Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0279: Proton

Proton is a macOS backdoor focusing on data theft and credential access [1].

EnterpriseS0279MalwareObject v1.2 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Proton is a macOS backdoor described by ATT&CK as focused on data theft and credential access. Its mapped behaviors make it material beyond “Mac malware”: it can relate to credential harvesting from Keychain, browsers, password managers, keylogging and fake GUI prompts, persistence through Launch Agents, shell execution, screen capture, data archiving, VNC remote control, file deletion, and log/security-tool impairment. For leaders, the decision point is whether macOS endpoints are covered with the same identity, logging, and response rigor as Windows systems.

Executive priority

Prioritize Proton as a test case for macOS security readiness: endpoint visibility, credential-store protection, remote-access governance, and incident response evidence preservation. The business risk is concentrated around theft of user credentials and sensitive data from macOS workstations, which can affect identity security, executive/user privacy, audit evidence, and continuity of investigations if logs or tools are impaired.

Technical view

SOC and IR teams should validate macOS coverage for the ATT&CK relationships supplied: Launch Agent persistence, Unix shell execution, sudo/sudo caching activity, Keychain/browser/password-manager access, keylogging or GUI credential prompts, screen capture, archive creation, VNC/RFB remote access, file deletion, and clearing Linux or Mac system logs. Because ATT&CK provides no official detection text for Proton, detection engineering should be behavior-led rather than signature-led and should map detections to the related techniques.

Likely telemetry

  • macOS endpoint process execution, including shell activity and parent/child process context
  • Launch Agent plist creation or modification in system and user LaunchAgents paths
  • Authentication and privilege elevation evidence, including sudo usage where collected
  • File system telemetry for credential stores, browser credential files, password-manager vault files, archives, and unusual deletion activity
  • macOS system logs under /var/log/ and evidence of log clearing or tampering

Detection direction

  • Build behavior-based detections around the mapped techniques rather than relying on a Proton-specific detection, since official detection is not provided.
  • Tune Launch Agent detections to distinguish expected enterprise management agents from new, user-writable, or unusual plist-based persistence.
  • Correlate credential-access signals: Keychain, browser credential files, password-manager access, keylogging-like behavior, and GUI prompts are higher confidence when paired with suspicious shell execution or persistence.
  • Review VNC detections against approved remote-support workflows to reduce false positives while still alerting on unauthorized or unexpected remote-control sessions.
  • Monitor for evidence destruction: file deletion, archive staging, and clearing of Linux or Mac system logs can reduce IR visibility and should trigger preservation actions.

Mitigation priorities

  • Establish baseline macOS endpoint monitoring and response coverage before focusing on malware-family-specific rules.
  • Harden identity and credential storage exposure: restrict unnecessary password storage, protect Keychain access, and govern password-manager use with enterprise policy.
  • Control remote access by inventorying and limiting VNC use to approved systems and accounts.
  • Restrict persistence and privilege escalation paths by monitoring LaunchAgents and sudo configuration or usage.
  • Protect logging and security tooling from tampering, and ensure logs are centrally retained where feasible for incident reconstruction.
Analyst notes and limits

The ATT&CK object is a malware entry for Proton, a macOS backdoor, with no tactics listed directly on the object and no official detection guidance. Practical defensive value comes from the supplied technique relationships, especially credential access, collection, persistence, privilege escalation, lateral movement via VNC, and defense impairment behaviors.

This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not assert current activity, attribution, prevalence, specific indicators, or guaranteed detection. Local environment baselines are required to determine which macOS behaviors are suspicious versus normal administration.

Official MITRE ATT&CK definition

Proton

Proton is a macOS backdoor focusing on data theft and credential access [1].

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

15 rows
Domain ID Name Relationship / procedure
Enterprise T1056.002 GUI Input Capture Sub-technique

Proton prompts users for their credentials.[1]
Enterprise T1543.001 Launch Agent Sub-technique

Proton persists via Launch Agent.[1]
Enterprise T1070.004 File Deletion Sub-technique

Proton removes all files in the /tmp directory.[1]
Enterprise T1021.005 VNC Sub-technique

Proton uses VNC to connect into systems.[1]
Enterprise T1548.003 Sudo and Sudo Caching Sub-technique

Proton modifies the tty_tickets line in the sudoers file.[1]
Enterprise T1555.001 Keychain Sub-technique

Proton gathers credentials in files for keychains.[1]
Enterprise T1685 Disable or Modify Tools

Proton kills security tools like Wireshark that are running.[1]
Enterprise T1685.006 Clear Linux or Mac System Logs Sub-technique

Proton removes logs from /var/logs and /Library/logs.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

Proton uses an encrypted file to store commands and configuration values.[1]
Enterprise T1555.003 Credentials from Web Browsers Sub-technique

Proton gathers credentials for Google Chrome.[1]
Enterprise T1056.001 Keylogging Sub-technique

Proton uses a keylogger to capture keystrokes.[1]
Enterprise T1555.005 Password Managers Sub-technique

Proton gathers credentials in files for 1password.[1]
Enterprise T1113 Screen Capture

Proton captures the content of the desktop with the screencapture binary.[1]
Enterprise T1560 Archive Collected Data

Proton zips up files before exfiltrating them.[1]
Enterprise T1059.004 Unix Shell Sub-technique

Proton uses macOS' .command file type to script actions.[1]
Relationship explorer

All related ATT&CK context

uses · Technique T1056.002: GUI Input Capture Enterprise uses · Technique T1543.001: Launch Agent Enterprise uses · Technique T1070.004: File Deletion Enterprise uses · Technique T1021.005: VNC Enterprise uses · Technique T1548.003: Sudo and Sudo Caching Enterprise uses · Technique T1555.001: Keychain Enterprise uses · Technique T1685: Disable or Modify Tools Enterprise uses · Technique T1685.006: Clear Linux or Mac System Logs Enterprise uses · Technique T1140: Deobfuscate/Decode Files or Information Enterprise uses · Technique T1555.003: Credentials from Web Browsers Enterprise uses · Technique T1056.001: Keylogging Enterprise uses · Technique T1555.005: Password Managers Enterprise uses · Technique T1113: Screen Capture Enterprise uses · Technique T1560: Archive Collected Data Enterprise uses · Technique T1059.004: Unix Shell Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.2
Created
Modified
Raw hash
90bfb789b0988287...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.2 Current bundle 90bfb789b098…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    objsee mac malware 2017

    Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.

    Open source URL
  2. [2]
    Proton

    (Citation: objsee mac malware 2017).

  3. [3]
    mitre-attack S0279
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use