Microsoft spies a new and worrying macOS malware strain

News
By published

XCSSET infostealer was updated after more than two years

Ransomware
Image credit: Shutterstock (Image credit: Shutterstock)
  • Microsoft warns of new version of the XCSSET infostealer
  • It comes with new obfuscation, infection, and persistence techniques
  • Experts warn all users to be careful

Microsoft says it has spotted a new strain of an old macOS malware variant, one which comes with better obfuscation techniques, more persistence, and new infection mechanisms.

In a short X post, Microsoft detailed discovering a new version of XCSSET, which it describes as a “sophisticated modular macOS malware” that targets users through infected Xcode projects.

Xcode is Apple's official integrated development environment (IDE) for creating apps on macOS, iOS, iPadOS, watchOS, and tvOS. It includes a code editor, debugger, Interface Builder, and tools for testing and deploying apps.

Limited attacks

In essence, XCSSET is an infostealer. It is capable of pulling system information and files, stealing digital wallet data, and grabbing information from the official Notes app. Its latest iteration comes after more than two years of being dormant, and appears to come with significant improvements.

To better hide itself, XCSSET now uses a “significantly more randomized” approach for generating payloads to infect Xcode projects, Microsoft explained. For persistence, XCSSET now uses two techniques, called “zshrc” and “dock”. In the first one, the malware creates a file named ~/.zshrc_aliases, which contains the payload. It then appends a command in the ~/.zshrc file to make sure the created file is launched every time a new shell session is initiated.

In the second one, the malware downloads a signed dockutil tool from a command-and-control server to manage the dock items. It then creates a fake Launchpad app and replaces the legitimate one’s entry in the doc. That way, when the victim runs the Launchpad from the dock, both the legitimate app and the malware are executed.

As for infection, XCSSET now comes with new methods for where the payload is placed in the Xcode project.

Microsoft said that at this time, it is only seeing the new variant in “limited attacks”, but wanted to sound the alarm on time, so that users and organizations can protect themselves.

“Users must always inspect and verify any Xcode projects downloaded or cloned from repositories, as the malware usually spreads through infected projects,” the company concluded. “They should also only install apps from trusted sources, such as a software platform’s official app store.”

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Read more
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Illustration of a laptop with a magnifying glass exposing a beetle on-screen
This devious macOS malware is evading capture by using Apple's own encryption
Image of laptop infected with malware threat
This devious new macOS malware disguises itself as Chrome, Zoom installers
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
These fake macOS updates are actually just looking to spread malware
A person in a wheelchair working at a computer.
Why betting on Mac security could put your organization at risk
Trojan
Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
Latest in Security
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
UK Prime Minister Sir Kier Starmer
The UK releases timeline for migration to post-quantum cryptography
Representational image depecting cybersecurity protection
Cisco smart licensing system sees critical security flaws exploited
Latest in News
Google Pixel 9
The Google Pixel 10 just showed up in Android code – and may come with a useful speed boost
L-mount alliance
Sirui joins L-Mount Alliance to deliver its superb budget lenses for Leica, DJI, Sigma and Panasonic cameras
Security padlock and circuit board to protect data
Trust in digital services around the world sees a massive drop as security worries continue
A Lego Pikachu tail next to a Pebble OS watch and a screenshot of Assassin's Creed Shadow
ICYMI: the week's 7 biggest tech stories from LG's excellent new OLED TV to our Assassin's Creed Shadow review
Samuel and Romy standing very close together in A24's Babygirl movie
Everything new on Max in April 2025, including A24's Babygirl and The Last of Us season 2
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging
AMD’s secret weapon against Nvidia seems to be stock – way more RX 9070 GPUs are rumored to be hitting shelves than RTX 5000 models
More about security
Hacker silhouette working on a laptop with North Korean flag on the background

North Korea unveils new military unit targeting AI attacks

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)

This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Logitech Pro Racing Wheel for PlayStation

Whether on your desk or in a racing rig, the Logitech G Pro Racing Wheel will satisfy your craving for realistic racing
See more latest
Most Popular
A bloodied Mark staring at an off-screen Helly as Gemma screams at him from behind an exit door in Severance season 2 episode 10
Severance season 3: everything we know so far about the wildly popular Apple TV+ show's next chapter
Nvidia DGX Spark AI supercomputer
Project Digits is now DGX Spark: Nvidia raises its price by 33% as HPE, Dell jump on Petaflop mini AI bandwagon
ChatGPT workout
I use ChatGPT to hit my fitness and exercise goals – here are 7 prompts to help you get in shape using AI
Google Pixel 9
The Google Pixel 10 just showed up in Android code – and may come with a useful speed boost
The AmpereOne CPU
Softbank set to buy Ampere Computing for $6.5 billion and could integrate it with Arm and Graphcore
A Lego Pikachu tail next to a Pebble OS watch and a screenshot of Assassin's Creed Shadow
ICYMI: the week's 7 biggest tech stories from LG's excellent new OLED TV to our Assassin's Creed Shadow review
A SCUBA Diver Checks An Undersea Cable
Startup wants to mitigate risk of state-actor underwater fibre optic cable sabotage by using a decades-old technique
Nvidia Quantum-X and Spectrum-X Silicon Photonics
Nvidia is planning post-copper 1.6Tbps network tech to connect millions of GPUs as it unveils photonics networking gear at GTC 2025
Uperfect 23.8-inch dual foldable display
This is the largest dual-screen monitor I've ever seen, and at almost 24 inches each, it's bigger than a 43-inch super wide display
Apple Mac Studio
Apple Mac Studio M3 Ultra workstation can run Deepseek R1 671B AI model entirely in memory using less than 200W, reviewer finds