rule malware_macos_marten4n6_evilosx { meta: description = "EvilOSX is a pure python, post-exploitation, RAT (Remote Administration Tool) for macOS / OSX." reference = "https://github.com/Marten4n6/EvilOSX" author = "@mimeframe" strings: // EvilOSX.py commands $a1 = "icloud_phish_stop" fullword wide ascii $a2 = "icloud_contacts" fullword wide ascii $a3 = "itunes_backups" fullword wide ascii $a4 = "chrome_passwords" fullword wide ascii $a5 = "Starting EvilOSX..." wide ascii condition: 4 of ($a*) }