Microsoft uncovers sleuthy new XCSSET MacOS malware campaign

News
By published

XCSSET is back with better obfuscation, better persistence, and better infection techniques.

Ransomware
Image credit: Shutterstock (Image credit: Shutterstock)
  • Microsoft warns of new version of the XCSSET infostealer
  • It comes with new obfuscation, infection, and persistence techniques
  • It was seen in "limited" attacks in the wild

A new variant of a known macOS malware is making rounds on the internet, targeting users through infected Xcode projects.

Researchers from the Microsoft Threat Intelligence team said that the modular malware is seen in “limited attacks” at this time, but suggested that people should still keep their guard up.

According to the researchers, this is the first upgrade to XCSSET in three years. It now has enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies.

Scrutinize Xcode projects

“These enhanced features add to this malware family’s previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files,” Microsoft said.

Microsoft first reported of this new XCSSET strain in mid-February this year, and has now come forward with an in-depth analysis.

Xcode is Apple's official integrated development environment (IDE) for creating apps on macOS, iOS, iPadOS, watchOS, and tvOS. It includes a code editor, debugger, Interface Builder, and tools for testing and deploying apps.

In essence, XCSSET is an infostealer. It is capable of pulling system information and files, stealing digital wallet data, and grabbing information from the official Notes app.

For obfuscation, XCSSET now uses a “significantly more randomized approach” for generating payloads to infect Xcode projects. When it comes to updated persistence mechanisms, the new variant uses two techniques: “zshrc”, and “dock”. Finally, for infection, there are now new methods for where the payload is placed in a target Xcode project.

“Users must always inspect and verify any Xcode projects downloaded or cloned from repositories, as the malware usually spreads through infected projects,” the company concluded. “They should also only install apps from trusted sources, such as a software platform’s official app store.”

The in-depth analysis of the malware and its modus operandi can be found on here.

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Read more
Ransomware
Microsoft spies a new and worrying macOS malware strain
Illustration of a laptop with a magnifying glass exposing a beetle on-screen
This devious macOS malware is evading capture by using Apple's own encryption
Image of laptop infected with malware threat
This devious new macOS malware disguises itself as Chrome, Zoom installers
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
These fake macOS updates are actually just looking to spread malware
A person in a wheelchair working at a computer.
Why betting on Mac security could put your organization at risk
A white padlock on a dark digital background.
Developers targeted by malicious Microsoft VSCode extensions
Latest in Security
A graphic showing someone on a tablet working through a supply chain.
Security issue in open source software leaves businesses concerned for systems
ransomware avast
One of the most powerful ransomware hacks around has been cracked using some serious GPU power
person at a computer
Infamous ransomware hackers reveal new tool to brute-force VPNs
person at a computer
Many workers are overconfident at spotting phishing attacks
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
Data Breach
Thousands of healthcare records exposed online, including private patient information
Latest in News
Pebble smartwatch countdown
Pebble confirms its smartwatch announcement is just hours away
Logo of YouTube Shorts
Is YouTube auto-playing Shorts when you open the app? Well, you’re not alone - here’s how to fix it
Google DeepMind panel discussion
“More sovereignty and protection” - Google goes all-in on UK AI with data residency, upskilling projects, and startup investments
Nintendo Switch 2
Nintendo Switch 2 expected to have AI upscaling and I can't wait to finally play Tears of the Kingdom with upgraded graphics
PowerColor Red Devil AMD RX 9070 XT graphics card shown side-on
Your next GPU could be from AMD, not Nvidia, if Team Red’s success with PC gamers continues
Intel Lunar Lake concept
Intel's Panther Lake processors won't arrive until Q1 2026 - corroborates previous delay rumors despite former Intel CEO's promise of 2025 launch
More about security
A graphic showing someone on a tablet working through a supply chain.

Security issue in open source software leaves businesses concerned for systems
person at a computer

Infamous ransomware hackers reveal new tool to brute-force VPNs
DJI Osmo Action 5 Pro

Say goodbye to GoPro and get the highly-rated DJI Osmo Action 5 Pro for its lowest-ever price
See more latest
Most Popular
Logo of YouTube Shorts
Is YouTube auto-playing Shorts when you open the app? Well, you’re not alone - here’s how to fix it
Samsung HW-Q990D soundbar, subwoofer and rear speakers
Samsung's best Dolby Atmos soundbar is being bricked by a new update – here's what we know so far
Intel Lunar Lake concept
Intel's Panther Lake processors won't arrive until Q1 2026 - corroborates previous delay rumors despite former Intel CEO's promise of 2025 launch
A graphic showing someone on a tablet working through a supply chain.
Security issue in open source software leaves businesses concerned for systems
Pebble smartwatch countdown
Pebble confirms its smartwatch announcement is just hours away
Apple Watch Ultra 2 settings
I've been using an Apple Watch for 10 years – here are three common mistakes even I've made
person at a computer
Infamous ransomware hackers reveal new tool to brute-force VPNs
Google DeepMind panel discussion
“More sovereignty and protection” - Google goes all-in on UK AI with data residency, upskilling projects, and startup investments
Nintendo Switch 2
Nintendo Switch 2 expected to have AI upscaling and I can't wait to finally play Tears of the Kingdom with upgraded graphics
Samsung Galaxy S24 hands on handheld back straight white
The Samsung Galaxy S24 is getting one of the S25’s biggest video upgrades with One UI 7 – here’s why Log Video matters