Friday, May 16, 2025
HomeAppleNew Ransomware "EvilQuest" Attacking macOS Users to Encrypts Users Files

New Ransomware “EvilQuest” Attacking macOS Users to Encrypts Users Files

Published on

SIEM as a Service

Follow Us on Google News

A new Mac ransomware strain observed targeting macOS Users through pirated versions of popular mac software shared on popular torrent sites.

Users noted the malicious version of popular software that available for download on a Russian forum that dedicated to sharing piracy software links.

Mac ransomware

The Mac ransomware was first spotted by malware researcher Dinesh Devadoss, that piece of ransomware distributed as a Google software update program based on users commands the malware to be available since 22 June 2020.

- Advertisement - Google News

The ransomware has zero detections with virus total, all the AV engines marked the application as safe.

Other researchers Thomas Reed, Director of Mac & Mobile at Malwarebytes, and Phil Stokes, macOS security researcher at SentinelOne also investigated the EvilQuest ransomware strain.

Reed who analyzed the malicious version of Little Snitch installer stated that “is attractively and professionally packaged, with a well-made custom installer that is properly code signed.”

The installation process, icons look like the legitimate Little Snitch installer and uninstaller apps, it also runs a shell script once installation completed.

The malware installation process is not much sophisticated, so there below the success rate with the ransomware strain.

Once the malware infection process begins it starts spreading itself around the hard drive and it also set up persistence.

Reed observed, “that files are executed as a part of GoogleSoftwareUpdate which are most commonly found installed due to having Google Chrome installed on the machine.”

Unlike other malware it is not smart enough to encrypt files alone, it also encrypts several settings files and other data files, such as the keychain files.

After infection, if a user tries to log in, it shows the following error with the keychain.

Once the encryption process completed it shows the following ransom notice.

Following are the malware capabilities

  • ransoms your files
  • pops a reverse shell
  • steals your keystrokes
  • executes in-memory payloads

The malware also includes some anti-analysis techniques, if it executed inside the virtual machine, it won’t show it’s full capabilities.

The malware armed with several capabilities allows attackers to gain full control over an infected host.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read

Beware of New Mac Malware Spreading via Poisoned Google Search Results

Blue Mockingbird Hacker Group Attack Windows Machines at Multiple Organizations to Deploy cryptocurrency-mining Malware

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Cybercriminal Andrei Tarasov Escapes US Extradition, Returns to Russia

Andrei Vladimirovich Tarasov, a 33-year-old Russian cybercrime figure known online as "Aels," has returned...

FBI Alerts Public to Malicious Campaign Impersonating US Government Officials

Federal Bureau of Investigation has issued a warning about an ongoing malicious messaging campaign...

Frigidstealer Malware Targets macOS Users to Harvest Login Credentials

An macOS users, a new information-stealing malware dubbed FrigidStealer has emerged as a formidable...

APT Group 123 Targets Windows Systems in Ongoing Malicious Payload Campaign

Group123, a North Korean state-sponsored Advanced Persistent Threat (APT) group also known by aliases...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Apple Releases Security Patches to Fix Critical Data Exposure Flaws

Apple released critical security updates for macOS Sequoia 15.5 on May 12, 2025, addressing...

CISA Issues Alert on Actively Exploited Apple 0-Day Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority warning regarding two...

2 Apple Zero-Day Vulnerabilities Actively Exploited in “Extremely” Sophisticated iOS Attacks

Apple has urgently rolled out iOS 18.4.1 and iPadOS 18.4.1 to patch two zero-day...