Cyber Security News

Enhanced XCSSET Malware Targets macOS Users with Advanced Obfuscation

Microsoft Threat Intelligence has recently uncovered a new variant of the XCSSET malware, a sophisticated modular macOS malware known for infecting Xcode projects.

This latest iteration features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies, making it more challenging to detect and remove.

The malware primarily targets software developers who share Xcode project files, leveraging the collaborative nature of development environments to spread.

Advanced Techniques and Infection Chain

The new XCSSET variant employs a four-stage infection chain, starting with an obfuscated shell payload that is triggered when an infected Xcode project is built.

XCSSET MalwareXCSSET Malware
Obfuscated first-stage shell payload

This payload communicates with a command-and-control (C2) server to download additional payloads, which are executed using shell scripts.

The malware uses both hexdump and Base64 encoding to obfuscate its payloads, making static analysis difficult.

It also checks for the version of XProtect, macOS’s built-in antivirus, to evade detection.

The malware’s persistence techniques include modifying shell configuration files and creating fake Launchpad applications to ensure its payload launches at specific events, such as new shell sessions or when a user opens Launchpad.

The fourth stage of the infection involves an AppleScript payload that gathers system information, including macOS version, Safari version, and firewall status, which it sends to the C2 server.

This payload also overrides the default log function to send logs to the C2 server.

The malware includes sub-modules for stealing system information, listing browser extensions, downloading additional modules, and stealing digital wallet data from browsers.

Browser’s path list

One of the sub-modules, cozfi_xhh, steals notes from the Notes application using a JavaScript payload.

Impact

According to the Report, While the new XCSSET variant is currently observed in limited attacks, its advanced capabilities pose a significant threat to macOS users, particularly developers.

Microsoft has shared these findings with Apple, emphasizing the importance of collaboration in mitigating threats.

To protect against this malware, users should be cautious when opening or sharing Xcode projects, ensure their systems are updated with the latest security patches, and use robust antivirus software.

Additionally, developers should implement secure coding practices and regularly scan their projects for malware.

As the threat landscape evolves, staying informed about emerging threats like XCSSET is crucial for maintaining cybersecurity.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free. 

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

2 days ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

2 days ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

2 days ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

2 days ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

3 days ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

3 days ago