Proton is a remote access trojan (RAT) targeting macOS, first dispatched in late 2016. According to security researchers at Sixgill, it is being advertised on Russian underground hacking forums, YouTube videos, and a custom website. The author claims that the trojan can gain root access and bypass standard macOS security features and two-factor authentication on iCloud accounts. It is signed with genuine Apple code-signing certificates and researchers believe it uses a zero-day vulnerability in macOS for many of its features. The RAT can execute console commands, log keystrokes, take screenshots, access the user’s webcam, open SSH/VNC remote connections, and show popups requesting additional information, such as credit card numbers and login credentials. Proton’s author is renting and selling the RAT for a substantial price tag of between $1,200-$820,000. The author touts Proton as legitimate software, intended for system administrators, companies, and parents, but some of their advertised tools are illegal.


  • May 2017: The Proton trojan was installed on approximately 50 percent of user's devices that downloaded the Handbrake app for Mac between May 2-6, 2017. (MalwareBytes)
  • October 2017: The website Eltima was compromised by an unknown actor and used a trojanized version of the company's macOS multimedia player "Elmedia" to spread the Proton RAT. (ESET)
  • December 2017: A new version has been identified infecting users via a malicious program "Symantec Malware Detector" promoted on the fake Symantec blog site symantecblog[.]com. (Malwarebytes)

Technical Details

  • Sixgill provides a threat report on Proton macOS RAT, available here.