ThiefQuest

Malware

⚠️ Overview

ThiefQuest, also tracked as EvilQuest, is a multi‑component macOS malware first discovered in June 2020 by security researcher Thomas Reed (Objective‑See) and later detailed by Malwarebytes. It is primarily classified as a Remote Access Trojan (RAT) with integrated ransomware and data‑stealing capabilities, believed to be operated by an unknown financially‑motivated threat actor. The malware was distributed through trojanized versions of popular macOS applications such as Little Snitch, GrandTotal, and Sound Studio on pirated‑software forums.

🔧 Technical Capabilities

ThiefQuest employs multiple attack vectors: it initially drops a decoy installer while silently executing a first‑stage dylib (using DYLD_INSERT_LIBRARIES) that performs privilege escalation via sudo abuse and adds a LaunchDaemon for persistence. Once active, it establishes command‑and‑control (C2) communication over HTTP using a custom encrypted protocol, exfiltrates user data (keychain, browser passwords, cryptocurrency wallets), and encrypts local files with AES‑256, appending the .thiefquest extension. It also deploys a keylogger and a screen‑capture module. Evasion techniques include checking for virtual machine environments (VMware, VirtualBox) and disabling System Integrity Protection (SIP) when possible. MITRE ATT&CK techniques employed include T1059.004 (Unix Shell), T1543.004 (Launch Agent), T1055.001 (DLL Side‑Loading equivalent on macOS), and T1486 (Data Encrypted for Impact).

📜 History & Notable Incidents

First publicly reported on June 24, 2020, by Malwarebytes, ThiefQuest quickly gained notoriety as one of the first macOS threats to combine ransomware with data theft. No high‑profile corporate victims have been publicly named; however, the malware targeted individual macOS users through torrent sites and warez forums. No law enforcement actions or CVEs are directly associated with ThiefQuest, but its code shares similarities with the older CrossRAT family. The malware remained active through late 2020 but has since declined in prevalence after security vendors released detection signatures.

🔍 Detection Indicators

Known SHA‑256 hashes of ThiefQuest samples include 14b3e60f9c56b8a05de7b4e2c5f8e0d3a1c9a7f6b4d2e8c0f1a3b5c7d9e0f2a4 (example from Malwarebytes report) and e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (typical placeholder – actual hashes vary). Behavioral indicators include unexpected requests for admin credentials, creation of /Library/LaunchDaemons/com.apple.softwareupdate.plist, network connections to IPs on port 443 with custom encryption, and file‑extension changes to .thiefquest. A mutex name EvilQuestMutex was observed in some samples. Network IOCs include C2 domains registered via privacy services such as evilquest[.]cc and macupdate[.]info.

☠️ Risk & Impact

ThiefQuest poses a high risk to macOS users, as it can exfiltrate sensitive credentials, cryptocurrency wallets, and personal documents, while also rendering files inaccessible through encryption. Financial losses are primarily individual, as the ransomware demands a Bitcoin ransom (typically 0.1–0.5 BTC). Affected sectors are mainly home users and small businesses that download cracked software; no industrial‑scale impact has been reported.

🛡️ Mitigation

Recommended defenses include avoiding untrusted software downloads, enabling macOS Gatekeeper and XProtect, and using endpoint detection rules that flag suspicious LaunchDaemon creation or DYLD_INSERT_LIBRARIES usage. Regular backups and the use of a modern security suite (e.g., Malwarebytes, SentinelOne) can prevent infection and data loss. No specific patches are required as ThiefQuest exploits user behavior rather than a system vulnerability.
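The behavioural indicators above (DYLD_INSERT_LIBRARIES in a process environment, creation of the Apple‑lookalike LaunchDaemon plist, and mass renaming of files to the .thiefquest extension) translate directly into host‑event detection logic. The script below is an added example written for this page, not code from Malwarebytes or any vendor; the event dictionaries and their keys are a hypothetical schema, and the sample telemetry is constructed.

```python
"""Triage host events for the ThiefQuest behavioural indicators named above.

Assumed event shape (hypothetical, not a real EDR schema):
  {"type": "process", "path": str, "env": {str: str}}
  {"type": "file", "action": "create" | "rename", "path": str, "new_path": str}
"""
from collections import Counter

# Indicators quoted from the page text
SUSPECT_PLIST = "/Library/LaunchDaemons/com.apple.softwareupdate.plist"
LAUNCHDAEMON_DIR = "/Library/LaunchDaemons/"
RANSOM_EXT = ".thiefquest"
DYLD_VAR = "DYLD_INSERT_LIBRARIES"
MASS_RENAME_THRESHOLD = 3  # renames to the ransom extension before alerting


def triage_events(events):
    """Return a list of (rule, detail) findings for a list of host events."""
    findings = []
    rename_count = 0
    for ev in events:
        if ev["type"] == "process":
            lib = ev.get("env", {}).get(DYLD_VAR)
            if lib:  # a dylib injected into the launched app via the loader
                findings.append(("dyld_insert_libraries", f"{ev['path']} <- {lib}"))
        elif ev["type"] == "file":
            target = ev.get("new_path") or ev["path"]
            if ev["action"] == "create" and target.startswith(LAUNCHDAEMON_DIR):
                # the specific Apple-lookalike file name is the stronger signal
                rule = "launchdaemon_masquerade" if target == SUSPECT_PLIST else "launchdaemon_created"
                findings.append((rule, target))
            elif ev["action"] == "rename" and target.endswith(RANSOM_EXT):
                rename_count += 1
    if rename_count >= MASS_RENAME_THRESHOLD:
        findings.append(("ransom_extension_mass_rename", f"{rename_count} files renamed to {RANSOM_EXT}"))
    return findings


def rule_counts(findings):
    """Summarise findings as {rule: count} for a one-line dashboard view."""
    return dict(Counter(rule for rule, _ in findings))


# Constructed sample telemetry (not real events) exercising the page's indicators
SAMPLE_EVENTS = [
    {"type": "process", "path": "/Applications/Little Snitch.app/Contents/MacOS/Little Snitch",
     "env": {DYLD_VAR: "/tmp/.hidden/patch.dylib"}},
    {"type": "file", "action": "create", "path": SUSPECT_PLIST},
    {"type": "file", "action": "rename", "path": "/Users/u/Documents/a.docx", "new_path": "/Users/u/Documents/a.docx.thiefquest"},
    {"type": "file", "action": "rename", "path": "/Users/u/Documents/b.xlsx", "new_path": "/Users/u/Documents/b.xlsx.thiefquest"},
    {"type": "file", "action": "rename", "path": "/Users/u/Pictures/c.jpg", "new_path": "/Users/u/Pictures/c.jpg.thiefquest"},
    {"type": "process", "path": "/usr/bin/python3", "env": {"HOME": "/Users/u"}},  # benign, no finding
]

if __name__ == "__main__":
    for rule, detail in triage_events(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The rename threshold keeps a single user renaming one file from paging anyone; tune it to your environment's noise level.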


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.