{
	"id": "2bfd168b-48f7-4944-b9eb-3f04d5e86eff",
	"created_at": "2026-04-06T02:13:01.097482Z",
	"updated_at": "2026-04-10T13:12:33.961123Z",
	"deleted_at": null,
	"sha1_hash": "33b4583bf1cdd2911a489aa25407ec576f7ddbd1",
	"title": "Mac ThiefQuest malware may not be ransomware after all",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 670243,
	"plain_text": "Mac ThiefQuest malware may not be ransomware after all\r\nBy Thomas Reed\r\nPublished: 2020-07-06 · Archived: 2026-04-06 01:56:44 UTC\r\nEditor’s note: The original name for the malware, EvilQuest, has been changed due to a legitimate game of the\r\nsame name from 2012. The new name, ThiefQuest, is also more fitting for our updated understanding of the\r\nmalware.\r\nThe ThiefQuest malware, which was discovered last week, may not actually be ransomware according to new\r\nfindings. The behaviors that have been documented thus far are still all accurate, but we no longer believe that the\r\nransom is the actual goal of this malware.\r\nWhy? That’s a great question, and there have been a number of bread crumbs that have led us to this conclusion.\r\nUnlikely ransom behavior\r\nThe presence of keylogging and backdoor code, discovered by Patrick Wardle, is unusual in ransomware. Unheard\r\nof on the Mac, really, but then we haven’t seen much ransomware on this side of the street. This discovery\r\nindicated that there was something strange about this threat.\r\nThere are also several clues left right in the ransom note itself:\r\nThe first clue is that the price of decryption is $50 USD. That’s a strangely low price, and in USD rather than\r\nBitcoin, and the victim would be expected to calculate the correct amount of Bitcoin at the exchange rate at that\r\nmoment. This by itself, however, isn’t proof of anything.\r\nThere was another finding later noticed by Lawrence Abrams, of Bleeping Computer, who has more experience\r\nwith ransomware in the Windows world than most of the Mac researchers who were investigating. 
There was no\r\nhttps://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/\r\nPage 1 of 5\n\nemail address provided in the ransom note, so there’s no way to get in touch with the criminals behind the\r\nmalware to get your decryption key—and no way for them to contact you either.\r\nFurther, when ransom notes obtained from different systems were compared, it was discovered that the Bitcoin\r\naddress given is the same for everyone. This means that there would be no way for the criminals to verify who\r\npaid the ransom.\r\nFinally, although there is a decryption routine in the malware, findings by Patrick Wardle showed that it was not\r\ncalled anywhere in the malware code, meaning the function is orphaned and will never get executed.\r\nThis, plus the strange reluctance shown by the malware to actually encrypt anything, suggests that the ransom is\r\nmerely a distraction. (I was only able to get files encrypted once, and that was not the same install where the\r\nmalware was yelling at me every five minutes that it had encrypted my files when it actually hadn’t.)\r\nWhile looking at the network activity from an active install of ThiefQuest, I noticed that it was making literally\r\nhundreds of connections to the command and control (C2) server rapidly.\r\nLike a magician, distracting your eye with one hand while the other performs some sleight of hand, this malware\r\nappears to be making a lot of noise to cover for what we now believe is its real goal: data exfiltration.\r\nExfiltration?\r\nFor those unfamiliar with the term, data exfiltration is simply data theft. It’s used to refer to the act of malware\r\ncollecting data from an infected machine and sending it to a server under the attacker’s control.\r\nIn the case of ThiefQuest, there was a Python script that was dropped on the system, but not reliably. (I didn’t get\r\nit in every installation.) 
That script was used to exfiltrate data.\r\nThis script scans through all the files in the /Users/ folder—the folder that contains all user data for all users on\r\nthe computer—for any files having certain extensions, such as .pdf, .doc, .jpg, etc. Some extensions in particular\r\nindicate points of interest for the malware, such as .pem, used for encryption keys, and .wallet, used for\r\ncryptocurrency wallets.\r\nThose files are then uploaded via unencrypted HTTP, one after another. Examining the network packets showed\r\nthat they contained a string with two pieces of information: a file path and a random string of characters.\r\nc=VGhpcyBpcyBhIHRlc3QK\u0026f=%2FUsers%2Ftest%2FDocuments%2Fpasswords.doc\r\nThe passwords.doc file this refers to was a decoy file that contained the text “This is a test.” The seemingly\r\nrandom string, VGhpcyBpcyBhIHRlc3QK, is a base64-encoded string that, when decoded, shows the content of the\r\nfile.\r\nThus, the malware was exfiltrating hundreds of files over unencrypted HTTP.\r\nSo what is this Mac malware?\r\nAccording to Abrams, such malware in the Windows world is known as a “wiper.” Such malware is often intended\r\nto steal data and wipe the system, in part or in whole, to cover its tracks.\r\nTypically, a wiper is deployed in targeted attacks against a particular organization. Sometimes, as has been the\r\ncase with malware such as the infamous NotPetya, that malware will spread beyond the target, or may\r\nintentionally be spread widely to hide who the target is.\r\nAt this point, there’s no indication that this is a targeted attack. 
