handbrake
HandBrake Mac download mirror distributed Proton RAT
An official HandBrake download mirror, download.handbrake.fr, was compromised while hosting the macOS release. The HandBrake-1.0.7.dmg image was replaced with a malicious build carrying the Proton RAT, so Mac users following the expected mirror path received remote-access malware instead of video tooling.
- Date: 2017-05-02 to 2017-05-06
- Category: Open Source
- Target Surface: Distribution
- Insertion Phase: distribution
- Impact: Data Exfiltration
- Cause: Compromised Infrastructure
What Was Affected
- Package: handbrake
- Language: Binary
- Component: Application
- Artifact type: binary archive
- Domain type: project download host
- Domain: download.handbrake.fr
Compromised Versions
- 1.0.7
Incident Context
- Motive: Credential Theft
- Attribution: Cybercriminal Gang
- Transitive: No
- Observed Duration: 4 days
Evidence
Compromised Artifacts
- download.handbrake.fr/1.0.7/HandBrake-1.0.7.dmg
- mirror.download.handbrake.fr/1.0.7/HandBrake-1.0.7.dmg
Current Artifacts and Analysis
Indicators and Changes
Hashes
- sha256:0935a43ca90c6c419a49e4f8f1d75e68cd70cb90b79306ce0cc7af2716aaa377
- sha1:32176407013738cb03959d0945993c13373f9590
- sha256:013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793
- sha1:230a3e5404b633882b799d84633206b98e80790d
Source Data
Source record: oss/handbrake/meta.yaml