidden inside a fake application called EasyDoc Converter. The application claims to convert document formats but does nothing useful. Instead, it silently installs a Tor hidden service and a PHP-based web server on your Mac, giving attackers anonymous remote access. Through this backdoor, attackers can run commands, steal files, use your webcam, and install additional malware — all while hiding their identity through the Tor network.

How do I know if my Mac has the Eleanor backdoor?

Check if you have an application called EasyDoc Converter installed on your Mac. Look in Activity Monitor for Tor processes (named 'tor') or unauthorized PHP/httpd web server processes. Check for unusual network connections to Tor entry nodes. If you downloaded a file converter from a third-party site that never actually converted any files, your Mac may be infected.

Why does Eleanor use Tor for its backdoor?

Eleanor uses Tor to create a hidden service on your Mac, which serves as an anonymous backdoor. The Tor network encrypts and routes the attacker's connection through multiple relays worldwide, making it virtually impossible to trace the attacker's real IP address or location. This also makes the C2 traffic harder to block since Tor traffic can resemble normal encrypted web browsing.

Can attackers see through my webcam if I have Eleanor?

Yes. Eleanor's backdoor gives attackers full control over your Mac, including the ability to capture images and video from your webcam. On modern Macs, the green LED will illuminate when the camera is active, but the activation may be brief. If you suspect Eleanor infection, cover your webcam immediately, disconnect from the internet, and follow the removal steps. Change all passwords from a clean device.
