EvilQuest Ransomware (macOS)

EvilQuest: Mac Ransomware Masquerading as Pirated Software with Spyware Features

EvilQuest is a macOS ransomware that first appeared in 2020, often bundled with cracked software downloads from torrent sites. Unlike traditional ransomware that only encrypts files, EvilQuest also installs keyloggers, reverse shells, and data-stealing spyware, giving attackers long-term access to the infected system. Its use of pirated apps as a delivery vector and its hybrid payload make it one of the more dangerous examples of macOS malware to date.

Introduction to EvilQuest

EvilQuest, also seen under names like ThiefQuest, spreads by posing as pirated versions of popular Mac apps such as Little Snitch or Ableton Live. Once executed, it encrypts files across the system and demands a ransom, while quietly launching spyware components in the background. These features suggest that EvilQuest was built not only for extortion, but also for persistent surveillance and data theft.

---

1. How EvilQuest Works

Infection Mechanism:
EvilQuest is delivered through:

• Cracked applications from torrent or warez sites
• Fake installers repackaged with the malicious payload
• Disguised as legitimate software but requires admin privileges to run

Payload Execution:
After execution, EvilQuest:

• Encrypts user files and displays a ransom note
• Installs a keylogger and reverse shell for remote access
• Modifies system files and hides in LaunchAgents or system folders
• Steals files and data, potentially uploading them to attacker-controlled servers

---

2. History and Notable Campaigns

Origin and Discovery:
First reported in June 2020 by Malwarebytes and Patrick Wardle, EvilQuest was one of the few ransomware families designed specifically for macOS. Its sudden appearance and dual-purpose functionality raised concerns in the Apple security community.

Notable Campaigns:

• Spread heavily through pirated macOS software on torrent platforms
• Some variants used obfuscated bash scripts to complicate analysis
• No confirmed decryptor was ever released, making recovery difficult without backups

---

3. Targets and Impact

Targeted Victims and Sectors:

• Mac users seeking pirated software
• Primarily individual users, not known to have targeted corporate networks
• Victims who disabled Gatekeeper or ignored installer warnings

Consequences:

• File encryption with no reliable decryption option
• Installation of spyware capable of capturing passwords and keystrokes
• Unauthorized remote access to the system
• Permanent data loss for users without backups

---

4. Technical Details

Payload Capabilities:

• Encrypts files with a random key, often not stored or recoverable
• Displays a ransom note in a text file
• Installs:
  • Keylogger
  • Reverse shell for remote access
  • File exfiltration tool
• Creates persistence via LaunchAgents and scripts

Evasion Techniques:

• Distributed in cracked apps, exploiting user trust
• May disable security tools or alter system settings
• Hides components under misleading file names
• Uses obfuscation and packers to complicate static analysis

---

5. Preventing EvilQuest Infections

Best Practices:

• Never download or run pirated software
• Only install apps from the Mac App Store or trusted developers
• Keep macOS and all apps updated
• Enable Gatekeeper and leave it active
• Use a standard user account for daily use — not admin

Recommended Security Tools:

• macOS-compatible antivirus tools (e.g., Malwarebytes, Intego)
• Tools that monitor LaunchAgents and unusual network behavior
• Ransomware-specific protection solutions with behavioral detection

---

6. Detecting and Removing EvilQuest

Indicators of Compromise (IoCs):

• Unusual apps or processes running from /Users/Shared/ or /Library/LaunchAgents/
• Unexpected file encryption and ransom note (e.g., READ_ME_NOW.txt)
• Spike in CPU usage or unusual outbound traffic
• Suspicious hidden files or renamed system binaries

Removal Steps:

1. Boot into Safe Mode and disconnect from the internet
2. Remove malicious apps, LaunchAgents, and persistence scripts
3. Use a trusted malware scanner to confirm full cleanup
4. Recover data from Time Machine or other backups if available
5. If no backup exists, data may be permanently lost

Professional Help:
For encrypted systems or suspected data exfiltration, seek assistance from a Mac forensics expert or ransomware response team.

---

7. Response to an EvilQuest Infection

Immediate Steps:

• Disconnect the device from all networks
• Do not pay the ransom — no verified decryptor exists
• Identify and isolate the malware
• Restore files from clean backups
• Reset all passwords accessed from the infected machine

---

8. Legal and Ethical Implications

Legal Considerations:
Victims may face data loss, but use of pirated software complicates reporting and may expose them to legal liability. The malware itself may also violate local or international laws on digital extortion and unauthorized surveillance.

Ethical Considerations:
EvilQuest highlights the dangers of piracy, not just legally, but as a serious security risk. Its use of spyware alongside ransomware shows a deliberate attempt to exploit user trust and privacy.

---

9. Resources and References

• Malwarebytes: EvilQuest
• Malwarebytes Labs: Mac ThiefQuest malware may not be ransomware after all
• Patrick Wardle: Objective-See blog on EvilQuest analysis
  • OSX.EvilQuest Uncovered: Part I
  • OSX.EvilQuest Uncovered: Part II
• SentinelOne Blog: EvilQuest Rolls Ransomware, Spyware & Data Theft Into One
• MITRE ATT&CK Techniques:
  • T1486 (Data Encrypted for Impact)
  • T1056.001 (Keylogging)
  • T1219 (Remote Access Tools)
  • T1204.002 (User Execution: Malicious File)

---

10. FAQs about EvilQuest

Q: What is EvilQuest malware?
A macOS ransomware that encrypts files and installs spyware, spread through pirated software.

Q: How does it spread?
Through cracked or fake installers downloaded from unofficial sources.

Q: What makes it unique?
It combines ransomware with surveillance tools like keyloggers and reverse shells.

Q: Can I recover encrypted files?
Not reliably — unless you have a backup, recovery is unlikely.

---

11. Conclusion

EvilQuest was a wake-up call for macOS users, proving that ransomware and spyware aren’t just Windows problems. Its use of pirated apps to gain access, combined with its aggressive surveillance features, makes it one of the more sophisticated Mac malware strains in recent years. Avoiding untrusted downloads and enabling system protections is essential to staying safe.

 

 

« Back to the Virus Information Library

« Back to the Security Center