Proton is a remote access trojan (RAT) targeting macOS, first dispatched in late 2016. According to security researchers at Sixgill, it is being advertised on Russian underground hacking forums, YouTube videos, and a custom website. The author claims that the trojan can gain root access and bypass standard macOS security features and two-factor authentication on iCloud accounts. It is signed with genuine Apple code-signing certificates and researchers believe it uses a zero-day vulnerability in macOS for many of its features. The RAT can execute console commands, log keystrokes, take screenshots, access the user’s webcam, open SSH/VNC remote connections, and show popups requesting additional information, such as credit card numbers and login credentials. Proton’s author is renting and selling the RAT for a substantial price tag of between $1,200-$820,000. The author touts Proton as legitimate software, intended for system administrators, companies, and parents, but some of their advertised tools are illegal.


  • May 2017: The Proton trojan was installed on approximately 50 percent of user's devices that downloaded the Handbrake app for Mac between May 2-6, 2017. (MalwareBytes)

Technical Details

  • Sixgill provides a threat report on Proton macOS RAT, available here.