{
	"id": "b06705c8-239a-4d03-bc90-a6b587341412",
	"created_at": "2026-04-06T00:17:21.330565Z",
	"updated_at": "2026-04-10T13:12:21.542366Z",
	"deleted_at": null,
	"sha1_hash": "0614709c3342ee2f12104b1d54b78cacb0e5d56a",
	"title": "ThiefQuest ransomware is a file-stealing Mac wiper in disguise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2839262,
	"plain_text": "ThiefQuest ransomware is a file-stealing Mac wiper in disguise\r\nBy Sergiu Gatlan\r\nPublished: 2020-07-01 · Archived: 2026-04-05 18:24:32 UTC\r\nA new data wiper and info-stealer called ThiefQuest is using ransomware as a decoy to steal files from macOS users. The victims get infected after downloading trojanized installers of popular apps from torrent trackers.\r\nWhile not common, ransomware has been known to target the macOS platform in the past, with KeRanger, FileCoder (aka Findzip), and Patcher being three other examples of malware designed to encrypt Mac systems.\r\nThiefQuest was first spotted by K7 Lab malware researcher Dinesh Devadoss and analyzed by Malwarebytes' Director of Mac \u0026 Mobile Thomas Reed, Jamf Principal Security Researcher Patrick Wardle, and BleepingComputer's Lawrence Abrams, who found an interesting twist.\r\nhttps://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/\r\nPage 1 of 8\r\nInstalls a keylogger and opens a reverse shell\r\nDevadoss discovered that ThiefQuest includes the capability to check if it's running in a virtual machine (more of a sandbox check according to Wardle), and it features anti-debug capabilities.\r\nIt also checks for some common security tools (Little Snitch) and antimalware solutions (Kaspersky, Norton, Avast, DrWeb, McAfee, Bitdefender, and Bullguard) and opens a reverse shell used for communication with its command-and-control (C2) server, as VMRay technical lead Felix Seele found.\r\nThe malware will connect to http://andrewka6.pythonanywhere[.]com/ret.txt to get the IP address of the C2 server to download further files and send data.\r\n\"Armed with these capabilities the attacker can maintain full control over an infected host,\" Wardle said.\r\nPirated app infected with ThiefQuest ransomware promoted on RUTracker (Malwarebytes)\r\nDistributed as pirated apps on torrent sites\r\nAs Reed found after examining the ransomware, ThiefQuest is dropped using infected installers wrapping legitimate software including but not limited to Little Snitch, Ableton, and Mixed in Key.\r\nEven though the malicious .PKG installers downloaded from popular torrent sites are code signed and look just as any legitimate installer would when launched, they are distributed as DMG files and don't have a custom icon, a warning sign that something is not quite right for many macOS users.\r\nReed also found that, in the case of one of the ThiefQuest samples analyzed, the packages of compressed installer files include the pirated apps' original installers and uninstallers, together with a malicious patch binary and a post-install script used to launch the installer and launch the malware.\r\nThiefQuest also copies itself into ~/Library/AppQuest/com.apple.questd and creates a launch agent property list at ~/Library/LaunchAgents/com.apple.questd.plist with a RunAtLoad key set to true to automatically get launched whenever the victim logs into the system.\r\nAfter gaining persistence on the infected device, ThiefQuest launches a configured copy of itself and starts encrypting files, appending a BEBABEDD marker at the end.\r\nUnlike Windows ransomware, ThiefQuest has issues starting to encrypt files. When it does, it isn't picky.\r\nIt seems to be locking files randomly, generating various issues on the compromised system, from encrypting the login keychain to resetting the Dock to the default look, and causing Finder freezes.\r\n\"Once file encryption is complete, it creates a text file named READ_ME_NOW.txt with the ransom instructions,\" Wardle added, and it will also display and read a modal prompt using macOS' text-to-speech feature letting the users know that their documents were encrypted.\r\nThe victims are asked to pay a $50 ransom in bitcoins within three days (72 hours) to recover their encrypted files and are directed to read a ransom note saved on their desktops.\r\nSuspiciously, ThiefQuest is using the same static Bitcoin address for all victims and does not contain an email address to contact after payment has been made.\r\nThis makes it impossible for the attackers to identify victims who paid the ransom, and for a victim to contact the ransomware operators for a decryptor.\r\nCombining a static Bitcoin address with a lack of contact methods is a strong indication that the ransomware is a wiper instead.\r\nWipers, though, are usually used as a cover for some other malicious activity.\r\nWiper malware used for data theft\r\nAfter the malware was analyzed by BleepingComputer's Lawrence Abrams, we believe that the ransomware is simply a decoy for the true purpose of this malware. That is, to search for and steal certain file types from the infected computer.\r\nWhen the malware is executed on a Mac, it will execute shell commands that download Python dependencies and Python scripts disguised as GIF files, and then run them.