OSX.Proton is a remote access trojan (RAT) targeting macOS, first discovered in 2017.
Also known as: Proton RAT, Proton.B. Related: Calisto, an earlier macOS backdoor believed to be Proton's predecessor.
OSX.Proton is a sophisticated macOS remote access trojan (RAT) that gives attackers full control over an infected Mac. It was sold on underground forums for up to $50,000 in Bitcoin and was notably distributed through compromised legitimate software — the Handbrake video converter and Elmedia Player websites were both hacked to serve Proton-infected installers. Once installed, Proton can capture keystrokes, take screenshots, access the webcam, steal browser credentials, extract Keychain data, and exfiltrate files. It uses a fake macOS authentication dialog to obtain the user's system password.
Compromised legitimate software downloads — Handbrake and Elmedia Player official sites were hacked to serve trojanized installers
Phishing emails with malicious DMG attachments disguised as business documents or invoices
Fake websites impersonating popular Mac applications offering free or cracked versions
Underground forums where the RAT builder was sold to other threat actors for targeted attacks
A fake macOS authentication dialog appearing when opening a newly downloaded application
Unexpected webcam or microphone activation indicated by the green camera LED turning on
Unknown processes such as 'updateragent' or disguised system names running in Activity Monitor
Files appearing in ~/Library/LaunchAgents/ with names mimicking Apple services like com.apple.xpc.helper.plist
Disable Wi-Fi and unplug Ethernet to cut the attacker's remote access connection. Proton maintains a persistent connection to its command-and-control server.
Open Activity Monitor and look for suspicious processes. Known Proton process names include 'updateragent' and names mimicking Apple services. Select the process and click Force Quit.
Delete Proton LaunchAgent files: rm ~/Library/LaunchAgents/com.apple.xpc.helper.plist, and check for similar fake Apple-named plists (unload the job with launchctl before deleting its plist so the agent does not stay resident). Also check /Library/LaunchAgents/ and /Library/LaunchDaemons/ for Proton entries; system-wide entries need sudo to remove. Remove the page's other known artifact if present: rm -rf ~/Library/RealVNC/
Remove the application that delivered Proton from /Applications/ and ~/Downloads/. If it was a legitimate app like Handbrake, re-download from the verified official source and check the SHA-256 checksum.
Proton has a keylogger and Keychain access. From a different clean device, change all passwords starting with Apple ID, email, banking, and any accounts with saved credentials. Enable two-factor authentication everywhere possible.
Run a full CoreLock scan to detect any remaining Proton components, hidden persistence files, or residual backdoor access points that manual removal may have missed.
Always verify download checksums (SHA-256) when downloading software, even from official websites
Be suspicious of any application that asks for your macOS password immediately after first launch
Keep macOS updated — Apple added Proton signatures to XProtect after the Handbrake compromise
Use CoreLock to monitor for RAT behaviors including unauthorized webcam access, keylogging, and suspicious outbound connections
Real-time Detection
CoreLock detects OSX.Proton through behavioral analysis of keylogging activity and unauthorized Keychain access attempts, monitoring for fake system authentication dialogs, network analysis identifying C2 communication patterns, YARA rules matching known Proton binary signatures, and webcam/microphone access monitoring for unauthorized activation by unsigned processes.
Check which apps have camera access on your Mac and revoke access you didn't approve.
Check which apps have microphone access on your Mac and revoke access you didn't approve.
Check which apps have screen recording on your Mac and revoke access you didn't approve.
Check Activity Monitor for suspicious processes with names mimicking Apple services. Look in ~/Library/LaunchAgents/ for plist files you don't recognize, especially those with 'com.apple' prefixes not actually from Apple. If your webcam LED activates unexpectedly or you notice your Mac performing slowly with unusual network activity, these are warning signs. Proton often enters through trojanized versions of legitimate software.
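The persistence check described in the removal steps and in the answer above, as an added shell example that is not CoreLock's or Proton's own code. It flags launchd plists that impersonate Apple or that launch a program from a throwaway location, and unloads and deletes whatever you confirm is rogue. The assumption is that Apple's own launchd items live under /System/Library, so a com.apple.* plist in a user-writable LaunchAgents or LaunchDaemons directory is never legitimate. The sample directory built by make_sample_launch_dir is constructed data: the only name taken from the page is com.apple.xpc.helper.plist, the vendor names and the /tmp/Updater.app path are hypothetical.

```shell
#!/bin/sh
# Added example, not CoreLock's or Proton's own code: triage launchd persistence.
# Assumption: Apple's own launchd items live under /System/Library, so a com.apple.*
# plist inside a user-writable LaunchAgents/LaunchDaemons directory is never legitimate.

# Pull the program path out of a launchd plist: the first <string> after a
# <key>Program</key> or <key>ProgramArguments</key> (also works on one-line plists).
launchd_program() {
    awk '/<key>Program(Arguments)?<\/key>/ { want = 1; sub(/.*<key>Program(Arguments)?<\/key>/, "") }
         want && match($0, /<string>[^<]*<\/string>/) { print substr($0, RSTART + 8, RLENGTH - 17); exit }' "$1"
}

# Print "REASON<TAB>PLIST" for every suspicious plist directly inside DIR.
suspect_launch_items() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        case "$(basename "$plist")" in
            com.apple.*) printf 'apple-impersonation\t%s\n' "$plist"; continue ;;
        esac
        prog=$(launchd_program "$plist")
        case "$prog" in
            "")                           printf 'no-program-path\t%s\n' "$plist" ;;
            /tmp/*|/private/tmp/*|*/.*/*) printf 'program-in-temp-or-hidden-dir\t%s\n' "$plist" ;;
            *) [ -e "$prog" ] || printf 'program-missing\t%s\n' "$plist" ;;
        esac
    done
}

# Unload the job (macOS only; launchctl is absent elsewhere), then delete its plist.
remove_launch_item() {
    if command -v launchctl >/dev/null 2>&1; then
        launchctl unload "$1" 2>/dev/null
    fi
    rm -f "$1"
}

# Constructed sample: three plists, two rogue and one benign, for an offline dry run.
write_plist() {  # write_plist PATH LABEL PROGRAM
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n' > "$1"
    printf '\t<key>Label</key>\n\t<string>%s</string>\n' "$2" >> "$1"
    printf '\t<key>ProgramArguments</key>\n\t<array>\n\t\t<string>%s</string>\n\t</array>\n' "$3" >> "$1"
    printf '\t<key>RunAtLoad</key>\n\t<true/>\n</dict>\n</plist>\n' >> "$1"
}
make_sample_launch_dir() {
    mkdir -p "$1"
    write_plist "$1/com.apple.xpc.helper.plist" com.apple.xpc.helper /bin/sh   # name taken from the page
    write_plist "$1/com.vendor.updater.plist" com.vendor.updater /tmp/Updater.app/Contents/MacOS/updateragent  # hypothetical
    write_plist "$1/com.vendor.legit.plist" com.vendor.legit /bin/sh           # benign: real binary, honest name
}

# Live triage of the directories the removal steps name, plus the extra path the page lists.
proton_triage() {
    for dir in "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons; do
        suspect_launch_items "$dir"
    done
    [ -d "$HOME/Library/RealVNC" ] && printf 'page-listed-artifact\t%s\n' "$HOME/Library/RealVNC"
    return 0
}

# Offline dry run on the constructed sample: prints the two rogue plists, not com.vendor.legit.
demo=$(mktemp -d)
make_sample_launch_dir "$demo"
suspect_launch_items "$demo"
rm -rf "$demo"
```

Run proton_triage on the suspect Mac, review each flagged line by hand (a vendor that ships a launch agent from its .app bundle is normal; one that runs from /tmp or a hidden directory is not), and only then call remove_launch_item on the plist. A plist whose program path no longer exists is still worth deleting, since the dropper may have been cleaned up while the persistence entry was left behind.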
One of HandBrake's download mirrors was compromised for several days in early May 2017 (reported as 2 to 6 May). If you downloaded HandBrake during that window, your installer may have contained Proton. The infected version had a different SHA-256 checksum than the legitimate file, which is why the project published the hash of the clean build. If concerned, delete HandBrake, check for LaunchAgent persistence files, change all passwords, and run a CoreLock scan.
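The checksum check recommended in the prevention tips and in the HandBrake answer above, as an added shell example that is not CoreLock's own code. It verifies a downloaded installer against the SHA-256 a vendor publishes, either as a bare hash or as a "<hash>  <filename>" listing, and refuses to pass a file that has no entry. macOS ships shasum and Linux ships sha256sum, so sha256_of uses whichever is present. The dry-run file and checksum listing are constructed; the hash is the standard SHA-256 test vector for the three bytes "abc".

```shell
#!/bin/sh
# Added example, not CoreLock's own code: verify a download's SHA-256 before opening it.

# Lower-case hex SHA-256 of FILE, using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_sha256 FILE EXPECTED: prints OK/FAIL, returns 0 only on a match.
# Case-insensitive, because vendors publish the hash in either case.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $1"
        return 0
    fi
    echo "FAIL $1 (expected $expected, got $actual): do not open it; delete it and re-download"
    return 1
}

# verify_checksum_file FILE CHECKSUMS: CHECKSUMS is the vendor's "<hash>  <filename>"
# listing (the format sha256sum -c and shasum -c read). The entry is matched on the
# file's basename, and a file with no entry fails instead of passing silently.
verify_checksum_file() {
    name=$(basename "$1")
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$2")
    if [ -z "$expected" ]; then
        echo "FAIL $1 (no entry for $name in $2)"
        return 1
    fi
    verify_sha256 "$1" "$expected"
}

# Constructed dry run: a three-byte "installer" and a matching checksum listing.
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/Installer.dmg"
printf 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  Installer.dmg\n' > "$demo_dir/SHA256SUMS"
verify_checksum_file "$demo_dir/Installer.dmg" "$demo_dir/SHA256SUMS"                                        # OK
verify_sha256 "$demo_dir/Installer.dmg" 0000000000000000000000000000000000000000000000000000000000000000 || true  # FAIL
rm -rf "$demo_dir"
```

Take the expected hash from the vendor's page over HTTPS, not from the same mirror that served the file: the HandBrake incident shows a compromised mirror can serve any checksum it likes next to the trojanized binary.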
On modern Macs, the webcam LED is hardware-wired to activate whenever the camera is in use, so Proton cannot access your camera without the green light illuminating. However, the activation may be brief or occur when you are away from your Mac. CoreLock monitors for unauthorized camera and microphone access to alert you to these events.
While the original Proton RAT infrastructure was largely dismantled and Apple added detection signatures to XProtect, variants and derivative malware continue to appear. The source code was leaked, allowing other threat actors to create modified versions. The techniques Proton relied on (fake auth dialogs, Keychain theft, and supply-chain compromise) are now used by newer threats like Atomic Stealer.
Download CoreLock to detect and remove OSX.Proton and other macOS threats. AI-powered analysis, real-time monitoring, and one-click remediation.