

Danger · Ransomware · Discovered 2020

EvilQuest

Also known as: ThiefQuest, OSX.EvilQuest

What is EvilQuest?

EvilQuest (also called ThiefQuest) is macOS malware first reported in June 2020 that combines file encryption for ransom with a keylogger, theft of cryptocurrency wallet files and exfiltration of other documents. It was distributed inside pirated macOS software on torrent sites and was one of very few ransomware families written specifically for the Mac. Researchers who analysed it concluded that the ransom demand was largely cover for the data theft, and its encryption was later found to be reversible without paying.

How It Spreads

Trojanized pirated macOS applications on torrent sites

Fake installers for Little Snitch, Mixed In Key, and Ableton Live

Software cracks and keygens shared on file-sharing forums

Trojanized PKG installers whose postinstall script drops and launches the malware alongside the genuine application

Signs of Infection

Encrypted files alongside a READ_ME_NOW.txt ransom note demanding a small Bitcoin payment (about US$50 in the 2020 samples)

Recently installed pirated or cracked macOS software

System sluggishness and high CPU usage from encryption processes

Unknown processes logging keystrokes or reading cryptocurrency wallet files; EvilQuest ran under the Apple-sounding name com.apple.questd

How to Remove EvilQuest

1. Do not pay the ransom

EvilQuest's encryption is known to be reversible. Security researchers have released free decryption tools. Paying the ransom funds criminal operations and does not guarantee file recovery.

2. Boot into Safe Mode

On an Intel Mac, restart and hold Shift until the login window appears. On an Apple silicon Mac, shut down, hold the power button until the startup options appear, then hold Shift while selecting your startup disk. Safe Mode does not load non-Apple login items, LaunchAgents or LaunchDaemons, so the malware is not running while you remove its files.

3. Remove the malware

Delete the pirated application or installer that served as the infection vector. In the 2020 samples the malware persisted under a name that imitates an Apple component, com.apple.questd: a LaunchAgent at ~/Library/LaunchAgents/com.apple.questd.plist pointing at a binary in ~/Library/AppQuest, or, when the installer had obtained root, a LaunchDaemon at /Library/LaunchDaemons/com.apple.questd.plist with the binary in /Library/AppQuest. The Mixed In Key build also left its dropper at /Library/mixednkey/toolroomd. Unload the job before deleting anything (launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/com.apple.questd.plist, or sudo launchctl bootout system /Library/LaunchDaemons/com.apple.questd.plist), then remove the plist, the binary and the drop directories. Treat any other com.apple.* label in these directories with suspicion: Apple ships almost all of its own launch jobs under /System/Library, not under ~/Library or /Library.

4. Decrypt your files

Use the free decryption tool released by SentinelOne to recover encrypted files. It works because EvilQuest's custom cipher left the key material needed to recover each file inside the encrypted file itself, so neither payment nor contact with the attacker is required. Work on copies of the encrypted files and confirm that a few decrypted documents open correctly before deleting the originals.

5. Scan and verify with CoreLock

Run a full CoreLock scan to confirm all components are gone, including the keylogger and data-stealing modules, which run independently of the ransomware component. Researchers also found that EvilQuest copies itself into other executables it finds on the system, so removing only the paths listed above can leave infected programs behind. Afterwards, change any passwords typed on the machine while it was infected and assume that any cryptocurrency wallet files stored on it were taken.
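The removal steps above can be turned into a repeatable triage check. The script below is an added example for this page, not CoreLock's code or a published tool: it walks the launchd directories, parses each plist, and reports the indicators published for EvilQuest in 2020 (the com.apple.questd label, the AppQuest and mixednkey directories, the READ_ME_NOW.txt note) plus a general rule that flags any Apple-style label living in a user or /Library launch directory. The demo() function builds a constructed home directory with a plist shaped like the reported one and a benign control plist; the file contents are constructed here, not copied from a real sample.

```python
"""Hunt for EvilQuest/ThiefQuest persistence and drop locations.

Added example, not CoreLock's code. Indicators are those reported in the 2020
analyses; the com.apple.* rule is a general triage heuristic (Apple ships
almost all of its own launch jobs under /System/Library).
"""
import os
import plistlib
import shutil
import tempfile

KNOWN_LABEL = "com.apple.questd"
KNOWN_DIRS = ("Library/AppQuest", "Library/mixednkey")
RANSOM_NOTE = "READ_ME_NOW.txt"


def _program_of(job):
    """Executable a launchd job runs; EvilQuest wrapped its binary in sudo."""
    if job.get("Program"):
        return str(job["Program"])
    return next((a for a in job.get("ProgramArguments", []) if a != "sudo"), "")


def check_launch_item(path, prefixes):
    """Reasons a launchd plist looks like EvilQuest persistence ([] if clean)."""
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception as exc:  # a plist launchd cannot parse is itself worth a look
        return [f"unparseable plist: {exc}"]
    label = str(job.get("Label", ""))
    program = _program_of(job)
    reasons = []
    if label == KNOWN_LABEL:
        reasons.append("label is EvilQuest's com.apple.questd")
    elif label.startswith("com.apple."):
        reasons.append("Apple-style label outside Apple's launch directories")
    for prefix in prefixes:
        for d in KNOWN_DIRS:
            if program.startswith(os.path.join(prefix, d) + os.sep):
                reasons.append(f"program lives in known drop directory {d}")
    return reasons


def hunt(home, root="/"):
    """Return {path: [reasons]} for a home directory and a system root."""
    findings = {}
    launch_dirs = (os.path.join(home, "Library", "LaunchAgents"),
                   os.path.join(root, "Library", "LaunchAgents"),
                   os.path.join(root, "Library", "LaunchDaemons"))
    for d in launch_dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                path = os.path.join(d, name)
                reasons = check_launch_item(path, (home, root))
                if reasons:
                    findings[path] = reasons
    for prefix in (home, root):
        for d in KNOWN_DIRS:
            full = os.path.join(prefix, d)
            if os.path.isdir(full):
                findings[full] = ["known EvilQuest drop directory present"]
    for dirpath, _, names in os.walk(home):
        if RANSOM_NOTE in names:
            findings[os.path.join(dirpath, RANSOM_NOTE)] = ["ransom note present"]
    return findings


def demo():
    """Hunt a constructed home directory; returns findings keyed by relative path."""
    tmp = tempfile.mkdtemp()
    try:
        home = os.path.join(tmp, "home")
        agents = os.path.join(home, "Library", "LaunchAgents")
        os.makedirs(agents)
        os.makedirs(os.path.join(home, "Library", "AppQuest"))
        os.makedirs(os.path.join(home, "Documents"))
        # Constructed plist shaped like the reported one (sudo <binary> --silent).
        evil = {"Label": KNOWN_LABEL, "RunAtLoad": True, "KeepAlive": True,
                "ProgramArguments": ["sudo", os.path.join(home, "Library", "AppQuest",
                                                          "com.apple.questd"), "--silent"]}
        # Benign control: ordinary third-party label, binary outside the drop dirs.
        benign = {"Label": "com.example.updater", "RunAtLoad": True,
                  "ProgramArguments": ["/usr/local/bin/updater"]}
        for name, job in ((KNOWN_LABEL + ".plist", evil), ("com.example.updater.plist", benign)):
            with open(os.path.join(agents, name), "wb") as fh:
                plistlib.dump(job, fh)
        with open(os.path.join(home, "Documents", RANSOM_NOTE), "w") as fh:
            fh.write("constructed stand-in for the ransom note\n")
        # A non-existent root keeps the demo away from the real /Library.
        findings = hunt(home, root=os.path.join(tmp, "root"))
        return {os.path.relpath(k, tmp): v for k, v in findings.items()}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

On a real machine call hunt(os.path.expanduser("~")) and review every hit by hand; the com.apple.* rule will occasionally surface a legitimate installer job, which is why it reports a reason rather than deleting anything.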

Prevention Tips

Never download pirated software; trojanized cracks and installers are a major distribution channel for Mac malware

Maintain regular Time Machine backups on a disk that is not left permanently connected, or on a destination the Mac cannot overwrite; ransomware encrypts whatever volumes it can reach, including attached backup drives

Verify the code signature and notarization of any installer before opening it: codesign --verify --deep --strict and spctl --assess --type execute for an app bundle, pkgutil --check-signature for a .pkg. Pirated builds are typically unsigned or ad-hoc signed, and the trojanized EvilQuest installers were not signed with a valid Developer ID, so they only ran if the user overrode Gatekeeper

Use CoreLock's process monitoring to detect encryption behavior patterns in real time

How CoreLock Detects EvilQuest

Real-time Detection

CoreLock detects EvilQuest through behavioral analysis of mass file encryption patterns, YARA rules matching its unique ransomware payload structure, process monitoring identifying keylogger and crypto-stealer modules, and entropy analysis flagging rapidly encrypted file sequences.
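Two of the signals named above, byte entropy and a burst of rapidly rewritten files, are simple enough to show in code. The script below is an added example for this page, not CoreLock's detection logic: it estimates Shannon entropy over the first 64 KiB of each file, keeps files at or above 7.9 bits per byte, and then groups those hits by modification time so that many high-entropy files written within one minute stand out from a lone archive. The thresholds, the skipped compressed formats and the demo() inputs are assumptions constructed for illustration.

```python
"""Flag files that look freshly encrypted: near-8-bit byte entropy plus a burst
of such files modified within a short window.

Added example, not CoreLock's code. Thresholds are illustrative assumptions.
Already-compressed formats are skipped because they are high entropy by design.
"""
import hashlib
import math
import os
import shutil
import tempfile
import time
from collections import Counter

ENTROPY_THRESHOLD = 7.9   # bits per byte; ciphertext and random data sit near 8.0
SAMPLE_BYTES = 65536      # read at most this much per file; enough for a stable estimate
BURST_WINDOW_S = 60       # a ransomware run rewrites many files within seconds
BURST_MIN_FILES = 5
SKIP_SUFFIXES = (".zip", ".gz", ".dmg", ".jpg", ".jpeg", ".png", ".mp4", ".mp3")


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty or constant input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_files(root):
    """[(path, mtime, entropy)] for files at or above ENTROPY_THRESHOLD under root."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(SKIP_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                with open(path, "rb") as fh:
                    sample = fh.read(SAMPLE_BYTES)
            except OSError:
                continue
            if len(sample) < 4096:   # too little data for the estimate to mean anything
                continue
            ent = shannon_entropy(sample)
            if ent >= ENTROPY_THRESHOLD:
                hits.append((path, st.st_mtime, ent))
    return hits


def encryption_bursts(hits):
    """Groups of BURST_MIN_FILES or more hits whose mtimes fall within BURST_WINDOW_S
    of the group's earliest file (hits are sorted by mtime first)."""
    groups, current = [], []
    for hit in sorted(hits, key=lambda h: h[1]):
        if current and hit[1] - current[0][1] > BURST_WINDOW_S:
            groups.append(current)
            current = []
        current.append(hit)
    if current:
        groups.append(current)
    return [g for g in groups if len(g) >= BURST_MIN_FILES]


def _pseudo_random_bytes(seed, n):
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out, block = bytearray(), hashlib.sha256(seed).digest()
    while len(out) < n:
        out += block
        block = hashlib.sha256(block).digest()
    return bytes(out[:n])


def demo():
    """Constructed tree: eight 'encrypted' files written in one burst, three plaintext
    notes, and one old high-entropy file that must not join the burst.
    Returns (number of high-entropy hits, list of burst sizes)."""
    tmp = tempfile.mkdtemp()
    try:
        now = time.time()
        for i in range(8):
            path = os.path.join(tmp, f"document{i}.txt")   # constructed ciphertext stand-in
            with open(path, "wb") as fh:
                fh.write(_pseudo_random_bytes(f"enc{i}".encode(), SAMPLE_BYTES))
            os.utime(path, (now, now - i))                 # all within a few seconds
        for i in range(3):
            with open(os.path.join(tmp, f"notes{i}.txt"), "w") as fh:
                fh.write("Quarterly notes, nothing encrypted here.\n" * 400)
        old = os.path.join(tmp, "archive.bin")
        with open(old, "wb") as fh:
            fh.write(_pseudo_random_bytes(b"old", SAMPLE_BYTES))
        os.utime(old, (now, now - 86400))                  # modified a day earlier
        hits = high_entropy_files(tmp)
        return len(hits), [len(g) for g in encryption_bursts(hits)]
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    total, bursts = demo()
    print(f"{total} high-entropy files; burst sizes: {bursts}")
```

Entropy alone is noisy: encrypted disks, compressed archives and media files all score near 8.0, which is why the example only raises an alert on a cluster of such files modified together, and why a real detector would add the process lineage (which process wrote them) and the ransom note as corroborating signals.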

Frequently Asked Questions

Can I decrypt files encrypted by EvilQuest?

Yes. Security researchers at SentinelOne discovered weaknesses in EvilQuest's encryption and released a free decryption tool. Do not pay the ransom — the encryption is reversible without payment.

Is EvilQuest still active?

EvilQuest is no longer actively distributed, but trojanized pirated software containing it may still circulate on older torrent sites. Its techniques influenced later macOS threats that combine ransomware with information stealing.

Does EvilQuest only encrypt files?

No. EvilQuest is a triple-threat: it encrypts files for ransom, installs a keylogger to capture passwords, and steals cryptocurrency wallet files. Even if you decrypt your files, the keylogger component may have already captured sensitive data.

Protect Your Mac from EvilQuest

Download CoreLock to detect and remove EvilQuest and other macOS threats. AI-powered analysis, real-time monitoring, and one-click remediation.

Download CoreLock Free

Available for macOS and Windows