{
	"id": "c3835fc9-c9e1-4bf1-9dcb-2391e0d27164",
	"created_at": "2026-04-06T00:17:20.481261Z",
	"updated_at": "2026-04-10T03:21:37.519335Z",
	"deleted_at": null,
	"sha1_hash": "bc49ff6322aba04ffde1cfecd3765ad5f3bfe348",
	"title": "\"EvilQuest\" Rolls Ransomware, Spyware \u0026 Data Theft Into One",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6597685,
	"plain_text": "\"EvilQuest\" Rolls Ransomware, Spyware \u0026 Data Theft Into One\r\nBy Phil Stokes\r\nPublished: 2020-07-08 · Archived: 2026-04-05 18:21:43 UTC\r\nThere has, unsurprisingly, been a great deal of interest in the news that a new macOS threat with ransomware capabilities is on the loose. First brought to the macOS community’s attention by malware researcher Dinesh Devadoss, this threat has been receiving intense scrutiny from security researchers, with some excellent work done by researchers Scott Knight, Patrick Wardle and our own SentinelLabs team. As it turns out, this threat is much more than just a novel piece of ransomware, is under active development, and is one of the more complex threats to be seen so far targeting the Mac platform. In this post, we’ll cover what is known to date and bring you up to speed on the latest iterations.\r\nThe Many Names of EvilQuest, ThiefQuest, and MacRansom.K\r\nThe threat was initially labelled “EvilQuest” by researchers at Malwarebytes, who then renamed it a few days later as “ThiefQuest”. Aside from the two names they suggested, many engines on VT also flag it as MacRansom.K.\r\nhttps://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/\r\nPage 1 of 10\r\nThis has led to some confusion, unfortunately, both about the threat and its capabilities.\r\nWhile Mac.Ransom.K does conform to a recognized convention (platform/type/variant), it’s problematic because the threat is not only, and perhaps not even primarily, a ransomware threat. As malware authors on all platforms are increasingly reusing code to provide multiple features, classifying by threat type may not be all that helpful.\r\nA good malware naming convention would ideally group malware samples by common characteristics. On that score, the most common characteristic in the samples seen so far is the __cstring literal “toidievitceffe”, which along with other strings like “rennur.c” (c.runner) is clearly the reverse of otherwise recognizable English language words:\r\necho 'toidievitceffe' | rev\r\neffectiveidiot\r\nMoreover, we see the developers clearly used “toidievitceffe” as the name of their Xcode project.\r\nOther interesting reversed strings here include “naughtycuckoo”, “keylogger” and “filewatcher”, which as we will explain further below may give a better insight into the threat actor’s true motivation.\r\nIn some samples, the reversed “effectiveidiot” string occurs over 60 times, which might suggest the malware authors themselves were rather fond of the idea that security researchers would hit on this for a name. Here we use the excellent floss tool to extract strings as an alternative to the native strings utility:\r\nMoreover, string obfuscation in recent samples shows that the developers deliberately planted the user name “drozdovsky” and the build name “toidievitceffe”, no doubt in an attempt to misdirect attribution.\r\nWhile it could be argued that malware naming conventions aren’t vitally important, they are nevertheless helpful, particularly for researchers and others tracking evolving public discussion and research. Despite there being a strong argument for calling this new threat “OSX.EffectiveIdiot”, we suspect that this naming muddle is probably a bed that cannot be unmade. “EvilQuest/ThiefQuest” will likely stick simply because of its widespread initial use in the media, and who doesn’t like a thief or a good bit of evil in a headline anyway?\r\nBroken Crypto: Ransomware Capabilities, Just for Show?\r\nAs the initial excitement around “EvilQuest/ThiefQuest” stemmed from it being a novel macOS ransomware threat, let’s look at that first. Ransomware has been pillaging the Windows world of late, but this is only the third known ‘in the wild’ ransomware targeting macOS. That in itself is odd, since Macs are now widely used in enterprise environments, particularly by C-Suite staff and by developers, both juicy targets for threat actors. Thus, the appearance of what looks like a Mac ransomware is both novel and, in a sense, not unexpected.