Threat Research Knowledge Base

EvilQuest

Description

EvilQuest, also known as ThiefQuest, is a ransomware variant that targets macOS systems. EvilQuest also includes some information stealing and data exfiltration features. It is actively being enhanced with new features to avoid detection.

Variant Names

N/A

Alternative Names

  • ThiefQuest
  • FileCoder
  • MacRansom
  • ThifQseut

Country of origin

Unknown

Symptoms

You might observe the following artifacts associated with this threat:

  • Files rendered inaccessible with altered extensions.
  • Presence of a ransom note demanding payment for file decryption.
  • Unexpected system behavior, such as frequent crashes or degraded performance.
  • Unauthorized network activity indicating potential data exfiltration.

Technical Breakdown

Upon execution, the malware performs the following actions:

  • Persistence Mechanism: Installs itself as a launch item, ensuring execution upon subsequent user logins.
  • File Encryption: Encrypts system files and displays a ransom note demanding payment for decryption.
  • Data Exfiltration: Scans the system for sensitive information, including certificates, keys, and cryptocurrency wallets, and transmits them to the attacker's server.
  • Remote Control Capabilities: Allows attackers to execute arbitrary scripts, log keystrokes, and exfiltrate additional data.

Notably, EvilQuest's ransomware functionality may serve as a decoy, with its primary objective being data theft and establishing persistent remote access.
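The persistence bullet above describes a launch item that runs at every login. As an added example (not Kandji's code and not taken from any EvilQuest sample), the script below parses macOS LaunchAgent/LaunchDaemon plists and scores them for generic persistence red flags: an executable in a hidden directory or a temp/shared staging location, a path outside the usual install prefixes, and an Apple-style label pointing at a non-Apple binary. The scoring weights, the threshold, the `com.apple.placeholderd` label and every sample plist are constructed for the demo; it generalizes the page's single bullet into a check you can run over a whole launch-item folder.

```python
# Added example (not Kandji's or EvilQuest's code): audit macOS launch items for
# the persistence pattern the page describes (a LaunchAgent/LaunchDaemon that runs
# at login). Scoring rules, threshold and the sample plists are constructed here.
import plistlib
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional

# Locations where launchd programs are normally expected; anything else gets a point.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
# World-writable or staging locations that legitimate launch items rarely point at.
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
SUSPICIOUS_THRESHOLD = 2  # assumed cut-off for this demo


@dataclass
class LaunchItemFinding:
    label: str
    program: Optional[str]
    run_at_load: bool
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def program_path(plist: dict) -> Optional[str]:
    """launchd accepts either Program or ProgramArguments[0] as the executable."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def audit_launch_item(data: bytes) -> LaunchItemFinding:
    """Score one plist (XML or binary) for persistence red flags."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    prog = program_path(plist)
    finding = LaunchItemFinding(label, prog, bool(plist.get("RunAtLoad", False)))
    if prog is None:
        finding.score += 1
        finding.reasons.append("no Program/ProgramArguments")
        return finding
    if any(part.startswith(".") for part in prog.split("/") if part):
        finding.score += 2
        finding.reasons.append("executable lives in a hidden (dot) directory")
    if prog.startswith(STAGING_PREFIXES):
        finding.score += 2
        finding.reasons.append("executable in a temp/shared staging location")
    elif not prog.startswith(TRUSTED_PREFIXES):
        finding.score += 1
        finding.reasons.append("executable outside trusted install prefixes")
    # Generic heuristic: an Apple-style label pointing at a non-Apple binary is a
    # common masquerading trick; this is not a claim about any specific sample.
    if label.startswith("com.apple.") and not prog.startswith(("/System/", "/usr/")):
        finding.score += 2
        finding.reasons.append("Apple-style label but non-Apple executable path")
    if finding.run_at_load and finding.reasons:
        finding.reasons.append("RunAtLoad=true, so it executes at every login/boot")
    return finding


def audit_many(items: Dict[str, bytes]) -> Dict[str, LaunchItemFinding]:
    return {name: audit_launch_item(data) for name, data in items.items()}


def scan_launch_dirs(home: Path = Path.home()) -> Dict[str, LaunchItemFinding]:
    """Audit the standard launch item folders on a live Mac (read-only)."""
    dirs = [Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons"), home / "Library/LaunchAgents"]
    found: Dict[str, LaunchItemFinding] = {}
    for d in dirs:
        for p in (d.glob("*.plist") if d.is_dir() else []):
            try:
                found[str(p)] = audit_launch_item(p.read_bytes())
            except Exception as exc:  # an unreadable/malformed plist is itself worth noting
                found[str(p)] = LaunchItemFinding(p.name, None, False, 1, [f"unparseable: {exc}"])
    return found


def sample_items() -> Dict[str, bytes]:
    """Constructed plists: two ordinary third-party agents and two that mimic the page's pattern."""
    return {
        "benign_app.plist": plistlib.dumps({"Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"], "RunAtLoad": True}),
        "benign_user.plist": plistlib.dumps({"Label": "com.example.helper",
            "ProgramArguments": ["/Users/alice/Library/Application Support/Example/helper"], "RunAtLoad": True}),
        "hidden_dir.plist": plistlib.dumps({"Label": "com.apple.placeholderd",  # constructed label
            "ProgramArguments": ["/Users/alice/Library/.hidden/placeholderd", "--silent"], "RunAtLoad": True}),
        "tmp_staged.plist": plistlib.dumps({"Label": "", "Program": "/tmp/installer", "RunAtLoad": True}),
    }


if __name__ == "__main__":
    for name, f in audit_many(sample_items()).items():
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {name:20} score={f.score} label={f.label!r} program={f.program}")
        for r in f.reasons:
            print("           -", r)
```

Run as-is to see the four constructed samples scored; on a Mac, `scan_launch_dirs()` applies the same rules to the real launch-item folders without modifying anything. A legitimate third-party agent that lives under `~/Library/Application Support` scores 1 and stays below the threshold, so the output is a triage list for a human, not an automatic verdict.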

Next Steps

Kandji Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect.

Although the malicious file itself is removed, artifacts it created can remain on the system and need to be cleaned up manually.

In the future, avoid downloading and installing software from torrent sources or untrusted websites. Ensure that all applications are obtained from official and reputable sources to maintain system integrity and security.

Learn more about it

Apple’s Macs Have Long Escaped Ransomware. That May Be Changing

Related

AppleJeus is a sophisticated macOS trojan attributed to North Korea's state-sponsored APT Lazarus Group. This malware has been used for years to infiltrate cryptocurrency exchanges and financial service companies by masquerading as legitimate applications. AppleJeus enables unauthorized access, facilitates data exfiltration, and can lead to significant financial losses.

Cuckoo is an info stealer that typically masquerades as macOS applications such as Homebrew and Google Chrome. Discovered by Kandji in 2024, it has been known to steal passwords, as well as recording audio and video from an infected system.

PasivRobber is a sophisticated macOS surveillance suite discovered in March 2025. It targets applications popular among Chinese users, such as WeChat and QQ, and can exfiltrate sensitive data from various sources, including web browsers, email clients, and system files. The malware employs deceptive naming schemes and a modular architecture, indicating a deep understanding of macOS internals.