Cybersecurity News: New XCSSET Variant Targets macOS Users
Mar 04, 2025
In a recent development, cybersecurity experts have identified a new variant of the XCSSET malware targeting macOS users. This sophisticated malware, first widely discovered in August 2020, has evolved to employ advanced evasion techniques and persistence mechanisms, posing significant challenges to security defenses.
Evolution of XCSSET Malware
Initially, XCSSET gained notoriety by targeting Xcode developers, embedding malicious code into Xcode projects. This approach led to a supply-chain-like attack, as developers unknowingly distributed infected applications. Over time, the malware expanded its capabilities, exploiting zero-day vulnerabilities to steal sensitive information from applications like Safari, Notes, Skype, Telegram, and WeChat. Notably, in 2021, XCSSET was re-engineered to support Apple's M1 chips, highlighting its adaptability to new hardware architectures.
Advanced Evasion and Persistence Techniques
The latest variant of XCSSET introduces sophisticated evasion tactics to bypass security measures. It employs obfuscation methods to conceal its code and uses updated persistence mechanisms to maintain its foothold on infected systems. These enhancements make detection and removal more challenging, underscoring the malware's continuous evolution.
To maintain its foothold on infected systems, XCSSET employs innovative persistence methods:
- zshrc Method: The malware creates a file named ~/.zshrc_aliases containing its payload and appends a command to the ~/.zshrc file. This setup ensures that the malicious code executes every time a new shell session is initiated.
- Dock Method: XCSSET downloads a signed dockutil tool from its command-and-control server to manipulate dock items. It then creates a fake Launchpad application and replaces the legitimate Launchpad's path in the dock with this counterfeit version. Consequently, each time the Launchpad is launched from the dock, both the genuine application and the malicious payload are executed.
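Both persistence methods leave artifacts a defender can check directly: a reference to ~/.zshrc_aliases in a zsh startup file, and a Launchpad tile in the Dock preferences whose path is not the real Launchpad bundle. The script below is an added example written for this article, not code from the original report or from any vendor; the sample ~/.zshrc text and the sample Dock plist are constructed, and the expected Launchpad locations (/System/Applications on macOS 10.15 and later, /Applications on older releases) are an assumption to adjust for the fleet being checked.

```python
import plistlib
from pathlib import Path

# Constructed sample ~/.zshrc (not a real capture): two ordinary lines followed by
# the kind of appended line the article describes, which runs ~/.zshrc_aliases
# in every new interactive shell.
SAMPLE_ZSHRC = """\
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
source ~/.zshrc_aliases
"""

# Paths where Launchpad legitimately lives (assumption: /System/Applications on
# macOS 10.15 and later, /Applications on older releases).
EXPECTED_LAUNCHPAD_URLS = {
    "file:///System/Applications/Launchpad.app/",
    "file:///Applications/Launchpad.app/",
}

# Constructed Dock preferences in the layout com.apple.dock.plist uses
# (persistent-apps -> tile-data -> file-label / file-data._CFURLString).
# The Launchpad tile points at a user-writable path, which is the pattern to flag.
SAMPLE_DOCK_PLIST = plistlib.dumps({
    "persistent-apps": [
        {"tile-data": {"file-label": "Safari",
                       "file-data": {"_CFURLString": "file:///Applications/Safari.app/"}}},
        {"tile-data": {"file-label": "Launchpad",
                       "file-data": {"_CFURLString": "file:///Users/example/Library/Launchpad.app/"}}},
    ]
})


def find_zshrc_hooks(text: str) -> list:
    """Return (line_number, line) for every line that refers to a .zshrc_aliases file.

    zsh has no built-in file of that name, so any reference in a startup file
    deserves a look, whether it is sourced, executed or merely mentioned.
    """
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if ".zshrc_aliases" in line]


def find_launchpad_dock_anomalies(plist_bytes: bytes) -> list:
    """Return URLs of Dock tiles labelled Launchpad that do not point at the real app.

    The label check assumes an English locale; on other locales compare the
    bundle name at the end of the URL instead.
    """
    dock = plistlib.loads(plist_bytes)  # handles both XML and binary plists
    anomalies = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        url = data.get("file-data", {}).get("_CFURLString", "")
        if data.get("file-label") == "Launchpad" and url not in EXPECTED_LAUNCHPAD_URLS:
            anomalies.append(url)
    return anomalies


if __name__ == "__main__":
    # Check the live files of the current user when they exist; the constructed
    # samples above only show what a hit looks like.
    for name in ("~/.zshrc", "~/.zprofile", "~/.zshenv", "~/.zlogin"):
        path = Path(name).expanduser()
        if path.is_file():
            for n, line in find_zshrc_hooks(path.read_text(errors="replace")):
                print(f"{path}:{n}: {line}")
    dock_plist = Path("~/Library/Preferences/com.apple.dock.plist").expanduser()
    if dock_plist.is_file():
        for url in find_launchpad_dock_anomalies(dock_plist.read_bytes()):
            print(f"Launchpad Dock tile points at {url}")
```

Run as a plain user on the host being examined; any output line is a lead to investigate rather than proof of infection, since an administrator could have added a similar alias file or relocated Launchpad deliberately.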
Infection Vectors and Targets
XCSSET primarily spreads through infected Xcode projects. Developers who unknowingly incorporate malicious code into their projects can inadvertently propagate the malware to end-users. Once installed, XCSSET can steal login information from various applications, including web browsers and messaging apps, and can inject malicious JavaScript code into websites. This broad range of capabilities allows attackers to harvest sensitive data and potentially deploy ransomware.
New Infection Strategies
The malware has also adopted novel methods for embedding its payload into Xcode projects:
- TARGET, RULE, or FORCED_STRATEGY: XCSSET selects one of these options to place its payload within the target Xcode project.
- TARGET_DEVICE_FAMILY Key: Alternatively, it inserts the payload inside the TARGET_DEVICE_FAMILY key under build settings, scheduling its execution at a later phase.
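In a clean project, TARGET_DEVICE_FAMILY in project.pbxproj holds nothing but device-family numbers (for example 1 for iPhone, 2 for iPad, written as "1,2"), so any other content in that key is worth a review, and the same goes for every run-script build phase. The scanner below is an added example written for this article, not code from the original report or from Apple; the project.pbxproj fragment it parses is constructed, and the command text inside the suspicious value is a placeholder, not a real payload. It also gives concrete form to the "verify Xcode projects" advice further down.

```python
import re
import sys
from pathlib import Path

# Constructed project.pbxproj fragment (not from a real project): one run-script
# build phase, one build configuration with a normal TARGET_DEVICE_FAMILY and one
# whose value carries an embedded placeholder command.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AB01 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "echo \"placeholder build step\"\n";
		};
/* End PBXShellScriptBuildPhase section */
		CD02 /* Debug */ = {
			isa = XCBuildConfiguration;
			buildSettings = {
				PRODUCT_NAME = "$(TARGET_NAME)";
				TARGET_DEVICE_FAMILY = "1,2";
			};
		};
		EF03 /* Release */ = {
			isa = XCBuildConfiguration;
			buildSettings = {
				PRODUCT_NAME = "$(TARGET_NAME)";
				TARGET_DEVICE_FAMILY = "1,2; /bin/sh -c \"echo placeholder-command\"";
			};
		};
'''

# A pbxproj value is either a double-quoted string with backslash escapes or a
# bare token running up to the terminating semicolon.
PBX_VALUE = r'("(?:[^"\\]|\\.)*"|[^;\n]*)'
DEVICE_FAMILY = re.compile(r'TARGET_DEVICE_FAMILY\s*=\s*' + PBX_VALUE + r'\s*;')
SHELL_SCRIPT = re.compile(r'shellScript\s*=\s*' + PBX_VALUE + r'\s*;')
# Legitimate values: one or more device-family numbers separated by commas.
VALID_FAMILY = re.compile(r'^[0-9]+(,[0-9]+)*$')


def unquote(value: str) -> str:
    """Strip surrounding quotes and undo the two escapes Xcode commonly emits."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value.replace('\\"', '"').replace('\\n', '\n')


def suspicious_device_family(pbxproj: str) -> list:
    """Return every TARGET_DEVICE_FAMILY value that is not a plain list of family numbers."""
    return [unquote(m.group(1)) for m in DEVICE_FAMILY.finditer(pbxproj)
            if not VALID_FAMILY.match(unquote(m.group(1)))]


def run_script_phases(pbxproj: str) -> list:
    """Return the body of every run-script build phase so a reviewer can read it."""
    return [unquote(m.group(1)) for m in SHELL_SCRIPT.finditer(pbxproj)]


if __name__ == "__main__":
    # Walk a checkout (default: current directory) and report on every project file.
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for pbx in root.rglob("project.pbxproj"):
        text = pbx.read_text(errors="replace")
        for value in suspicious_device_family(text):
            print(f"{pbx}: unusual TARGET_DEVICE_FAMILY: {value!r}")
        for script in run_script_phases(text):
            print(f"{pbx}: run-script phase to review: {script.strip()!r}")
```

The scanner is deliberately narrow: it reads the project file as text rather than trusting Xcode to interpret it, so a value that would never survive as a device family list is reported exactly as it appears on disk. Run-script phases are listed rather than judged, because legitimate projects use them for code generation and linting; the point is that each one should be recognisable to the team that owns the project.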
Implications for Developers and Users
The resurgence of XCSSET poses significant risks:
- Supply Chain Compromise: By infecting Xcode projects, the malware can propagate through the software supply chain, potentially affecting numerous downstream vendors and users.
- Data Theft: XCSSET is capable of stealing sensitive information, including data from digital wallets and the Notes app, as well as exfiltrating system information and files.
Mitigation Strategies
To protect against XCSSET and similar threats, macOS users, researchers and developers should:
- Regularly Update Software: Ensure that macOS and all applications are up to date to benefit from the latest security patches.
- Verify Xcode Projects: Developers should scrutinize their projects for unexpected code or files and avoid using untrusted third-party code.
- Use Security Solutions: Employ reputable security software that can detect and block malicious activities, including those employing advanced evasion techniques.
- Exercise Caution with Downloads: Avoid downloading applications or code from unverified sources, as they may harbor malware.
The emergence of this new XCSSET variant serves as a reminder of the persistent and evolving nature of cyber threats. Vigilance and proactive security measures are essential to safeguard personal and professional data from such sophisticated attacks by hackers.
Conclusion
The resurgence of XCSSET malware underscores the evolving threats faced by macOS users and developers. With enhanced obfuscation techniques, advanced persistence mechanisms, and new infection strategies, this malware remains a serious risk, particularly for those using Xcode. To stay protected, users must adopt proactive security measures such as inspecting Xcode projects, downloading software from trusted sources, and keeping up with the latest security updates. By staying vigilant and implementing these best practices, individuals and organizations can reduce the risk of infection and safeguard their macOS environments from compromise.