It’s too all over the board so far, with random\r\nsightings all over the globe.\r\nThere is some indication that this may be just a proof-of-concept (PoC), such as the following comment in a\r\nPython script associated with the malware:\r\n# n__ature checking PoC # TODO: PoCs are great but this thing will # deliver much better when impleme\r\nI am always reluctant to believe what a piece of malware tells me. This may be a red herring, or may be an old\r\ncomment that was never removed, or perhaps that single Python script itself is the PoC. Still, the apparent lack of\r\npolish on this malware could mean that it was not really ready for release.\r\nAdditional capabilities\r\nAs mentioned previously, this malware appears to also include code for keylogging and for opening a backdoor to\r\ngive the attacker prolonged access to your Mac. This is unusual for ransomware, but not at all unusual given\r\nour new understanding of the malware.\r\nMore unexpected, though, is the fact that the malware appears to include code that behaves like the textbook\r\ndefinition of a virus—something that has not been seen on Macs since the change from System 9 to Mac OS X\r\n10.0.\r\nWe previously noted that the malware injected itself into some files related to Google Software Update, and found\r\nthis rather puzzling, as Google Chrome will detect the changes and replace the tampered files with clean ones.\r\nHowever, new findings on viral behavior from Patrick Wardle revealed more information about how this is\r\nhappening.\r\nA virus is a specific type of malware that adds malicious code to legitimate apps or executables, as a\r\nway to spread or reinfect a machine.\r\nThe malware will actually search through the /Users/ folder looking for executable files. When it finds one, it will\r\nprepend malicious code to the beginning of the file. 
This means that when the file is executed, the malicious code\r\nis executed first. That code will then copy the legit file content into a new, invisible file and execute that.\r\nThe act of replacing or modifying a legit file with a malicious one, and then running legit code to make it look like\r\nnothing’s wrong, is not new on macOS. In fact, the first real Mac ransomware, KeRanger, was spread through a\r\nmodified copy of the Transmission torrent app. The attacker modified Transmission then hacked the Transmission\r\nweb site to spread the poisoned version of the app.\r\nHowever, until now, this had been done manually by an attacker in order to modify a legitimate app for malicious\r\ndistribution. This has not been done in an automated fashion by malware since the days of System 1 through\r\nSystem 9, when Mac viruses were last seen.\r\nWhat should I do if I’m infected?\r\nThe intent of the malware doesn’t change its removal, and Malwarebytes for Mac will still remove all known\r\ncomponents of the malware.\r\nHowever, there are some other considerations. It’s entirely possible that executable files on an infected Mac may\r\nhave been modified maliciously, and these changes may not be detected by antivirus software. Even if they are,\r\nremoval of those files may cause damage to software on your system. Thus, because of this danger and the likely\r\ndamage to user data, it may be prudent to restore an infected system from backups rather than trying to disinfect it.\r\nRecovering from data theft can be harder, in some ways, than recovering from ransomware. If you have good\r\nbackups, recovering from ransomware is relatively easy. There’s no taking back stolen data, though!\r\nIf you were infected, spend some time thinking about what data you have that may have been stolen. How you\r\nrespond depends on the data. If you had credit cards in the data in your user folder, you may want to consider\r\ncanceling them. 
If there was sensitive personal information, such as social security numbers, consider locking\r\nyour credit with credit agencies. If you had passwords, change those passwords wherever you use them.\r\nUltimately, though, personal information that has been stolen is forever in other hands. In cases of embarrassing or\r\ndamaging information that is leaked, there’s no recovery. If the attacker decides to do something malicious with\r\nthat—blackmail, for example—you can’t protect yourself.\r\nThus, it’s best not to rely on FileVault encryption of your hard drive alone. That’s great for protecting your data if\r\nyour Mac gets stolen, but not so much against malware running on the machine. If you have any highly sensitive\r\ndata, be sure that it is encrypted independently somehow. Prevention is always the best protection.\r\nI don’t have backups! Can I get my data back?\r\nA decryptor for files that may have gotten encrypted is available on GitHub. It is a command-line tool, so if\r\nyou’ve had files encrypted, you’ll need to run the decryptor from the Terminal. If you aren’t sure what to do,\r\nplease feel free to seek help in the Malwarebytes forums.\r\nAbout the author\r\nHad a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.\r\nSource: https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/"
	],
	"report_names": [
		"mac-thiefquest-malware-may-not-be-ransomware-after-all"
	],
	"threat_actors": [],
	"ts_created_at": 1775441581,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/33b4583bf1cdd2911a489aa25407ec576f7ddbd1.pdf",
		"text": "https://archive.orkl.eu/33b4583bf1cdd2911a489aa25407ec576f7ddbd1.txt",
		"img": "https://archive.orkl.eu/33b4583bf1cdd2911a489aa25407ec576f7ddbd1.jpg"
	}
}