\r\nExecuted shell commands\r\nSource: BleepingComputer\r\nThe tasks conducted by the above command are:\r\nDelete the /Users/user1/client/exec.command and /Users/user1/client/click.js files.\r\nDownload and install PIP.\r\nInstall the Python 'requests' dependency.\r\nDownload p.gif, which is a Python file, and execute it.\r\nDownload pct.gif, which is another Python file, and execute it.\r\nThe p.gif file is a heavily obfuscated Python script, and we have not been able to determine what its functionality is.\r\nHeavily obfuscated Python script\r\nSource: BleepingComputer\r\nOf particular interest in the above file is the comment:\r\n# n__ature checking PoC\r\n# TODO: PoCs are great but this thing will\r\n# deliver much better when implemented in\r\n# production\r\nThe pct.gif file is not obfuscated and is clearly a data exfiltration script that steals files under the /Users folder and sends them to a remote URL.\r\nData exfiltration script\r\nSource: BleepingComputer\r\nWhen executed, this script will search for any files under the /Users folder that have the following extensions:\r\n.pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .\r\nFor any file that matches the search criteria, it will base64 encode the contents of the file and send it, together with the path of the file, back to the threat actor's Command \u0026 Control server.\r\nThese files include text files, images, Word documents, SSL certificates, code-signing certificates, source code, projects, backups, spreadsheets, presentations, databases, and cryptocurrency wallets.\r\nTo illustrate how this may look on the other end for the threat actor, BleepingComputer created a proof-of-concept script that accepted the requests from the above data-stealing script.\r\nPoC of receiving stolen files\r\nSource: BleepingComputer\r\nWhile our PoC only logs the contents of a file to our log file, it could have written each file to a folder matching the victim's IP address.\r\nOne interesting feature of this script is that it will not transfer any files greater than 800KB in size.\r\nAdvanced Intel's Vitali Kremez, with whom BleepingComputer shared the script, agreed with our findings and pointed out that many of the searched file types are generally over 800KB in size.\r\nWhat should victims do?\r\nAs you can see, the ThiefQuest wiper is much more damaging than first thought, as not only will data be encrypted, but it may not even be decryptable if a victim pays.\r\nTo make matters worse, the malware will steal files from your computer that contain sensitive information that could be used for a variety of malicious purposes, including identity theft, password harvesting, stealing of cryptocurrency, and stealing private security keys and certificates.\r\nIf you were infected with this malware, you should assume any files that match the listed extensions have been stolen or compromised in some manner.\r\nWhile it is not known if a decryptor can be made, users can install Wardle's free RansomWhere utility, which detects ThiefQuest's attempts to gain persistence and allows them to terminate it once it starts locking their files.\r\nReed also says that Malwarebytes for Mac is capable of detecting this new macOS ransomware as Ransom.OSX.ThiefQuest and will remove it from infected Macs.\r\nAt the moment, researchers are still looking into what encryption ThiefQuest uses to encrypt its victims' files and if there are any weaknesses in the encryption.\r\nUpdate July 02, 09:00 EDT: We updated the title and the article to reflect the malware's name change to ThiefQuest from EvilQuest (a name used by Chaosoft Games' Xbox 360 and PC video game since 2012).\r\nIOCs\r\nNetwork traffic:\r\nhttp://andrewka6.pythonanywhere.com/ret.txt\r\nhttp://167.71.237.219\r\nRansom note text:\r\nYOUR IMPORTANT FILES ARE ENCRYPTED\r\nMany of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted.\r\nWe use 256-bit AES algorithm so it will take you more than a billion years to break this encryption without knowing the ke\r\nAnyways, we guarantee that you can recover your files safely and easily. This will require us to use some processing power\r\nIn order to accept this offer, you have to deposit payment within 72 hours (3 days) after receiving this message, otherwis\r\nPayment has to be deposited in Bitcoin based on Bitcoin/USD exchange rate at the moment of payment. The address you have t\r\n 13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\r\nDecryption will start automatically within 2 hours after the payment has been processed and will take from 2 to 5 hours de\r\nTHIS OFFER IS VALID FOR 72 HOURS AFTER RECEIVING THIS MESSAGE\r\nSource: https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/"
	],
	"report_names": [
		"evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434641,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0614709c3342ee2f12104b1d54b78cacb0e5d56a.pdf",
		"text": "https://archive.orkl.eu/0614709c3342ee2f12104b1d54b78cacb0e5d56a.txt",
		"img": "https://archive.orkl.eu/0614709c3342ee2f12104b1d54b78cacb0e5d56a.jpg"
	}
}