ThiefQuest malware

ThiefQuest malware mainly targets the macOS devices and was detected earlier in July of this year in the pirated versions of macOS apps that are shared on popular torrent downloading portals.

According to the security experts, this new variant is quite sophisticated when compared to the previous version of this malware, as it comprises more compelling features and capabilities. 


ThiefQuest malware is one of the highly capable malware that has been detected until now, and the experts prefer to keep it in confidential monitoring.

New Functions of ThiefQuest 

As compared to the earlier version of the ThiefQuest malware, recently, the security experts have identified some enhanced variants of ThiefQuest with an extra layer of powerful and improved skills. 

But these enhanced skills are not determined by their main code, as during the investigation, the experts found, hackers have implemented a brand new system for computing and calling the new functions. Even to get the updated settings config from the C&C server, the latest variants offer C&C update, one of the improved functions of ThiefQuest.

Here’s the list of all the new function that has been implemented by the threat actors:-

  • _react_updatesettings
  • attach_payload
  • compress_bundle
  • compress_bundle
  • decompress_bundle
  • decompress_bundle
  • ei_fcnc_pack_challenge
  • ei_fcnc_unpack_challenge
  • ei_getip
  • ei_ptas
  • ei_rfind_cnc
  • eisl_add_function
  • eisl_apply_function
  • eisl_debugging_um
  • eisl_get_function
  • eisl_lazysleep
  • eisl_ndebugging
  • eisl_noop
  • eisl_ntrace
  • eisl_ntrace_sc
  • eisl_ntrack_chk
  • eisl_xtrace
  • eisl_zzufff_init
  • extract_payload
  • fb_uniconf_* (other related functions)
  • fb_uniconf_get_entry
  • fb_uniconf_init
  • fb_uniconf_load
  • fb_uniconf_save
  • fb_uniconf_set_entry
  • run_audio
  • run_image
  • run_payload

Key Facts of ThiefQuest

After analyzing the whole matter, security experts have concluded some critical facts of ThiefQuest, and here they are mentioned below:-

  • This new malware came with more robust capabilities and functions, and among them, this malware can see if the malware is operating on a virtual machine or not, and if it is running in a virtual machine, then it will terminate the security tool to evade detection.
  • ThiefQuest can install a keylogger and starts a reverse shell on the infected machine.
  • ThiefQuest also checks more regularly used security tools and antimalware solutions like Kaspersky, Norton, etc.

Security Tools Eliminated

ThiefQuest eliminated some security tools, they keep an eye on the operation, and if they notice any security tools, then they remove them. The list that has been mentioned below has the security tools that have been eliminated by the ThiefQuest till now:-

  • Little Snitch
  • Bitdefender
  • Bullguard
  • DrWeb
  • Avast
  • Kaspersky
  • KnockKnock
  • McAfee
  • Norton
  • ReiKey

To make the script more difficult, or we can say that to make it harder for the experts to read it, the threat actors have used the nested Lambda function. If we compare ThiefQuest malware with other malware, then it is one of the most potent malware which comes with high-yielding features and capabilities. 

ThiefQuest proved that mac is not secure from robust malware, and the threat actors always aim software that is being used by hundreds of users, and mac is one of them. According to the experts, ThiefQuest may have various plans to improve its security and might be preparing to make it a more wicked threat.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.