\r\nHowever, as ransomware goes, “EvilQuest/ThiefQuest” fails pretty much on any measure of success. First and foremost, if you’re going to extort money by encrypting people’s files, you are going to want to make your encryption unbreakable. Crypto is hard, and about the one thing everyone who is smart enough to do it will tell you is this: don’t try to roll your own, because you will inevitably do it wrong. Successful ransomware operators are smart enough to follow that advice and will use established encryption algorithms, typically with at least some component being asymmetric; in other words, requiring access to a private key held only by the attacker.\r\nOur “EffectiveIdiot” developers chose to forego that option, and opted for symmetric key encryption, meaning the same key that encrypts a file is used to decrypt it. Even better, as our research lead at SentinelLabs Jason Reaves discovered:\r\n“…the clear text key used for encoding the file encryption key ends up being appended to the encoded file encryption key. Taking a look at a completely encrypted file shows that a block of data has been appended to it.”\r\nThis allowed Jason and the SentinelLabs team to create a public decryptor that can be used by anyone unfortunate enough to have been a victim of this malware. This video shows how to use it:\r\nAside from making the crypto reasonably bulletproof, a ransomware operator will want a good reward for their effort. Perhaps the first hint of something amiss with the “EvilQuest/ThiefQuest” malware was the ransom note itself.\r\nTwo things stand out: the incredibly low amount of ransom, and the fact that there is no email or other means of contact for the victim to communicate with the attacker. Again, using the model from the Windows world, ransomware operators have become very slick and efficient at pushing the right buttons to get people to pay. These include a mixture of threats and reassurance, and even levels of customer support. Not so here. The ransom note amounts to: “send us your money; we’ll be in touch”, only there’s no way for you to tell the threat actors that you paid; no request for your contact address; and no request for a sample encrypted file or any other identifying factor. The classic brush-off “Don’t call us, we’ll call you” springs to mind here.\r\nUnsurprisingly, the threat actors have not been amassing a fortune. To date, the one known BitCoin address common to all the samples has had exactly zero transactions.\r\nFinally, on the ransomware component, SentinelLabs also noted that the decryption routine, uncarve_target, has no callers in the code, suggesting either that the functionality is incomplete or that the authors decided that decryption wasn’t something they ever intended to offer (in which case, we could speculate that the presence of the decryption routine in the code is an artifact of earlier testing).\r\nWho Shares? A Data Thief in the Shared Folder\r\nAs details such as the above have emerged, attention has turned to the malware’s other capabilities, in particular the fact that it downloads and executes three Python scripts from the /Users/Shared folder. These scripts are intended to search for and exfiltrate files with particular extensions:\r\nThe scripts vary in name across samples, but initially the following short names were used:\r\n/Users/Shared/.dr\r\n/Users/Shared/.p\r\n/Users/Shared/.gp\r\nMoreover, there’s more to the malware’s data stealing capabilities locked inside the invisible Mach-O binaries deposited in the user’s Library folder.\r\nNote the following encrypted strings:\r\nWe can use a tool developed by fellow macOS researcher Scott Knight to decrypt these, which reveals the following in plain text:\r\nbytearray(b'*id_rsa*/ix00')\r\nbytearray(b'*.pem/ix00')\r\nbytearray(b'*.ppk/ix00')\r\nbytearray(b'known_hosts/ix00')\r\nbytearray(b'*.ca-bundle/ix00')\r\nIt would appear that the malware is seeking SSH keys and trusted certificates in order to facilitate the ability to log in remotely and manipulate web browsers to trust sites without throwing security warnings.