MuseHub/Muse.Service reported by Malwarebytes - is it legit or a false positive?

• Dec 10, 2022 - 07:40

I accidentally downloaded some malware this week, and installed Malwarebytes to detect and remove it.

Malwarebytes also detected and reported a programme called Muse.Service.exe as contacting a compromised web site. I've pasted the details below. As a temporary measure, I've uninstalled Musehub and Musescore.

But I'm not sure if this was a genuine infection, or whether MuseHub legitimately tries to contact this IP and Malwarebytes is reporting it as a false positive. Any thoughts?

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\WindowsApps\Muse.MuseHub_0.9.10.559_x64__rb9pth70m6nz6\Muse.Service.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Compromised
IP Address:
Port: 6881
Type: Outbound
File: C:\Program Files\WindowsApps\Muse.MuseHub_0.9.10.559_x64__rb9pth70m6nz6\Muse.Service.exe


In reply to by Marc Sabatella

Running Windows 10.

I wanted to simply upgrade to Musescore 4. It's late in my day, and the standalone musescore download was not obvious. So I wound up with the Musehub package.

Immediately after installing Musescore via Musehub, I realized my mistake and uninstalled Musehub.

Will that remove the background software running in the background that other (more technical) folk have mentioned here?

I want musehub and any services from it out of my system.

If the uninstall was not adequate, can you advise what I need to do to get there?


Chiming in on this... ever since I downloaded Muse Hub, I seem to be getting notifications from my ISP that malicious IPs are trying to access my device.

Additionally when exiting Muse Hub in the tray (so that it does not appear in the tray anymore), it's still running services in the background that I have to kill manually via Task Manager.

What's going on here?

In reply to by jeetee

I get that it's used to run auto updates, but I feel like it's expected that when you "exit" a program, it should actually exit it. I feel like this is how most programs work in general, even those with auto updates.

Regarding the unknown IPs and "community acceleration", that's deeply concerning. I think that feature should be disabled by default if that's the case.

Especially if a non-technical person is trying out Musescore and downloaded Muse Hub, I don't think it's a good look for Muse when their ISP (Xfinity in my case, as it gave me notifications via their app) is telling them that these outside IPs are trying to access my computer.

Just my two cents - regardless I have uninstalled Muse Hub since the time I have made my comment.

In reply to by jeetee

But the main concern is not the torrent stuff.
The biggest security problem here is that this service runs with a privileged account (admin, root).
I am surprised that nobody sees this as a problem.
Basically, the Muse group can install anything they want on your computers, without you knowing about it.

In reply to by graffesmusic

I definitely see it as a problem. MuseScore is slowly becoming proprietary software, through the introduction of third-party proprietary tools that "solve" problems introduced by regressions in MuseScore. It may be overly cynical of me to point this out, but it really looks like a way to circumvent GNU GPL.

The whole concept of software checking for updates is absurd to any Linux user. We have package managers that do that for us. But this means less control for the software proprietors. Having such "update" software closed source and running with root privileges is a huge red flag. And you're incentivised into using this software (which would in any other circumstance rightly be described as malware) by getting a shiny present like MuseSounds: "oh no, you can't download this soundfont unless you give full control of your system to our proprietary updater". In what alternate reality does that make any sense? If this is not Defective-By-Design, what is?

I am very worried about this and the future of MuseScore.

In reply to by jeetee

If you allow a third party you know nothing about (as I understand it: a 'mailbox' company based in Cyprus, but located in Kaliningrad, Russia) to have root access to your system: this is bad security.
Especially because there is really no need to have this running as root.

In reply to by graffesmusic

@graffesmusic: Can you elaborate on that? I mean the privileged account issue?

On my Mac I see the following information on the binary ("ls -l"):

-rwxr-xr-x@ 1 my_userid admin 9158928 13 dec 23:55 /Applications/Muse Hub

There is one extended attribute, indicated by the "@":

No root owner. Can it run as root at all? Or with root privileges?

In reply to by Jojo-Schmitz

But not in normal operation, right? When I run ps aux on it I see:

my_userid 752 0,0 0,0 34453592 6548 ?? Ss 3:46pm 0:00.02 /Applications/Muse
my_userid 743 0,0 0,2 35163600 81796 ?? S 3:46pm 0:00.61 /Applications/Muse Hub launchedAtLogin

As far as I can tell, this is running with my user privileges. Which are not root privileges.

Am I missing something here?

In reply to by user2442

I don't know anything about Macs.
But it surely looks that the service on your system is running as your own user.
Somebody should confirm this behaviour.

But if this is correct, then I can only conclude that Linux users are really screwed.

On Linux, if privileges are dropped by adding a no shell system user/group, the service refuses to run - by design.

In reply to by sills

I'm pretty shocked to discover this running, definitely as root, on my Ubuntu 20.04 system. Huge security hole and I had no idea it was there. Typing the following on a terminal stops it:

david@dm:~$ sudo systemctl stop muse-hub.service
david@dm:~$ sudo systemctl mask muse-hub.service
Created symlink /etc/systemd/system/muse-hub.service → /dev/null.
david@dm:~$ sudo systemctl start muse-hub.service
Failed to start muse-hub.service: Unit muse-hub.service is masked.

Note you can unmask the service to bring it back to life. Masking prevents it from restarting at boot time.
Perhaps the developers can consider security a bit closer. Musescore is great, but this makes it dangerous.
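
A way to check which account a systemd unit runs under, as discussed in the post above, before deciding whether to stop or mask it. This is an added example, not part of the original post and not Muse Hub's own code; the function names `audit_unit` and `audit_live` and the sample property values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify a systemd system unit's
# privilege level from `systemctl show` output. Function names are hypothetical.

# Reads KEY=value lines on stdin and prints one of:
#   root-unconfined      runs as root, without NoNewPrivileges + ProtectSystem
#   root-restricted      still root, but with both restrictions set
#   unprivileged:<user>  runs under a dedicated account
audit_unit() {
    user=""; nnp="no"; protect="no"
    # The "|| [ -n "$key" ]" keeps a final line that lacks a trailing newline.
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case "$key" in
            User)            user=$value ;;
            NoNewPrivileges) nnp=$value ;;
            ProtectSystem)   protect=$value ;;
        esac
    done
    # For a system unit, an empty or missing User= means the service runs as root.
    case "$user" in
        ""|root|0)
            if [ "$nnp" = "yes" ] && [ "$protect" != "no" ]; then
                echo "root-restricted"
            else
                echo "root-unconfined"
            fi ;;
        *)  echo "unprivileged:$user" ;;
    esac
}

# Live use on a systemd host (unit name as given in the post above):
#   audit_live muse-hub.service
audit_live() {
    systemctl show -p User -p NoNewPrivileges -p ProtectSystem "$1" | audit_unit
}

# Constructed sample inputs, so the script runs without systemd present.
sample_root() { printf 'User=\nNoNewPrivileges=no\nProtectSystem=no\n'; }
sample_svc()  { printf 'User=svc-updater\nNoNewPrivileges=yes\nProtectSystem=strict\n'; }

sample_root | audit_unit
sample_svc  | audit_unit
```

A `root-unconfined` result for a long-running, network-facing unit is the situation the post describes; `systemctl mask` as shown above keeps such a unit from being started again until it is unmasked.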

In reply to by davidjmcq

As mentioned numerous times, issues with Muse Hub are discussed on their support site at Muse Hub is an installer and it installs files into folders like /usr/lib so obviously needs to have appropriate privileges - it shouldn't be a security problem at all. But out of an abundance of caution, alternative solutions are being investigated.

In reply to by Marc Sabatella

This is just a lie. The right way to do this is to at install time make a single folder in /usr/lib that doesn't require root privileges to add files and folders in and then run the background service without root permissions which will mean that it can only mess around with its own folder rather than being able to mess with arbitrary system files. Making a torrent client run as root in the background is a massive security hole you're opening in your system and the fact that no one at MuseHub has acknowledged that makes me incredibly skeptical that the team is competent.

In reply to by oscardssmith

Absolutely. Whoever claims that MuseHub is not dangerous must be incredibly naive.

There is no need to assume at this moment that MuseHub is malware - there is no indication that it is, nor that it isn't. We simply don't know. Nor do we know the intentions of the team. They may very well act in good faith.

But that is not the point. MuseHub is just as dangerous as if it were malware. And the risk of its bittorrent function being hacked, a real risk that others have already pointed out, is not even the greatest danger.

Let me just sketch one scenario, entirely possible. Assume someone manages to replace the mother copy of MuseHub on the MuseHub server with a version that does contain malware. Let's say it's a ransomware, that encrypts all files on your computer and asks you to donate, say, $300 to get the decryption key.

Thanks to unchecked installation that malware would be silently installed on all computers receiving a copy. Thanks to bittorrent, distribution of that version would be lightning fast. Millions of computers would be infected overnight. How many users would grudgingly pay to have their files restored? One in ten? One in hundred? Think of the numbers involved.

Think that is unlikely? Think again. Ransomware is nothing new or unusual. MuseHub is a dream opportunity for whoever is in that business.

Note that it is not necessary to suspect the MuseHub company. A would-be attacker could hack the MuseHub server. Or they could bribe an employee. A determined attacker with enough resources can get in almost everywhere. And money would not be a problem with this kind of payoff.

I advise everybody who has MuseHub running to uninstall it immediately, and then to verify that it is indeed gone. And hope and pray it has left no backdoors. If you want to be really safe, reinstall your operating system.

In reply to by tedbooth

This doomsday scenario is entirely predicated on the notion that some criminal would be able to replace the download package on the server. And you're right, of course it's theoretically possible. Just as they could replace the download package for any other program in the world. And yet this is virtually never how malware is distributed, because there are so many better ways. There isn't anything particularly unusual about Muse Hub as installers go, except the torrent bit. So, if you're concerned that someone might pull this off and use the torrent technology to spread the malware, no need to uninstall Muse Hub - simply disable the automatic updates and/or community acceleration. If you're feeling extra paranoid, you could shut down the service entirely. But thinking that merely having it installed is somehow inviting catastrophe - now that's naive.

In reply to by Marc Sabatella

There is something very unusual about MuseHub. It runs with root privileges as a background task. That is precisely the thing that makes it dangerous. Pretty much every other installer will ask for root privileges once and then use those privileges to set up a folder for a non root process to manage. MuseHub by contrast holds on to its ability to do arbitrarily bad things to your system for ever.

In reply to by Marc Sabatella

You (Marc Sabatella) are misinformed about third party installers. Those do not have root permissions, instead they normally delegate the install task to a system installer. Which would be the proper way for MuseHub too.

Those installers do have root permission and are usually part of the operating system, and with good reason. They are developed by teams with intimate knowledge of their operating system, and of the latest attack routes on its safety. They are equipped with all kinds of safeguards to minimize the risk of installing malware. With MuseHub there is no such safeguard.

And even those very safe system installers normally ask you for your password, which MuseHub conveniently omits.

So MuseHub as installer is a completely different beast that you are totally misrepresenting.

In reply to by user2442

That's a completely irrelevant distinction. Whether it asks for root access or not, how many times does the average person say "no"? If you download software, it asks for permission to install, and you normally say yes - that's the whole reason you downloaded the program.

Someone intent on installing malware by this method could do it just as easily using any other installer. It's naive to think otherwise.

In reply to by Marc Sabatella

If this is so normal, why does no one else do things this way? (seriously. Name one other program that uses this install process) I understand you don't think there's anything wrong here, and to me that's probably the scariest part. Musescore is asking for root permissions on my computer to install software in a non-standard way, and the developers don't see this as a potential security issue, even when the avenue of attack has been repeatedly pointed out.

In reply to by oscardssmith

Many major vendors delivering large amounts of content that may need frequent updates have something similar in place. The exact mechanics may differ, but see for instance the Avid installer.

In any case, I'm not on the team developing Muse Hub, and if I were, I might have chosen to do things differently. And I'd be perfectly happy to see them make some changes to address these concerns. I'm merely pointing out that it's irresponsible to be scaring away users by drumming up fear of an incredibly unlikely event - one that, if it were to happen, would be much more likely to occur through entirely different means that don't involve Muse Hub at all. It's just harmful to the MuseScore community to be spreading such misinformation, and my goal here is to help users, not harm them.

In reply to by Marc Sabatella

What is irresponsible and unacceptable is to have a closed source program, running as root, when it doesn't need to run as root. On Linux, I have a package manager which installs stuff. I don't need some proprietary program installing stuff on my computer. If you wanted to give me these sounds for free, you would have given them for free, not require that I give you control over my computer.

The safest assumption is that it is malware, and in my opinion, it is completely foolish to trust it. We don't even know who wrote it, some Russian company... Extremely shady.

In reply to by sills

That is a well known pattern with them. Some time ago a thread was started just to discuss the issue of security (…).

It was well argued, and politely so. After a few days the thread silently disappeared. Only after this was mentioned on this forum, it was reinstated without comment (see on this forum:

A certain David from MuseHub then said soothing words. He agreed to an open discussion on the issue. In the beginning it went fine. But once a well argued case was made to drop the root access, citing warnings from both Apple and Microsoft, and again very respectfully, communication stopped and nothing was heard from David again.

Read through that thread. It is very instructive.

In reply to by kresimir

The vast majority of programs ever written in the history of computing are closed source. If we took the position that closed source = no one should ever trust it, then we might as well just go back to abacuses.

Calling something malware with zero evidence whatsoever is libel, plain and simple. It's a false statement made maliciously for the purpose of maligning a company and harming its community of users.

And FWIW, while there are some people of Russian descent who work for the company that produces Muse Hub, the company is not Russian, it is not based in Russia, and people employed by the company are from all over the world. But more importantly, are you seriously implying that being of a particular nationality makes you untrustworthy? There's a winning argument with history on your side...

In reply to by Marc Sabatella

People are raising flags because this closed software has root permissions that cannot be disabled on Linux as well as Windows. It's problematic because again, no one wants this running on their computer and no part of Muse Hub needs that much permission.

In reply to by Marc Sabatella

The vast majority of programs written in the history of computing work without needing root access. Closed source + root privilege = untrustworthy. It's as simple as that. This may be how things are done on Windows, but no Linux user in their right mind would accept this. And no, I'm not implying that a particular nationality makes you untrustworthy. What makes you untrustworthy is complete lack of transparency, combined with unreasonable demands for root access (for things which could have been done in a different way, without the need for root) for a service that constantly runs, resists being shut down, and is closed source.

It is also a fact that a lot of malware comes from Russia, just like a lot of scam operations are based in India. This has nothing to do with one's nationality, but with the fact that legal systems in these countries do not punish these activities as harshly as in most other countries.

In reply to by kresimir

Also, if MuseScore wasn't open source, I wouldn't be using it. It makes complete sense to distrust any closed source software, but especially if it requires root privileges, and doubly so if it fights you when you try to close it. And on top of it all, it's constantly connected not only to some server, but to a bunch of other computers. It's a security nightmare. You may as well write your passwords on post-it notes on your monitor for everyone to see, if you are going to trust this software. It's absurd and ridiculous beyond words, and anyone writing such software must either be hopelessly clueless about security or have malicious intentions. The same goes for people defending such practice.

As far as I'm concerned, I'm 99% sure it's up to something no good, and I'm certainly not going to risk running it on my system. It's not libel, it's common sense caution. Trust must be earned.

In reply to by kresimir

So just to be clear, you are also dismissing the 90% of the world who use Windows and macOS as being absurd and ridiculous. And accusing the people who have dedicated their lives to developing and supporting this software of having malicious intent is beyond belief.

Between that and the blatant racism, a wise woman once said, when someone shows you who they are, believe them the first time. It's great that people can see for themselves now just what kind of people are spewing this vile garbage, so thanks for that. My work is done here.

In reply to by Marc Sabatella

I'm sorry, there are just too many red flags to ignore.

Reasons why I suspect MuseHub might be malware:
1. Malware scanners on Windows report it as malware
2. Closed source and contrary to the spirit of MuseScore
3. No Linux distro packs it in its repo, one needs to manually download it with a browser to install it (something that should never be done on Linux)
4. Runs as service with root access. It doesn't need that, there are ways around it, but it explicitly refuses to run if not given root access
5. Constantly sends and receives data from the network, connects to multiple IP addresses
6. Resists being terminated, it goes out of its way to be difficult to uninstall or disable
7. Spikes CPU use on Windows when the screen is turned off
8. Produced by some shady company in Kaliningrad with a PO Box for address in Cyprus.

Reasons why it might not be:
1. A stranger on the Internet tells me it's perfectly safe and that I should trust it with full, unrestricted access to my computer, and if I don't, I'm a terrible person, a "blatant racist spewing vile garbage"... And why? So that it can give me a soundfont! Of course, you can't have nice sounds in a notation software if you don't completely disregard all established security practices!

Honestly, if I didn't see it with my own eyes, I couldn't believe that you've written those things about me, you don't even know me. It's utterly irrational, immature, hurtful, and yes, downright malicious.

Yeah, I'm probably done, too.

In reply to by Marc Sabatella

You (Marc Sabatella) say: "the company is not Russian, it is not based in Russia."

Well, read the following:

"According to LinkedIn and their own press release, Muse Group is headquartered in Limassol, Cyprus. LinkedIn also shows the following additional office locations: Kaliningrad, Russia; St. Petersburg, Russia; and London, Great Britain."


Headquarters on Cyprus says nothing. Cyprus is famous for its low taxes and other benefits for foreign companies seeking access to the EU market. Many companies have a token presence there for this purpose, effectively operating just a P.O. Box there.


That leaves three offices, two of them in Russia. This goes much further than "some people of Russian descent who work for the company", as you say. It is a safe bet that Russian influence with MuseHub is very strong, if not dominant.

In reply to by Marc Sabatella

I don't have problems with closed source software or even community bittorrenting. But, I do get antsy when Norton starts alerting me that I have bitcoin mining occurring from the MuseHub. Is this a false positive of some sort? Probably... but, it's not as simple as "simply disable the automatic updates and/or community acceleration" ... because I did that last week when I got these alerts the first time. Yet, this morning, I'm still getting this alert:

"Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Destination Address,Source Address,Traffic Description
9 May 2023 2:23:42 AM,High,An intrusion attempt by gateway.docker.internal was blocked.,Blocked,No Action Required,System Infected: Miner.Bitcoinminer Activity 6,No Action Required,No Action Required,"gateway.docker.internal (, 6881)",", 60016",gateway.docker.internal (,"TCP, Port 6881"
Network traffic from gateway.docker.internal matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME2\PROGRAM FILES\WINDOWSAPPS\MUSE.MUSEHUB_1.0.1.692_X64__RB9PTH70M6NZ6\MUSE.SERVICE.EXE."

The server it is trying to connect to is:

Looks like a datacenter IP from the NL, but that might be spoofed since so many VPNs operate out of the NL.
But, more importantly, I've taken the suggested steps and it has not stopped the traffic.

In reply to by Marc Sabatella

Ever heard of SolarWinds? You're talking about naivety, but you don't have the competence to realize that one of the most harmful ransomware campaigns in history was carried out IN THE EXACT MANNER YOU DESCRIBED AS BEING UNREALISTIC. Do you have any idea of cybersecurity concepts and news? Reading these comments from you casts SERIOUS doubts about the knowledge level of these engineers. Do you have procedures to ensure that a supply-chain attack would be detected? I'm assuming not, considering you just called a supply chain attack "virtually never how malware is distributed." Your company is not a small one-man shop. Your company IS a target of large threat actors, as you have tons of users worldwide. Infecting your supply chain would result in MILLIONS of infections. PLEASE read up on cybersecurity trends, because your lack of knowledge is, frankly, laughable.

I am reading this because Malwarebytes just marked it as a trojan. I am not as techy as some of you so could someone tell me in plain English what to do lol? Thanks in advance.

In reply to by tuttijones

There is always the possibility of a false alarm, but in your place I would take no risks.

The safe option would be to reinstall your operating system.

Since you don't know what this trojan might do, best would be to shut down the computer as soon as possible, and then reinstall from a fresh copy of your OS.

You will probably be given the option to keep your user files, and that will probably be OK. But if you have a backup of your user files, the safest option would be to do a complete fresh install and then restore your user files from that backup. Then you can reinstall your apps/programs one by one (not MuseHub, obviously).

After that, it might be a good idea to change your passwords. In any case those that you have used while the trojan was on your system - it might have listened to them and copied them to a third party. (If you have a plain text file on your computer with all your passwords, you should change all of them.)

If you need help with all that, please let us know if you are on Windows, macOS, or Linux. Then we could give you some pointers on how to do it. Best of course would be to get help from a trusted person by your side who can walk you through it.

BTW, do you have any information on the trojan? How is it called? When did you get the warning: at installation of MuseHub, or at some later time?

Good luck.

In reply to by johnweigand

OMG!! Really!! See below for the report from Malwarebytes. I have received a few of these this evening, never before. I don't know if this is linked but a few days ago a friend received an email from me that I didn't send. I NEVER click on links so have been scratching my head as to how this happened. An email from Malwarebytes offered a breach report and found Onliner Spambot and Zynga. I spent yesterday changing Microsoft passwords but these alerts came this evening. I am running Windows 10. Any help will be gratefully received.

-Log Details-
Protection Event Date: 5/4/23
Protection Event Time: 8:14 PM
Log File: dc26a370-eaaf-11ed-ab28-c85b7643fb0d.json

-Software Information-
Components Version: 1.0.1991
Update Package Version: 1.0.69014
License: Premium

-System Information-
OS: Windows 10 (Build 19045.2846)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\WindowsApps\Muse.MuseHub_1.0.1.693_x64__rb9pth70m6nz6\Muse.Service.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
IP Address:
Port: 6881
Type: Outbound
File: C:\Program Files\WindowsApps\Muse.MuseHub_1.0.1.693_x64__rb9pth70m6nz6\Muse.Service.exe


In reply to by tuttijones

I am not an expert on Malwarebytes, but it looks to me as if the attack was stopped by it. In that case you would be home free.

Yet, your report on mail never sent is disturbing. But then again, that one might be unrelated.

Incidentally, this is port 6881 which is a bittorrent port. It looks like not MuseHub itself was identified as a trojan, as I first understood you, but that a third party tried to use it to introduce a trojan to your system. Luckily it was caught. Not sure how to understand "outbound" here though.

Again, not an expert on Malwarebytes. What do others think?

In reply to by johnweigand

If you read up on this thread, musehub is also doing a bunch of shady stuff like spiking cpu usage and even taking up graphic driver ram????!??!?!?!?!?!?
If it's marked malware, it's probably malware.
(remember, this software has root permission!)

In reply to by tuttijones

Correction, my previous post was based on the report you copied. I now see that you have also reports saying "compromised", and that you also were given the names Onliner Spambot and Zynga. Could it be that those are other security breaches, that were not blocked? That would be bad news. Do you still have that breach report?

In reply to by johnweigand

Sorry it's taken me so long to get back to you. This is the response I had from Malwarebytes:

"From the information I found reported on the developer's forum below, this program appears to use peer-to-peer connections for updates.

With regards to the blocks for Musehub, it is not Musehub itself that is being detected and blocked, but instead a communication attempt by Muse.Service.exe, to a blocked server. Sometimes peer-to-peer services may contact servers that have also hosted malware at some point and may trigger a block detection when being accessed.

For example, the IP has been reported for abuse:

You may want to reach out to them to let them know and ask them why they are using servers known to be involved in abuse."

I'm getting a similar issue, but with Norton Antivirus. Below are the details for the curious:

Severity: High
Activity: An intrusion attempt by [PC Name] was blocked.
Date&Time: 5/16/2023 6:51:00 AM
Status: Blocked

IPS Alert Name: System Infected: Miner.Bitcoinminer Activity 6
Destination Address:, 55006
Traffic Description: TCP, Port 6881

Network traffic from [PC Name] matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISK\VOLUME3\WINDOWSAPPS\MUSE.MUSEHUB_1.0.0.624_X64__RB9PTH70M6NZ6/MUSE.SERVICE.EXE

I've had a similar problem happen, except with it detecting the trojan virus.
I don't know what to do, so I looked it up and found this.
I may make my own post about it, but currently I am just commenting on this one.
Please help, I'm clueless.

In reply to by Recorder-Clari…

It's up to you to decide whether you trust this MuseHub software with complete access to your computer or not. I can't tell you what to do, it's your decision.

Personally, I do not trust it for the reasons I stated above and until MuseHub becomes open-source and I can compile it myself (fat chance of that ever happening, it's proprietary for a rea$on), I will not take any chances with it. If that means I am denied access to the pretty soundfont and I have to endure the regression in playback quality, so be it. Even if it meant not being able to run MuseScore at all, I wouldn't run MuseHub on any of my computers. To me, that program looks extremely shady and untrustworthy.

But again, the decision is yours, do not blindly trust what other people (including me) say, but make your own informed decision.

Thanks a lot for that. My security policy under company says that I'm not allowed to use this software on corporate PC. So I removed it because it works as p2p and here are some details:
Musehub is so suspicious,
- Background service will run on startup, even if you have "start on boot" turned off.
- Background service can not be killed
- Background service sends and receives data on all devices in your local network.
- Sends data to "" in USA (Microsoft IP)
- Sends data to ""

So it would be really nice to fix that problem somehow.
