Pure python post-exploitation RAT for macOS & OSX: EvilOSX

ID N0WHERE:172792
Type n0where
Reporter N0where
Modified 2018-06-18T20:34:11


A pure python, post-exploitation, RAT (Remote Administration Tool) for macOS / OSX.


  • Emulate a simple terminal instance
  • Undetected by anti-virus (OpenSSL AES-256 encrypted payloads, HTTPS communication)
  • Multi-threaded
  • No client dependencies (pure python)
  • Persistent
  • Simple extendable module system
  • Retrieve Chrome passwords
  • Retrieve iCloud tokens and contacts
  • Phish for iCloud passwords via iTunes
  • Download and upload files
  • Take a picture using the webcam
  • Record microphone input
  • iTunes iOS backup enumeration
  • Retrieve or monitor the clipboard
  • Retrieve browser history (Chrome and Safari)
  • Attempt to get root via local privilege escalation
  • Auto installer, simply run EvilOSX on your target and the rest is handled automatically

How To Use

The server side requires python3 to run (probably already installed on your system).

# Clone or download this repository
$ git clone https://github.com/Marten4n6/EvilOSX

# Install dependencies required by the server
$ sudo pip3 install -r requirements.txt

# Go into the repository
$ cd EvilOSX

# Build a launcher to infect your target
$ python builder.py

# Start listening for connections
$ python start.py

# Lastly, run the built launcher on your target

Because payloads are created unique to the target system (automatically by the server), the server must be running when any client connects for the first time.

Pure python post-exploitation RAT for macOS & OSX: EvilOSX Download