Open Source · 2016-08-28 · 2 days · Data Exfiltration

Transmission installer delivered Keydnap

Months after the KeRanger incident, Transmission's website was compromised again. This time, the legitimate macOS installer for version 2.92 was replaced with a malicious version containing the OSX/Keydnap backdoor.

Story

The August 2016 Transmission compromise repeated the same distribution pattern with a different payload. A recompiled Transmission 2.92 application was served from the official site and carried OSX/Keydnap instead of ransomware.

The malicious disk image was named Transmission2.92.dmg, while the legitimate package used Transmission-2.92.dmg. Inside the app bundle, the added License.rtf file acted as the dropper. ESET reported that the bundle was signed on August 28 with an Apple-issued certificate that was not the normal Transmission developer certificate.

Keydnap installed persistence under com.apple.iCloud.sync.daemon, used a local Tor client to reach an onion command server, and targeted the macOS keychain. Its purpose was quiet control and credential theft, not visible encryption.

ESET notified the Transmission team, which removed the file within minutes and moved users toward clean downloads. The second incident showed that the March response fixed the immediate artifact, not necessarily the release channel risk.

Affected Artifacts

transmission

· transmissionbt.com · repository · Binary Archive
Observed
2016-08-28 to 2016-08-30
Compromised Versions
Fixed
Not listed
Hashes
  • sha256:f06ac9609c3a8b00a7586840e990153460f8de9526e91a1a6ab733c850d5c83f
  • sha256:c5e5ec89c5517b50d848b6a6d4f86ed74715a715a015c6d38d789addcffea6b3
  • sha1:1ce125d76f77485636ecea330acb038701ccc4ce

Incident Context

Motive
Credential Theft
Attribution
Group
Cause
Compromised Infrastructure
Transitive
No
Actor
Cybercriminal Gang

External References

Source record: oss/attacks/transmission/2016-08/meta.yaml