Handbrake Developers Issue Mac Security Warning After Mirror Server Was Compromised


If you have recently downloaded Handbrake, a popular video conversion app for Mac, there is a good chance your system is now infected with a nasty Remote Access Trojan (RAT).

On Saturday, the HandBrake team posted a security alert after learning one of their mirror download servers was hacked. The attacker was successfully able to replace the Mac version of the app with a malicious version.

The HandBrake team said an attacker compromised the download mirror server at and replaced the HandBrake-1.0.7.dmg installer file with a version infected with a new variant of the Proton RAT. The team warned that users who downloaded HandBrake for Mac between 10:30 a.m. EDT on May 2nd and 7:00 a.m. EDT on May 6th have a “50/50 chance” of their Mac being infected.

The security warning stated, “If you see a process called ‘Activity_agent’ in the OSX Activity Monitor application. You are infected.” In order to remove this malware from an infected computer, open Terminal and run the following commands (each command has a comment above it describing what it does):

# Unload the malicious plist file 
launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist

# Remove the RAT activity agent
rm -rf ~/Library/RenderFiles/

# Remove the Proton RAT malware zip
rm -f ~/Library/VideoFrameworks/

# Remove the Handbreak app from your system.
rm -rf /Applications/

As an extra security recommendation, the team also recommends changing all passwords that may reside in their macOS KeyChain or in any browser password stores.

[via MacRumors]



  • dudemaster

    I recall Handbrake having a similar issue a few months ago. I just deleted the app. I am glad that I had not done the update. From now on I will stick to the mac app store for programs.

  • Selena

    Yes, I also think the paid software is safer than the freeware. They have money back guarantee and tech support.