The fast evolution of macOS malware!

It was observed in late June this year that the malware EvilQuest (also known as ThiefQuest), has been evolving pretty fast. It has become more sinister than earlier even after the ransomware (not anymore) has removed its file encryption capabilities.

Variation of the EvilQuest/ThiefQuest

Just days after the detection of older variants, expert researchers have found some improved EvilQuest/ThiefQuest variants with stronger capabilities.

A new routine for computing and calling the new functions’ addresses has been implemented by the malware authors. These new and different variants have even obfuscated the function names to make malware tracing even more difficult when it was compared with earlier iterations of the malware.  

According to experts “The malware has included new anti-analysis functions (some empty and some functioning) for condition checks like getting the MAC address, CPU count, and physical memory of the machine”.

More security tools have also been included by many security solution providers such as

  • Avast Bitdefender
  • Bullguard
  • DrWeb
  • Kaspersky
  • KnockKnock
  • Little Snitch
  • McAfee
  • Norton and
  • Reiley

To the list of check and termination processes.

The history of Evolution

According to the outcome of the authors of the malware, it seems like they are continuously improving EvilQuest/ThiefQuest. According to the research, the malware’s evolution looks as follows:

  • ThiefQuest was initially a backdoor (June 4, 2020 sample) with the capability to modify the victim’s host file. Later it adopted File exfiltration capabilities (June 26, 2020 sample), Ransomware behavior, and File infector behavior (July 2, 2020 sample).
  • In the latest versions, the malware continued with the File infector capability and removed the Ransomware capability (July 3, 2020 sample).

In mid-July, ThiefQuest operators used pirated software installers (including Little Snitch, Ableton, and Mixed In Key), and later it used keylogging and backdoor code in its ransomware strain to hide its true


With high awareness of EvilQuest/ThiefQuest, it is certain that attackers have increased interest in targeting macOS. EvilQuest/ThiefQuest operators are making it an even more dangerous threat with such attacks.

Saif Ahmed Bhuiyan

Free Subscription

The most comprehensive Cybersecurity agenda for leading industry executives

Connect and share niched and unique knowledge

Meet our 15-year experience in addressing international cybersecurity challenges

Register for The Conference
25th of May 2023