OSX/Proton trojan is back! Here’s what Mac users need to know

“Last May, a download server of popular video encoding software, called Handbrake, was compromised by malware,” Jay Vrijenhoek writes for Intego. “Users downloading Handbrake at the time got not only the Handbrake application but also a nasty malware, called OSX/Proton.”

“Security researchers on welivesecurity published the discovery of yet another compromised download server distributing infected software with OSX/Proton malware. This time, Eltima, the makers of the Elmedia Player software were targeted. The trojan was found, reported and removed from the servers all on the same day, but it is currently unknown how long it was available or how many users may be affected,” Vrijenhoek writes. “Intego VirusBarrier identifies and eradicates the malware as OSX/Proton.C.”

“Only those who downloaded Elmedia Player from their server (https://mac.eltima.com/elmedia-player-download.html) received the malicious application. It was not distributed on any other websites, as far as we know, and the App Store version was not affected,” Vrijenhoek writes. “If you have downloaded and installed Elmedia Player on or before October 19, before 3:15PM EDT, welivesecurity noted that you are likely compromised.”

How to tell if your Mac is infected (and removal instructions) here.

MacDailyNews Note: As Vrijenhoek notes, “If a website doesn’t list checksums for their files, contact the developer and request those checksums before downloading a file. Without it, there really is no way to know if you’ve downloaded the file you came for or if the file was modified to be malicious.”

macOS trojan malware spread via compromised Eltima Software downloads – October 20, 2017
Handbrake warns Mac users after mirror download server hack – May 7, 2017

[protected-iframe id=”071a3901810f63c47cf18abc34823545-17146794-18685410″ info=”//z-na.amazon-adsystem.com/widgets/onejs?MarketPlace=US” ]


  1. Fold by Eltima was also infected. Possibly other Eltima software was also infected. If you downloaded ANY Eltima software in recent weeks, do the check to see if you have the Proton.C infection on your Macs.

    Malwarebytes free anti-malware claims to be able to remove Proton.C. But in the worst case you may have to reinstall your entire system. 🙁

      1. Only really stupid trolls don’t know the difference between a virus (which can infect a computer without a users help) and a Trojan (which needs to trick the user into installing it).

        Zing. You’ve been BURNED …

      2. In the balance between a few versus a few million, I will take the few. You will note that this malware was obtained from a third party vendor – not Apple. That is why I set my mother-in-law’s Mac to prevent installation of third party software. She does not know enough to be careful.

        Nice try, anonymous troll. But occasional instances of minor Mac malware incidents cannot be equated in any way, shape, or form to the Windows malware hell-on-Earth situation. I had a Windows PC for a couple of years and, even with up-to-date malware protection, it was highly insecure.

  2. MDN – THINK before you write a comment! If someone compromised the server and is able to change the download, then they can certainly also change the checksum displayed on the webpage. Displaying the checksum isn’t increasing security at all, it just gives a false sense of security.

    1. But the checksum in the software itself – that will change, won’t it. If you have the original checksum from the developer (not some number posted on the website, which can be modified as you note), shouldn’t it be different from the checksum of the modified malware version?

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.