
S0595: ThiefQuest

ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. ThiefQuest was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.[1] Even though ThiefQuest presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.[2][3]

Domain: Enterprise | ID: S0595 | Type: Malware | Object version: 1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

ThiefQuest matters because it combines several high-consequence macOS concerns in one software entry: data theft, keylogging, persistence, stealth, command-and-control, tool transfer, and apparent ransomware behavior that may function more like destructive wiping because the encryption key is not sent to the attacker. For leaders, the practical issue is not only “Mac malware exists,” but whether macOS endpoints are included in resilience planning, credential-protection assumptions, backup recovery tests, and SOC visibility.

Executive priority

Prioritize this as a macOS endpoint resilience and data-protection scenario. The supplied ATT&CK relationships connect ThiefQuest to credential collection, exfiltration over C2, persistence through Launch Agents/Daemons, stealth, discovery of processes and security software, and data encryption for impact. Executives should ask whether macOS systems are covered by endpoint logging, network monitoring, backup restore testing, software provenance controls, and incident response playbooks with the same rigor as Windows systems. Because the official description notes distribution through trojanized pirated macOS software, software acquisition and user behavior controls are also relevant to risk reduction.

Technical view

For SOC, detection engineering, and IR teams, validate macOS coverage across the related behaviors rather than relying on a single malware signature. ATT&CK provides no official detection text for this object, so coverage should be mapped to the relationships: suspicious Launch Agent or Launch Daemon creation/modification; AppleScript or osascript-style execution; process and security software discovery; hidden files/directories; legitimate-looking names or locations; web-protocol C2; ingress tool transfer; exfiltration over C2; keylogging indicators; native API abuse; reflective code loading; debugger or time-based evasion; host software binary compromise; and file encryption/destructive-impact patterns. Treat ransom-note style activity cautiously: the official description states ThiefQuest may be better understood as wiper malware because the dynamically generated encryption key is not sent to the attacker.

Likely telemetry

  • macOS endpoint process execution telemetry, including parent/child relationships and command-line arguments where available
  • File creation, modification, and permission-change events for Launch Agents, Launch Daemons, hidden files, and application binaries
  • Endpoint security alerts or behavioral events related to keylogging, suspicious AppleScript execution, native API use, memory-only or reflective loading behavior, and debugger/time evasion
  • Network telemetry for outbound HTTP/S or other web-protocol communications from macOS endpoints
  • Evidence of outbound data transfer over suspected C2 channels

Detection direction

  • Build behavior-based detections around the ATT&CK relationships rather than depending on the ThiefQuest name alone, especially because the object has no official detection guidance.
  • Tune macOS persistence detections for new or modified plist files in Launch Agent and Launch Daemon locations, while accounting for legitimate software updates and administrator activity.
  • Correlate suspicious software installation or execution with follow-on discovery, hidden-file creation, C2 over web protocols, tool transfer, and exfiltration indicators.
  • Validate that macOS telemetry includes AppleScript execution and process discovery visibility; these are common blind spots in environments that focus endpoint monitoring on Windows.
  • Review alerts involving apparent ransomware encryption alongside data theft and wiper assumptions; the supplied description warns that the encryption behavior may not support recovery by paying a ransom.
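
One way to operationalize the persistence bullets above, as an added example that is not part of the Glexia page or of any published ThiefQuest analysis: a small Python triage routine that parses a launchd property list, classifies it by its on-disk location, and flags the pattern the technique entries on this page describe (RunAtLoad set, program path pointing at a hidden nine-character dotfile directly under ~/Library). The regex, the verdict thresholds, and every label, username and file name in the samples are this example's own assumptions.

```python
import plistlib
import re
from typing import Dict, List

# Program-path pattern from the Hidden Files / Launch Agent entries: the persistent
# binary is a hidden file directly under the user's ~/Library whose name is "." plus
# nine random characters. The regex is this example's interpretation of that text.
HIDDEN_LIBRARY_BINARY = re.compile(r"^(?:/Users/[^/]+|~)/Library/\.[A-Za-z0-9]{9}$")


def launch_item_kind(plist_path: str) -> str:
    """Classify the launchd item by where its plist lives (standard macOS locations)."""
    if plist_path.startswith("/Library/LaunchDaemons/"):
        return "launch daemon"
    if plist_path.startswith("/Library/LaunchAgents/"):
        return "system-wide launch agent"
    if re.match(r"^/Users/[^/]+/Library/LaunchAgents/", plist_path):
        return "user launch agent"
    return "non-standard location"


def triage_launch_item(plist_bytes: bytes, plist_path: str) -> Dict[str, object]:
    """Parse one launchd plist and return findings plus a coarse verdict.

    "investigate": program matches the hidden ~/Library pattern (strong signal).
    "review": only common keys such as RunAtLoad/KeepAlive are set; legitimate
    software does this too, so baseline and tune rather than alert blindly.
    "no findings": nothing of interest in the plist itself.
    """
    item = plistlib.loads(plist_bytes)
    args = item.get("ProgramArguments") or []
    program = item.get("Program") or (args[0] if args else "")
    findings: List[str] = []
    strong = False

    if item.get("RunAtLoad") is True:
        findings.append("RunAtLoad is true")
    if item.get("KeepAlive"):  # may be a bool or a dict of conditions
        findings.append("KeepAlive is set")
    if HIDDEN_LIBRARY_BINARY.match(program):
        findings.append("program is a hidden 9-character dotfile directly under ~/Library")
        strong = True
    elif program.rsplit("/", 1)[-1].startswith("."):
        findings.append("program is a hidden (dot-prefixed) file")
        strong = True

    kind = launch_item_kind(plist_path)
    if kind == "launch daemon" and strong:
        findings.append("hidden program persists as a root launch daemon")

    verdict = "investigate" if strong else ("review" if findings else "no findings")
    return {"kind": kind, "label": item.get("Label"), "program": program,
            "findings": findings, "verdict": verdict}


def build_plist(label: str, program_args: List[str], run_at_load: bool,
                keep_alive: bool = False) -> bytes:
    """Serialize a constructed launchd plist (XML) for the samples below."""
    item = {"Label": label, "ProgramArguments": program_args, "RunAtLoad": run_at_load}
    if keep_alive:
        item["KeepAlive"] = True
    return plistlib.dumps(item)


# Constructed samples: labels, usernames and file names are invented for this example.
SUSPICIOUS_PATH = "/Users/alice/Library/LaunchAgents/com.example.helper.plist"
SUSPICIOUS_PLIST = build_plist("com.example.helper",
                               ["/Users/alice/Library/.k3Qx9ZpLm"], True, True)

BENIGN_PATH = "/Library/LaunchAgents/com.example.updater.plist"
BENIGN_PLIST = build_plist("com.example.updater",
                           ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
                           True)


if __name__ == "__main__":
    for path, data in ((SUSPICIOUS_PATH, SUSPICIOUS_PLIST), (BENIGN_PATH, BENIGN_PLIST)):
        result = triage_launch_item(data, path)
        print(f"{path}\n  {result['verdict']}: {result['findings']}")
```

Run it over plists collected from /Library/LaunchDaemons, /Library/LaunchAgents and each user's ~/Library/LaunchAgents. "review" results are expected for legitimate software and belong in a baseline; "investigate" results combine persistence with a program location that ordinary installers do not use.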

Mitigation priorities

  • Reduce exposure to trojanized software by enforcing trusted software sources, user education, and application control processes where appropriate.
  • Ensure macOS endpoints are included in EDR, logging, network monitoring, and incident response coverage, not treated as low-priority exceptions.
  • Harden and monitor macOS persistence locations, especially Launch Agents and Launch Daemons, with change-control expectations for legitimate software.
  • Maintain tested, offline or otherwise resilient backups for macOS-hosted business data because the object is associated with data encryption for impact and may behave as a wiper.
  • Strengthen credential protections and post-incident credential rotation workflows because the related techniques include keylogging and exfiltration over C2.

Analyst notes and limits

The most decision-relevant aspect is the combination of macOS platform focus, data theft, credential collection, persistence, stealth, C2, and destructive-impact behavior. The ATT&CK object’s own tactics are not specified, but the relationship context spans execution, persistence, privilege escalation, defense impairment, credential access, discovery, collection, command and control, exfiltration, impact, and stealth. The external references identify names including EvilQuest, MacRansom.K, and ThiefQuest, and the official description states it was first seen in 2020 distributed via trojanized pirated macOS software on Russian forums sharing torrent links.

ATT&CK provides no official detection text for ThiefQuest in the supplied object. This take uses only the official description, external references, and listed technique relationships. Local conclusions require environment-specific evidence such as macOS fleet composition, endpoint telemetry depth, software installation controls, backup coverage, and observed network behavior. The object is macOS-scoped, while some related techniques list broader or non-macOS platforms; platform-specific implementation should be validated locally.

Official MITRE ATT&CK definition

ThiefQuest

ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. ThiefQuest was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.[1] Even though ThiefQuest presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.[2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Columns: Domain, ID, Name, Relationship / procedure (18 rows)
Enterprise T1486 Data Encrypted for Impact

ThiefQuest encrypts a set of file extensions on a host, deletes the original files, and provides a ransom note with no contact information. (Citation: wardle evilquest partii)

Enterprise T1071.001 Web Protocols Sub-technique

ThiefQuest uploads files via unencrypted HTTP. (Citation: wardle evilquest partii) (Citation: reed thiefquest ransomware analysis)

Enterprise T1564.001 Hidden Files and Directories Sub-technique

ThiefQuest hides a copy of itself in the user's ~/Library directory by using a "." at the beginning of the file name followed by 9 random characters. (Citation: wardle evilquest parti)

Enterprise T1056.001 Keylogging Sub-technique

ThiefQuest uses the CGEventTap functions to perform keylogging. (Citation: Trendmicro Evolving ThiefQuest 2020)

Enterprise T1685 Disable or Modify Tools

ThiefQuest uses the function kill_unwanted to obtain a list of running processes and kills each process matching a list of security-related processes. (Citation: wardle evilquest parti)

Enterprise T1554 Compromise Host Software Binary

ThiefQuest searches through the /Users/ folder looking for executable files. For each executable, ThiefQuest prepends a copy of itself to the beginning of the file. When the file is executed, the ThiefQuest code is executed first. ThiefQuest creates a hidden file, copies the original target executable to the file, then executes the new hidden file to maintain the appearance of normal behavior. (Citation: wardle evilquest partii) (Citation: reed thiefquest ransomware analysis)

Enterprise T1543.004 Launch Daemon Sub-technique

When running with root privileges after a Launch Agent is installed, ThiefQuest installs a plist file to the /Library/LaunchDaemons/ folder with the RunAtLoad key set to true, establishing persistence as a Launch Daemon. (Citation: wardle evilquest parti)

Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

ThiefQuest prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable. (Citation: wardle evilquest partii) (Citation: reed thiefquest ransomware analysis)

Enterprise T1041 Exfiltration Over C2 Channel

ThiefQuest exfiltrates targeted file extensions in the /Users/ folder to the command and control server via unencrypted HTTP. Network packets contain a string with two pieces of information: a file path and the contents of the file in a base64 encoded string. (Citation: wardle evilquest partii) (Citation: reed thiefquest ransomware analysis)

Enterprise T1059.002 AppleScript Sub-technique

ThiefQuest uses AppleScript's osascript -e command to launch ThiefQuest's persistence via Launch Agent and Launch Daemon. (Citation: wardle evilquest parti)

Enterprise T1543.001 Launch Agent Sub-technique

ThiefQuest installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the ~/Library/LaunchAgents/ folder and configured with the path to the persistent binary located in the ~/Library/ folder. (Citation: wardle evilquest parti)

Enterprise T1057 Process Discovery

ThiefQuest obtains a list of running processes using the function kill_unwanted. (Citation: wardle evilquest parti)

Enterprise T1620 Reflective Code Loading

ThiefQuest uses various API functions such as NSCreateObjectFileImageFromMemory to load and link in-memory payloads. (Citation: wardle evilquest partii)

Enterprise T1518.001 Security Software Discovery Sub-technique

ThiefQuest uses the kill_unwanted function to get a list of running processes, compares each process with an encrypted list of “unwanted” security-related programs, and kills the processes for security-related programs. (Citation: wardle evilquest parti)

Enterprise T1106 Native API

ThiefQuest uses various APIs to perform behaviors such as executing payloads and performing local enumeration. (Citation: wardle evilquest partii)

Enterprise T1497.003 Time Based Checks Sub-technique

ThiefQuest invokes a time call to check the system's time, executes a sleep command, invokes a second time call, and then compares the difference between the two time calls against the amount of time the system slept to identify a sandbox. (Citation: wardle evilquest parti)

Enterprise T1622 Debugger Evasion

ThiefQuest uses a function named is_debugging to perform anti-debugging logic. The function invokes sysctl and checks the returned value for P_TRACED. ThiefQuest also calls ptrace with the PTRACE_DENY_ATTACH flag to prevent debugging. (Citation: wardle evilquest partii)

Enterprise T1105 Ingress Tool Transfer

ThiefQuest can download and execute payloads in-memory or from disk. (Citation: wardle evilquest partii)
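
As an added example, not code from this page or from any ThiefQuest report, of the Exfiltration Over C2 Channel and Web Protocols entries above: a Python heuristic that scans plaintext HTTP request bodies exported by a proxy or network sensor for the shape the T1041 entry describes, an absolute /Users/ path paired with a base64-encoded file body, and decodes the blob so an analyst can see which file left and how large it was. The "|" separator and record layout in the constructed samples, the minimum blob length, and every path and file content are assumptions; only the path-plus-base64 pairing comes from the page.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Shape from the T1041 entry: a /Users/ path next to a base64 blob in a plaintext HTTP
# body. The path regex stops at whitespace and common delimiters; the blob regex requires
# at least 32 base64 characters so short tokens in ordinary form posts are ignored.
USER_PATH = re.compile(r"/Users/[^\s\"'<>|;:]+")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def decode_blob(token: str) -> Optional[bytes]:
    """Strictly decode a candidate base64 token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_exfil_records(body: str) -> List[Dict[str, object]]:
    """Return every (path, decodable base64 blob) pair found in one request body."""
    records: List[Dict[str, object]] = []
    for match in USER_PATH.finditer(body):
        path = match.group(0)
        # The blob that follows the path is taken as that file's contents.
        blob = BASE64_BLOB.search(body, match.end())
        if blob is None:
            continue
        data = decode_blob(blob.group(0))
        if data is None:
            continue
        name = path.rsplit("/", 1)[-1]
        records.append({
            "path": path,
            "extension": name.rsplit(".", 1)[-1].lower() if "." in name else "",
            "decoded_bytes": len(data),
            "preview": data[:16],  # first bytes help confirm the file type
        })
    return records


def triage_http_bodies(bodies: List[str]) -> List[Dict[str, object]]:
    """Run the heuristic over a batch of plaintext HTTP request bodies."""
    alerts: List[Dict[str, object]] = []
    for index, body in enumerate(bodies):
        records = find_exfil_records(body)
        if records:
            alerts.append({"body_index": index, "records": records})
    return alerts


# Constructed samples (not captures of real traffic); payloads are plain strings so the
# decoded preview is readable when the script is run.
SAMPLE_PAYLOAD = b"constructed spreadsheet bytes"
SAMPLE_DOCX = b"constructed docx bytes, first record"
SAMPLE_NOTE = b"# constructed markdown note body"
SAMPLE_BODIES = [
    "user=alice&theme=dark",                          # ordinary form post, no hit
    "/Users/bob/Desktop/notes.txt",                   # path alone, no file body
    "/Users/alice/Documents/q3-forecast.xlsx|" + base64.b64encode(SAMPLE_PAYLOAD).decode(),
    "/Users/alice/Documents/plan.docx|" + base64.b64encode(SAMPLE_DOCX).decode()
    + "\n/Users/alice/Documents/notes.md|" + base64.b64encode(SAMPLE_NOTE).decode(),
]


if __name__ == "__main__":
    for alert in triage_http_bodies(SAMPLE_BODIES):
        for rec in alert["records"]:
            print(f"body {alert['body_index']}: {rec['path']} "
                  f"({rec['decoded_bytes']} bytes, preview {rec['preview']!r})")
```

Because the upload is unencrypted, the same logic can run on bodies reconstructed from a packet capture; pairing the alert with the process telemetry from the Launch Agent or hidden-file detections gives the host-side context needed to scope the incident.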

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 485f14dbef710b85...

Imported snapshots across ATT&CK releases (1):
Release: 19.1 | Bundle imported: | Object version: 1.2 | Modified: | Status: Current bundle | Raw hash: 485f14dbef71…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Reed thiefquest fake ransom: Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 18, 2021.
  2. wardle evilquest partii: Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
  3. reed thiefquest ransomware analysis: Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021.
  4. EvilQuest: (Citation: Reed thiefquest fake ransom)
  5. MacRansom.K: (Citation: SentinelOne EvilQuest Ransomware Spyware 2020)
  6. SentinelOne EvilQuest Ransomware Spyware 2020: Phil Stokes. (2020, July 8). “EvilQuest” Rolls Ransomware, Spyware & Data Theft Into One. Retrieved April 1, 2021.
  7. ThiefQuest: (Citation: Reed thiefquest fake ransom)
  8. mitre-attack S0595

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.