\r\nAs other researchers have noted, there is also ample evidence of keylogging functionality through the existence of API calls targeting low-level hardware events like key presses. Note the first half of the function name, reversed, and with a possible typo for “file” as “klgr_flie”:\r\nIt’s also worth noting that unlike wiper malware and other aggressive ransomware variants on other platforms, the ransomware component doesn’t really interfere with the user’s ongoing use of the device. A simple osascript-generated alert dialog informs the user of the situation:\r\nPressing “OK” dismisses the dialog and allows the user to continue using the machine, which is indeed handy for the spyware components!\r\nNew Variant Calls Out macOS Researcher\r\nA good deal of the early technical details were published by macOS researcher Patrick Wardle, and rather than repeat all the details here we refer you to his excellent posts on the early “AppQuest” sample first spotted last week. Wardle suggests the malware has viral capabilities and there are also other suggestions that the malware attempts to infect existing executables in the user’s home folder, although that behaviour was not seen in our tests.\r\nSince the earlier research, new variants have appeared with updated hardcoded strings and paths. In particular, there is a nod to Wardle’s research in the method “react_ping”, which contains the encrypted string “Hello Patrick”.\r\nThe recent version also updates the hardcoded C2 address from the earlier 167.71.237.219 to 159.65.147.28 and includes Wardle’s “Knock Knock” reporting tool in its list of software to check for:\r\nOther new changes include using “abtpd” for the executable label. There are suggestions in the code that “.ab**d” may be a variant across different installs, but we have not confirmed that at the time of writing. Instead of using the folder name “AppQuest”, the persistence agent now points to an attacker-created folder named “PrivateSync”. Similarly, in the early samples, an invisible, plain text file containing a 43-byte string was dropped at /var/root/ and /Users/User1/ with the name “.ncspot”. In the latest sample we tested, the spot file dropped in the same locations but now with the name “.aespot”.\r\nBased on the rapid iteration so far, we would expect all these details to change within days, if not hours.\r\nProtecting Against EvilQuest/ThiefQuest macOS Malware\r\nThe SentinelOne platform effectively protects your enterprise against EvilQuest/ThiefQuest.\r\nFor those not protected by SentinelOne, if you have fallen victim to this malware we recommend a complete restore from a known-good backup. Also, due to the keylogging and other spyware functions, it would be advisable to change any passwords and reset SSH and certificate trust credentials.\r\nIf you have files encrypted by EvilQuest, our public decryptor tool is available from here.\r\nConclusion\r\nCall it “EffectiveIdiot”, “ThiefQuest” or “EvilQuest”, the appearance of this combination ransomware, data thief and spyware is a significant development. Not only did it catch a lot of security tools unaware, it may have also wrong-footed victims into continuing to use their infected machines and leak vital data while they sought a solution to the apparent problem of encrypted files. As ever, we urge macOS users to heed the warning that malware is no longer the sole preserve of Windows environments and to ensure they have adequate security.\r\nSample Hashes\r\n06974e23a3bf303f75c754156f36f57b960f0df79a38407dfdef9a1c55bf8bff Mach-O\r\nd18daea336889f5d7c8bd16a4d6358ddb315766fa21751db7d41f0839081aee2 Mach-O\r\nc5a77de3f55cacc3dc412e2325637ca7a2c36b1f4d75324be8833465fd1383d3 Mach-O\r\nIndicators of Compromise\r\n/var/root/.aespot\r\n~/.aespot\r\n~/Library/LaunchAgents/com.apple.abtpd.plist\r\n~/Library/PrivateSync/com.abtpd.questd\r\n/Library/LaunchDaemons/com.apple.abtpd.plist\r\n/Library/PrivateSync/com.abtpd.questd\r\nSource: https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/"
	],
	"report_names": [
		"evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one"
	],
	"threat_actors": [],
	"ts_created_at": 1775434640,
	"ts_updated_at": 1775791297,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc49ff6322aba04ffde1cfecd3765ad5f3bfe348.pdf",
		"text": "https://archive.orkl.eu/bc49ff6322aba04ffde1cfecd3765ad5f3bfe348.txt",
		"img": "https://archive.orkl.eu/bc49ff6322aba04ffde1cfecd3765ad5f3bfe348.jpg"
	}
}