macOS trojan malware spread via compromised Eltima Software downloads

“Downloads of a popular Mac OSX [sic] [recte macOS] media player and an accompanying download manager were infected with trojan malware after the developer’s servers were hacked,” Danny Palmer reports for ZDNet.

“Elmedia Player by software developer Eltima boasts over one million users, some of whom have may have also unwittingly installed Proton, a Remote Access Trojan which specifically targets Macs for the purposes of spying and theft,” Palmer reports. “Attackers also managed to compromise a second Eltima product – Folx – with the same malware.”

“The Proton backdoor provides attackers with an almost full view of the compromised system, allowing the theft of browser information, keylogs, usernames and passwords, cryprocurrency wallets, macOS keychain data and more,” Palmer reports. “The compromise came to light on October 19, when cyber security researchers at ESET noticed the Elmedia Player was distributing Proton trojan malware. Users are warned if they downloaded the software from Eltima on that day before 3:15pm EDT, their system has may have been compromised by the malware.”

Read more in the full article here.

MacDailyNews Take: Yet another good reason to stick to Apple’s Mac App Store whenever possible!

ESET advises anyone who downloaded Elmedia Player or Folx software recently to verify if their system is compromised by testing the presence of any of the following file or directory:


If any of them exists, it means the trojanized Elmedia Player or Folx application was executed and that OSX/Proton is most likely running. If you have downloaded that software on October 19th before 3:15pm EDT and run it, you are likely compromised.

According to ESET, “As with any compromission with a administrator account, a full OS reinstall is the only sure way to get rid of the malware. Victims should also assume at least all the secrets outlined in the previous section are compromised and take appropriate measures to invalidate them.”

More info here.

[protected-iframe id=”c1fe6af37b4b5232f4955799987d8beb-17146794-18685410″ info=”//” ]


  1. When this crap happens, I want to know what server software the compromised website is using.

    In an email to ZDNet, an Eltima spokesperson said that the malware was distributed with downloads as a result of their servers being “hacked” after attackers “used a security breach in the tiny_mce JavaScript library on our server”

    So what’s TinyMCE code?

    TinyMCE is the world’s #1 web-based HTML WYSIWYG editor control.

    Used on more than 100 million websites and with upward of 70% market share*, TinyMCE is the first and only choice for your next project.

    TinyMCE enables you to convert HTML textarea fields or other HTML elements to editor instances.

    * Market share stats, Wappalyzer, 2017.

    I found nothing on the TinyMCE website relevant to this hack job. More information is required.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.