Introduction
A new variant of the macOS malware XCSSET has emerged [3], posing a significant threat to Mac users, especially software developers [1]. This sophisticated malware [3] [4] [6], first identified in 2020 [7], has been updated with advanced techniques to bypass Apple’s security measures, marking its first major update since 2022. The malware primarily spreads through compromised Xcode projects, making it a critical concern for those in the software development community.
Description
A new variant of the macOS malware XCSSET has been detected [3], as reported by Microsoft Threat Intelligence on February 17 [3]. This sophisticated modular malware [3] [4] [6], first identified in 2020 [7], primarily targets Mac users [1], particularly software developers [1], by distributing itself through compromised Xcode projects [1]. This marks the first significant update since 2022 [4]. The latest iteration features advanced obfuscation techniques [7], improved persistence mechanisms [1] [2] [4] [5] [6] [7], and new infection vectors that circumvent Apple’s security measures [5]. It employs multi-layered encoding strategies [2] [5], including randomized encoding algorithms [2] [5], to evade static analysis and disrupt signature-based detection, which complicates reverse-engineering efforts. At the same time it retains its previous capabilities, such as information theft and backdoor injection [1]. The malware can take unauthorized screenshots, steal browser cookies [1], and extract data from applications like Google Chrome [1], Telegram [1] [4], WeChat [1], Evernote [1], and the Notes app [1] [4] [7].
For persistence [2] [4] [5] [6], XCSSET utilizes two primary methods: Zshrc Injection, which appends malicious commands to the user’s ~/.zshrc file to launch the payload with each new terminal session, and Dock API Manipulation [2]. The latter involves downloading a signed dockutil utility from a command-and-control server to manage dock items [4], creating a counterfeit Launchpad application that replaces the legitimate Launchpad’s path in the dock [4]. This ensures that both legitimate and malicious payloads are executed whenever the Launchpad is accessed [4].
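The two persistence locations just described can be audited from the defender's side. The script below is an added example, not code from the page or from Microsoft: it lists the lines of a zsh startup file that a known-good baseline does not contain (zshrc injection appends to the file), and it reads the Dock's persistent-apps list to find any tile labelled Launchpad whose on-disk path is not the system Launchpad (the dockutil-based swap). The .zshrc text and Dock plist are constructed for the demo; the plist keys follow com.apple.dock's layout, and the expected Launchpad path is an assumption (older systems keep Launchpad elsewhere).

```python
"""Audit the two XCSSET persistence locations: ~/.zshrc additions and a
replaced Launchpad tile in the Dock. Added example, not the page's code."""
import plistlib
from typing import List
from urllib.parse import unquote

EXPECTED_LAUNCHPAD = "/System/Applications/Launchpad.app"  # assumption


def unexpected_zshrc_lines(zshrc_text: str, baseline_text: str) -> List[str]:
    """Non-comment lines of zshrc_text that do not appear in baseline_text.

    Zshrc injection appends to the end of the file, so any command missing
    from the user's own baseline (e.g. a dotfiles repo copy) deserves a look.
    """
    def commands(text: str) -> List[str]:
        return [ln.strip() for ln in text.splitlines()
                if ln.strip() and not ln.strip().startswith("#")]

    known = set(commands(baseline_text))
    return [ln for ln in commands(zshrc_text) if ln not in known]


def launchpad_paths(dock_plist: bytes) -> List[str]:
    """On-disk path of every Dock tile whose label is 'Launchpad'."""
    dock = plistlib.loads(dock_plist)
    paths = []
    for app in dock.get("persistent-apps", []):
        tile = app.get("tile-data", {})
        if tile.get("file-label") != "Launchpad":
            continue
        # com.apple.dock stores the target as a file:// URL
        url = tile.get("file-data", {}).get("_CFURLString", "")
        if url.startswith("file://"):
            url = url[len("file://"):]
        paths.append(unquote(url).rstrip("/"))
    return paths


def rogue_launchpad_paths(dock_plist: bytes) -> List[str]:
    """Launchpad-labelled tiles that do not point at the real Launchpad."""
    return [p for p in launchpad_paths(dock_plist) if p != EXPECTED_LAUNCHPAD]


# Constructed samples: a user's own .zshrc and the same file with a line appended.
BASELINE_ZSHRC = """# user dotfiles
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
"""
SUSPECT_ZSHRC = BASELINE_ZSHRC + '"$HOME/.cache/.updater" >/dev/null 2>&1 &\n'


def _dock_plist(launchpad_path: str) -> bytes:
    """Minimal com.apple.dock-style plist with one Launchpad tile (constructed)."""
    return plistlib.dumps({"persistent-apps": [{"tile-data": {
        "file-label": "Launchpad",
        "file-data": {"_CFURLString": f"file://{launchpad_path}/",
                      "_CFURLStringType": 15},
    }}]})


CLEAN_DOCK = _dock_plist(EXPECTED_LAUNCHPAD)
TAMPERED_DOCK = _dock_plist("/Users/dev/Library/Caches/.fake/Launchpad.app")  # constructed


if __name__ == "__main__":
    print("zshrc lines not in baseline:",
          unexpected_zshrc_lines(SUSPECT_ZSHRC, BASELINE_ZSHRC))
    print("rogue Launchpad tiles:", rogue_launchpad_paths(TAMPERED_DOCK))
```

On a live Mac, pass the contents of `~/.zshrc` and the output of `defaults export com.apple.dock -` to the two functions; a baseline can simply be the copy of `.zshrc` kept in the user's dotfiles repository.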
The infection strategy has evolved [6], offering multiple options for payload placement in Xcode projects [6]: TARGET Injection, which modifies build settings to trigger malicious scripts during compilation [5]; RULE Exploitation [2] [5], which injects build rules that deploy the payload before binaries are linked [5]; and FORCED_STRATEGY methods, which overwrite project files to introduce hidden malware [5]. These payloads can be disseminated through platforms like GitHub or CocoaPods [5], leading to potential compromises in downstream applications [5]. Although the new variant is currently seen in limited attacks [3], the advisory emphasizes the importance of caution when working with Xcode projects from external sources.
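The TARGET and RULE placements both end up as script text inside the project's `project.pbxproj` (run-script build phases and custom build rules), so a cloned project can be audited before it is ever built. The scanner below is an added example, not the page's or any vendor's code: it walks the pbxproj's brace structure (assuming Xcode's standard layout of a root dict, an `objects` dict, and one dict per object), extracts the script of every `PBXShellScriptBuildPhase` and `PBXBuildRule`, and flags lines matching a small, defender-chosen set of indicators such as build-time base64 decoding or downloads piped into an interpreter. The sample project is constructed; its base64 string decodes to a harmless `echo hi`.

```python
"""Flag suspicious run-script phases and build rules in a project.pbxproj.
Added example, not from the page; indicator list is an assumption to tune."""
import re
from typing import List, Tuple

INDICATORS = [
    (re.compile(r"base64\s+(-D|-d|--decode)"), "decodes base64 at build time"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh|python)"), "pipes a download into an interpreter"),
    (re.compile(r"\bosa(script|compile)\b"), "runs or compiles AppleScript"),
    (re.compile(r"\beval\b|\$\(\s*(echo|printf)\b"), "builds a command from generated text"),
]
ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}  # pbxproj string escapes

# Constructed sample project: one injected run-script phase, one benign rule, one benign phase.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
    archiveVersion = 1;
    objectVersion = 56;
    objects = {
        AA0000000000000000000001 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "echo \"building\"\nsh -c \"$(echo ZWNobyBoaQ== | base64 -D)\"\n";
        };
        AA0000000000000000000002 /* PBXBuildRule */ = {
            isa = PBXBuildRule;
            compilerSpec = com.apple.compilers.proxy.script;
            filePatterns = "*.txt";
            fileType = pattern.proxy;
            script = "cp \"$INPUT_FILE_PATH\" \"$DERIVED_FILE_DIR/\"\n";
        };
        AA0000000000000000000003 /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            name = Lint;
            shellPath = /bin/sh;
            shellScript = "swiftlint\n";
        };
    };
    rootObject = AA0000000000000000000000 /* Project object */;
}
'''


def _objects(pbxproj: str) -> List[str]:
    """Text of each object dict (brace depth 3: root -> objects -> object).

    Quoted strings are skipped so braces inside shell scripts do not confuse the walk.
    """
    blocks, depth, start, in_str, esc = [], 0, None, False, False
    for i, ch in enumerate(pbxproj):
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
            continue
        if ch == '"':
            in_str = True
        elif ch == "{":
            depth += 1
            if depth == 3:
                start = i
        elif ch == "}":
            if depth == 3 and start is not None:
                blocks.append(pbxproj[start:i + 1])
                start = None
            depth -= 1
    return blocks


def _field(block: str, key: str) -> str:
    """Value of `key = ...;` in an object, unescaped if it was a quoted string."""
    m = re.search(rf'\b{key} = "((?:[^"\\]|\\.)*)";', block, re.S)
    if m:
        return re.sub(r"\\(.)", lambda e: ESCAPES.get(e.group(1), e.group(0)), m.group(1))
    m = re.search(rf"\b{key} = ([^;\n]+);", block)
    return m.group(1).strip() if m else ""


def audit_pbxproj(pbxproj: str) -> List[Tuple[str, str, List[str]]]:
    """Return (location, offending script line, reasons) for every flagged line."""
    findings = []
    for block in _objects(pbxproj):
        isa = _field(block, "isa")
        if isa == "PBXShellScriptBuildPhase":
            where = f"run-script phase '{_field(block, 'name') or 'unnamed'}'"
            script = _field(block, "shellScript")
        elif isa == "PBXBuildRule":
            where = f"build rule for {_field(block, 'filePatterns') or _field(block, 'fileType')}"
            script = _field(block, "script")
        else:
            continue
        for line in script.splitlines():
            reasons = [why for pat, why in INDICATORS if pat.search(line)]
            if reasons:
                findings.append((where, line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for where, line, reasons in audit_pbxproj(SAMPLE_PBXPROJ):
        print(f"{where}: {line!r} -> {', '.join(reasons)}")
```

The scanner cannot see a FORCED_STRATEGY overwrite of files it has no baseline for; for that, compare the cloned project against the upstream commit (`git diff` on the `.xcodeproj` directory) and treat any unexplained change to `project.pbxproj` as a reason not to build.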
Users and organizations are advised to inspect and verify any Xcode projects downloaded or cloned from repositories [7], enforce code-signing verification for Xcode dependencies [2] [5], and monitor for unauthorized SSH key generation [2] [5]. Detection of XCSSET activity should focus on anomalous AppleScript compilation events and unexpected network traffic to newly registered command-and-control domains [5]. Installing applications only from trusted sources and utilizing Microsoft Defender for Endpoint on Mac, which can detect this new variant by recognizing behavioral patterns associated with its updated modules, are also recommended [6]. Enabling tamper protection in Defender for Endpoint is crucial to block unauthorized process injection attempts targeting Xcode or Safari instances [2]. The ongoing evolution of XCSSET highlights the necessity for advanced runtime protections in addition to static analysis tools to secure macOS environments [5].
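The three detection points named above (AppleScript compilation, SSH key generation, and traffic to newly registered domains) can be expressed as rules over endpoint telemetry. The code below is an added example, not the page's or Microsoft's: the event format (one JSON object per line with `ts`, `type`, `process`, `parent`, `tty`, `dst`) is an assumed EDR-style export, "anomalous" is taken to mean the tool ran without a controlling terminal from a parent that is not on a small allow-list, the 30-day "newly registered" threshold is a tuning assumption, and the WHOIS-style creation dates stand in for a domain-intelligence feed. The sample events are constructed and contain no real indicators.

```python
"""Rules for the three XCSSET indicators over constructed sample telemetry.
Added example; event schema, allow-list and thresholds are assumptions."""
import json
from datetime import date
from typing import Dict, List, Optional

WATCHED_EXECS = {
    "osacompile": "AppleScript compiled",
    "osascript": "AppleScript executed",
    "ssh-keygen": "SSH key generated",
}
# Headless parents from which these tools are expected; tune per fleet (assumption).
ALLOWED_HEADLESS_PARENTS = {"Automator", "Script Editor"}
NEW_DOMAIN_DAYS = 30  # assumption

# Constructed stand-in for a WHOIS / domain-age feed.
DOMAIN_CREATED: Dict[str, str] = {
    "github.com": "2007-10-09",
    "cdn.example-update.invalid": "2025-02-10",
}

# Constructed sample telemetry (not real IoCs): an interactive osacompile, a headless
# one spawned by sh, a key generation spawned by osascript, two connections, one
# interactive key generation.
SAMPLE_EVENTS = """\
{"ts": "2025-02-17T10:01:02Z", "type": "exec", "process": "osacompile", "parent": "zsh", "tty": "ttys001"}
{"ts": "2025-02-17T10:03:15Z", "type": "exec", "process": "osacompile", "parent": "sh", "tty": null}
{"ts": "2025-02-17T10:03:16Z", "type": "exec", "process": "ssh-keygen", "parent": "osascript", "tty": null}
{"ts": "2025-02-17T10:03:20Z", "type": "net", "process": "osascript", "dst": "cdn.example-update.invalid", "port": 443}
{"ts": "2025-02-17T10:05:00Z", "type": "net", "process": "git", "dst": "github.com", "port": 443}
{"ts": "2025-02-17T10:06:00Z", "type": "exec", "process": "ssh-keygen", "parent": "zsh", "tty": "ttys001"}
"""


def domain_age_days(domain: str, today: date) -> Optional[int]:
    """Days since registration according to the feed, or None if unknown."""
    created = DOMAIN_CREATED.get(domain)
    return (today - date.fromisoformat(created)).days if created else None


def check_event(event: dict, today: date) -> Optional[str]:
    """Return an alert string for one event, or None if it looks benign."""
    kind = event.get("type")
    if kind == "exec":
        label = WATCHED_EXECS.get(event.get("process", ""))
        if label is None:
            return None
        headless = event.get("tty") is None
        if headless and event.get("parent") not in ALLOWED_HEADLESS_PARENTS:
            return f"{label} without a controlling terminal (parent: {event.get('parent')})"
        return None
    if kind == "net":
        age = domain_age_days(event.get("dst", ""), today)
        if age is not None and age < NEW_DOMAIN_DAYS:
            return f"{event.get('process')} connected to {event['dst']}, registered {age} days ago"
    return None


def detect(events_jsonl: str, today: date) -> List[dict]:
    """Run check_event over newline-delimited JSON and collect the alerts in order."""
    alerts = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        alert = check_event(event, today)
        if alert:
            alerts.append({"ts": event["ts"], "alert": alert})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, date(2025, 2, 17)):
        print(a["ts"], a["alert"])
```

The TTY heuristic is deliberately coarse: legitimate CI runners also launch tools headlessly, which is why the allow-list exists and why the domain-age rule is the one worth correlating with, since a developer's build machine has little reason to contact a domain registered days earlier.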
Conclusion
The emergence of the new XCSSET variant underscores the evolving threat landscape for macOS users, particularly those involved in software development. Its advanced obfuscation and persistence techniques highlight the need for robust security measures. Users and organizations must remain vigilant, ensuring that Xcode projects are thoroughly vetted and that security tools like Microsoft Defender for Endpoint are employed to detect and mitigate potential threats. As XCSSET continues to evolve, the importance of advanced runtime protections and proactive security strategies becomes increasingly critical to safeguarding macOS environments.
References
[1] https://www.helpnetsecurity.com/2025/02/17/the-xcsset-info-stealing-malware-is-back-targeting-macos-users-and-devs/
[2] https://cybersecuritynews.com/new-xcsset-attacking-macos-users/
[3] https://www.infosecurity-magazine.com/news/new-xcsset-macos-malware-variant/
[4] https://tech-wire.in/technology/cyber-security/microsoft-uncovers-new-xcsset-macos-malware-variant-with-advanced-obfuscation-tactics/
[5] https://cybermaterial.com/new-xcsset-malware-targets-macos-developers/
[6] https://www.thetechoutlook.com/news/security/microsoft-discovers-new-xcsset-macos-malware-variant-with-enhanced-obfuscation-and-persistence-mechanisms/
[7] https://securityonline.info/xcsset-malware-returns-with-enhanced-capabilities-to-target-macos-users/