Sunday, May 25, 2025

Enhanced XCSSET Malware Targets macOS Users with Advanced Obfuscation


Microsoft Threat Intelligence has recently uncovered a new variant of the XCSSET malware, a sophisticated modular macOS malware known for infecting Xcode projects.

This latest iteration features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies, making it more challenging to detect and remove.

The malware primarily targets software developers who share Xcode project files, leveraging the collaborative nature of development environments to spread.


Advanced Techniques and Infection Chain

The new XCSSET variant employs a four-stage infection chain, starting with an obfuscated shell payload that is triggered when an infected Xcode project is built.

[Figure: Obfuscated first-stage shell payload]

This payload communicates with a command-and-control (C2) server to download additional payloads, which are executed using shell scripts.

The malware uses both hexdump and Base64 encoding to obfuscate its payloads, making static analysis difficult.
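As an added defender-side example (not Microsoft's detection logic and not code from the report), the following Python scans the run-script build phases in an Xcode project.pbxproj for the build-time traits described above: inline Base64 or hex decoding stages whose output is piped into a shell. The heuristics, the constructed project fragment and the two-hit threshold are my assumptions.

```python
import re
from typing import Dict, List

# Constructed project.pbxproj fragment with two run-script build phases. The first
# script is a harmless stand-in for an obfuscated payload (not real XCSSET code).
SAMPLE_PBXPROJ = r'''
    1A2B3C4D /* ShellScript */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "echo \"Q0hBTkdFTUUK\" | base64 -d | sh\n";
    };
    5E6F7A8B /* Lint */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "swiftlint lint --quiet\n";
    };
'''

# Heuristics (my assumptions, not Microsoft's signatures): inline decoding stages and
# piping decoded bytes into an interpreter are the build-time traits the article describes.
SUSPICIOUS = [
    (r"base64\s+(-[dD]\b|--decode)", "Base64 decoding stage"),
    (r"\bxxd\s+-r|\bhexdump\b", "hex decoding stage"),
    (r"\|\s*(sh|bash|zsh|osascript)\b", "pipes decoded data into an interpreter"),
    (r"\b(curl|wget)\b", "network fetch during build"),
    (r"\beval\b", "eval of generated text"),
]

# A run-script phase: the isa marker followed (non-greedily) by its quoted shellScript value.
PHASE_RE = re.compile(r'isa = PBXShellScriptBuildPhase;.*?shellScript = "((?:[^"\\]|\\.)*)";', re.S)

def extract_build_scripts(pbxproj: str) -> List[str]:
    """Return every run-script body with pbxproj string escaping undone."""
    return [m.group(1).replace(r"\"", '"').replace(r"\n", "\n").replace(r"\\", "\\")
            for m in PHASE_RE.finditer(pbxproj)]

def audit_build_scripts(pbxproj: str) -> List[Dict[str, object]]:
    """Flag phases matching two or more heuristics; a single hit alone is too noisy."""
    findings = []
    for script in extract_build_scripts(pbxproj):
        hits = [label for pat, label in SUSPICIOUS if re.search(pat, script)]
        if len(hits) >= 2:
            findings.append({"script": script.strip(), "reasons": hits})
    return findings

if __name__ == "__main__":
    for f in audit_build_scripts(SAMPLE_PBXPROJ):
        print("SUSPICIOUS run-script phase:", ", ".join(f["reasons"]), "\n   ", f["script"])
```

Run it against a real project.pbxproj by reading the file into `audit_build_scripts`; legitimate phases such as linters produce no findings because they trip at most one heuristic.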

It also checks for the version of XProtect, macOS’s built-in antivirus, to evade detection.

The malware’s persistence techniques include modifying shell configuration files and creating fake Launchpad applications to ensure its payload launches at specific events, such as new shell sessions or when a user opens Launchpad.

The fourth stage of the infection involves an AppleScript payload that gathers system information, including macOS version, Safari version, and firewall status, which it sends to the C2 server.

This payload also overrides the default log function to send logs to the C2 server.

The malware includes sub-modules for stealing system information, listing browser extensions, downloading additional modules, and stealing digital wallet data from browsers.

[Figure: Browser path list]

One of the sub-modules, cozfi_xhh, steals notes from the Notes application using a JavaScript payload.

Impact

According to the report, while the new XCSSET variant has so far been observed only in limited attacks, its advanced capabilities pose a significant threat to macOS users, particularly developers.

Microsoft has shared these findings with Apple, emphasizing the importance of collaboration in mitigating threats.

To protect against this malware, users should be cautious when opening or sharing Xcode projects, ensure their systems are updated with the latest security patches, and use robust antivirus software.

Additionally, developers should implement secure coding practices and regularly scan their projects for malware.

As the threat landscape evolves, staying informed about emerging threats like XCSSET is crucial for maintaining cybersecurity.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
