Illegally distributed software [3] [4] [6], such as cracked applications [1] [3] [6], poses a significant risk to users, because cybercriminals often use it to distribute malware. In particular [3], people who search for cracked applications risk unknowingly downloading malware onto their devices. Recently, security researchers discovered cracked applications that contain Trojan-Proxy malware, which lets attackers carry out criminal activity on behalf of the victims.

Description

Unlike legitimate applications that are distributed as disk images [3], the infected versions of cracked applications come in the form of PKG installers [3] [4] [6]. These installers run scripts before and after installation [2] [3], with the malicious scripts being executed after the application is installed [3]. These scripts replace certain files and grant administrator permissions [3] [4] [6], giving the malware control over the victim’s system.
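The pre- and post-install scripts described above are the first place a defender can look when triaging a suspicious PKG installer. The following Python script is an added example, not code from the researchers or from any of the cited reports: it scans the `Scripts/preinstall` and `Scripts/postinstall` files of an already-expanded package for privilege changes, launchd persistence and file replacement inside an app bundle. It assumes the package has been expanded so that the scripts are plain files (for example with `pkgutil --expand-full`); the sample postinstall script, the `Example.app` path and the `com.example.placeholder` label are constructed for illustration.

```python
"""Triage of install scripts from an expanded macOS .pkg (added example).

Assumes `pkgutil --expand-full some.pkg outdir` has already been run, so that
outdir/Scripts/preinstall and outdir/Scripts/postinstall are plain text files.
"""
import re
import tempfile
from pathlib import Path

# Patterns a defender would flag in an install script: setuid/root ownership
# changes, launchd persistence, and copying files into an installed app bundle.
RISKY_PATTERNS = {
    "privilege change": re.compile(
        r"\b(chmod\s+(?:\S*\+s|[4-7][0-7]{3})|chown\s+(?:-R\s+)?root)\b"),
    "launchd persistence": re.compile(
        r"(LaunchDaemons|LaunchAgents|launchctl\s+(load|bootstrap))"),
    "bundle file replacement": re.compile(r"\b(cp|mv)\b.*\.app/Contents/"),
}

# Constructed sample mirroring the behaviour the text describes: the script
# installs a launch item, makes it root-owned and marks the payload setuid.
SAMPLE_POSTINSTALL = """#!/bin/sh
# constructed sample for testing the triage logic
cp /Applications/Example.app/Contents/Resources/p.plist /Library/LaunchDaemons/com.example.placeholder.plist
chown root /Library/LaunchDaemons/com.example.placeholder.plist
chmod 4755 /Applications/Example.app/Contents/Resources/WindowServer
launchctl load /Library/LaunchDaemons/com.example.placeholder.plist
"""


def triage_script(text: str) -> dict:
    """Map each risk category to the 1-based line numbers that triggered it."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # ignore shell comments and the shebang
        for category, pattern in RISKY_PATTERNS.items():
            if pattern.search(code):
                hits.setdefault(category, []).append(lineno)
    return hits


def triage_expanded_pkg(expanded_dir) -> dict:
    """Triage the preinstall/postinstall scripts of an expanded package directory."""
    results = {}
    scripts_dir = Path(expanded_dir) / "Scripts"
    for name in ("preinstall", "postinstall"):
        script = scripts_dir / name
        if script.is_file():
            results[name] = triage_script(script.read_text(errors="replace"))
    return results


def build_sample_pkg_dir() -> str:
    """Create a constructed expanded-package layout in a temp dir; return its path."""
    root = Path(tempfile.mkdtemp(prefix="pkg_triage_"))
    (root / "Scripts").mkdir()
    (root / "Scripts" / "postinstall").write_text(SAMPLE_POSTINSTALL)
    return str(root)


if __name__ == "__main__":
    for script_name, findings in triage_expanded_pkg(build_sample_pkg_dir()).items():
        print(script_name)
        for category, lines in findings.items():
            print(f"  {category}: lines {lines}")
```

The patterns are deliberately broad: a legitimate installer may well load a launch daemon, so a hit is a reason to read the script, not a verdict on its own.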

The malware includes two suspicious files [3], WindowServer and p.plist [1] [3], which are placed in the /Contents/Resources/ directory [3]. The p.plist file imitates a Google configuration file and is responsible for auto-starting the WindowServer file as a system process after the operating system is loaded [3].
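A launch item that claims to be a Google component yet starts a binary named after a system daemon from inside an app bundle is exactly the kind of mismatch a defender can check for. The following Python code is an added example, not the researchers' code: it parses a launchd property list with the standard `plistlib` module and reports such mismatches. The sample plist, the `Example.app` path and the `com.google.example.update` label are constructed for illustration; the list of protected system binary names is an assumption used for the heuristic.

```python
"""Heuristic triage of launchd plists for persistence that mimics a system
daemon (added example, not the researchers' code)."""
import plistlib
from pathlib import PurePosixPath

# Names of genuine macOS system processes; a launch item starting a same-named
# binary from outside the system paths is suspicious (assumed list).
SYSTEM_BINARY_NAMES = {"WindowServer", "launchd", "loginwindow", "kernel_task"}
TRUSTED_BINARY_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")

# Constructed sample: a launch item that masquerades as a Google config
# and starts a "WindowServer" bundled inside an app's Resources folder.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.google.example.update</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/Resources/WindowServer</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign item for comparison.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backup</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def program_path(plist: dict):
    """Return the executable a launchd plist starts, or None if it has none."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def triage_plist(data: bytes) -> list:
    """Return human-readable findings for one launchd plist (XML or binary)."""
    plist = plistlib.loads(data)
    findings = []
    path = program_path(plist)
    if path is None:
        return ["no Program/ProgramArguments: cannot determine executable"]
    name = PurePosixPath(path).name
    if name in SYSTEM_BINARY_NAMES and not path.startswith(TRUSTED_BINARY_PREFIXES):
        findings.append(f"system daemon name '{name}' launched from non-system path {path}")
    if "/Contents/Resources/" in path:
        findings.append(f"executable lives in an app bundle's Resources folder: {path}")
    label = plist.get("Label", "")
    if label.startswith("com.google.") and "google" not in path.lower():
        findings.append(f"label '{label}' claims a Google component but runs {path}")
    if plist.get("RunAtLoad") and findings:
        findings.append("RunAtLoad is set: the item starts at every boot or login")
    return findings


if __name__ == "__main__":
    for finding in triage_plist(SAMPLE_PLIST):
        print("-", finding)
```

In practice the function would be run over every file in `/Library/LaunchDaemons`, `/Library/LaunchAgents` and each user's `~/Library/LaunchAgents`; `plistlib.loads` accepts both the XML and the binary plist encodings, so no conversion step is needed.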

The WindowServer file is a universal (multi-architecture) binary that has been found in several versions [3], the earliest of which was uploaded to VirusTotal in April 2023 [3]. Anti-malware vendors have not flagged any of the versions as malicious.

Once the Trojan-Proxy malware is running, it creates log files and attempts to obtain a command-and-control (C&C) server IP address using DNS-over-HTTPS (DoH) to hide its activities [3]. It establishes a connection with the C&C server via WebSocket [3] [6], sending the application version and expecting commands in return [3].

During the research [3], security experts received only one command (0x38) from the C&C server. Analysis of the program code suggests that the 0x34 command should be accompanied by a message containing the IP address [3], protocol [1] [3], and message to send [3]. The Trojan-Proxy malware supports both TCP and UDP connections [3].

Multiple versions of the Trojan-Proxy malware have been discovered, with some notable differences [3]. The latest version lacks the ability to check for updates [3], while older versions use regular DNS requests instead of DoH to obtain the C&C server IP address [3]. All versions write logs to specific files [3] [4], which can be used to detect the malware.

In addition to the macOS application [3], security researchers have also found specimens for Android and Windows that target the same C&C server.

Conclusion

The discovery of this new trojan malware highlights the risks associated with illegally distributed software. Users who download cracked applications are unknowingly exposing themselves to malware that can carry out criminal activities on their behalf. The Trojan-Proxy malware’s ability to hide its activities and establish connections with command-and-control servers makes it particularly dangerous.

To protect against such threats, it is crucial to avoid downloading software from questionable websites and instead rely on official sources. Additionally, using antivirus software can help prevent malware infections [5]. In the event that a device is infected, a complete system wipe and reinstallation may be necessary. It is important to stay vigilant and take proactive measures to safeguard against these types of cyber threats.

References

[1] https://www.securitricks.com/analysis-of-a-new-macos-trojan-proxy-wednesday-december-6-2023/
[2] https://www.infosecurity-magazine.com/news/trojan-proxy-expands-macos/
[3] https://vulners.com/securelist/SECURELIST:4021461128846EEC73C08306E41D715D
[4] https://ciso2ciso.com/new-macos-trojan-proxy-piggybacking-on-cracked-software-source-securelist-com/
[5] https://theglobalface.com/tech/new-proxy-trojan-malware-shows-why-you-shouldnt-pirate-mac-software/
[6] https://esystematics.com/blog/new-macos-trojan-proxy-piggybacking-on-cracked-software/