Introduction

Malware often lurks in suspicious downloads, phishing emails, or shady software, but what if the danger was hiding in the very tools used to build trusted applications? XCSSET, a sophisticated macOS malware first identified in 2020, does exactly that. By embedding itself within the Xcode projects, which are structured workspaces used to develop macOS and iOS applications, XCSSET spreads unknowingly through developer environments, exploiting zero-day vulnerabilities to infiltrate macOS systems.

Over time, XCSSET has continuously adapted, incorporating advanced techniques to improve its ability to remain undetected and maintain persistence within macOS systems.  

‍XCSSET in 2020: The Emergence

A concerning and unusual form of infection was discovered in 2020, linked to Xcode developer projects. An investigation revealed that a developer's Xcode project had unknowingly hosted the source code for malware, leading to a series of malicious payloads. The most alarming discovery involved two zero-day exploits: one targeting a flaw in Data Vaults to steal Safari cookies, and another exploiting the developer version of Safari itself.  

This was a particularly unique threat. The malicious code was injected directly into local Xcode projects, meaning that once these projects were built, the harmful code was executed. This presented a serious risk to developers, especially when infected projects were uploaded to GitHub, triggering a supply-chain attack. Users who relied on these repositories as dependencies could have inadvertently incorporated the malware into their own projects. Evidence of this malware had also been found on VirusTotal, showing its broader presence in the wild.  The malware was identified as TrojanSpy.MacOS.XCSSET.A, with its command and control (C&C) related files identified as Backdoor.MacOS.XCSSET.A.  XCSSET spread primarily through maliciously modified Xcode projects and applications generated from those projects. The exact initial entry point remained unclear, but the systems involved were predominantly used by developers. These Xcode projects were altered so that when built, they executed the malicious code, ultimately deploying the XCSSET malware onto the infected system. Users affected by XCSSET were at significant risk of having their credentials, sensitive accounts, and vital data compromised.

Once XCSSET took control of a system, it performed a range of malicious activities:

• Stealing Safari cookies: It exploited a vulnerability to access and extract Safari cookies, bypassing security restrictions.
• Injecting JavaScript backdoors: By utilizing a developer version of Safari, it enabled Universal Cross-Site Scripting (UXSS) attacks, allowing JavaScript backdoors to be injected into websites.
• Harvesting Sensitive App Data: It targeted widely used applications, including Evernote, Notes, Skype, Telegram, QQ, and WeChat, to steal user information.
• Capturing Screenshots: The malware discreetly took screenshots of the user's active screen, potentially exposing confidential data.
• Uploading Stolen Files: It exfiltrated files from the compromised machine to an attacker-controlled server.
• Deploying Ransomware: If instructed by its command-and-control (C2) server, XCSSET encrypted files and displayed a ransom note, locking users out of their own data.

The UXSS (Universal Cross-Site Scripting) attack had the potential to alter nearly every aspect of a user's browsing experience by injecting arbitrary JavaScript code. Some of the key modifications it could make included:  

• Website Modifications: The attack could alter the appearance and content of websites visited by the user.
• Cryptocurrency Address Manipulation: It could replace or modify displayed Bitcoin or other cryptocurrency addresses.
• Credential Theft: The malware targeted user credentials from services such as amoCRM, Apple ID, Google, PayPal, SIPMarket, and Yandex.
• Credit Card Information: Sensitive data, such as credit card details, could be stolen, particularly from the Apple Store.
• Password Hijacking: It blocked users from changing their passwords while simultaneously capturing any new passwords entered.
• Screenshot Capture: The malware was capable of capturing screenshots of specific sites that the user accessed.
• This distribution method was notably clever, as it allowed the malware to silently spread and manipulate user activity without being immediately detected.

XCSSET in 2021: Refined tactics and expanded reach

The first version of XCSSET was observed to collect data from various applications and transmit it to a command-and-control (C&C) server. Initially, the purpose of this data collection was unclear, but further analysis revealed that the stolen data contained sensitive and valuable information, which could be exploited in various ways.  

One example of the malware's operation is demonstrated by the malicious AppleScript file "telegram.applescript," targeting the Telegram app. This script’s primary function is to compress the folder “~/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram” into a .ZIP file and then upload it to the C&C server. XCSSET malware has been found to steal critical privacy data from numerous applications, much of which is stored in their sandbox directories. A similar method was observed with the Chrome browser.

In Chrome, XCSSET targets sensitive data such as stored passwords. To extract this data, the malware requires the “safe_storage_key,” which can be obtained using the command “security find-generic-password -wa ‘Chrome.’” However, this command necessitates root privileges. To bypass this requirement, the malware groups all operations that demand root privileges into a single function, prompting the user with a fake dialog box to grant access. Once the “safe_storage_key” is obtained, the malware decrypts the stored passwords and uploads the data to the C&C server. Similar methods have been used to target applications such as Contacts, Evernote, Notes, Opera, Skype, WeChat, and others.  

The discovery of new command-and-control (C&C) domains for XCSSET in April 2021 marked a significant development in the malware's infrastructure. These domains: atecasec.com, linebrand.xyz, mantrucksxyz, monotal.xyz, nodeline.xyz, and sidelink.xyz, were linked to the IP address 94[.]130[.]27[.]189, which had been previously associated with the malware. The fact that these domains were secured with HTTPS certificates from "Let's Encrypt" valid until July 2021 indicated that the attackers had actively taken measures to maintain the security and integrity of their communication channels. This encryption takes measures to maintain the security and integrity of their communication channels. This encryption suggested the attackers were making efforts to prevent detection and ensure their C&C infrastructure remained functional and protected from potential takedowns. The movement of domains, such as icloudserv.com, from a non-malicious IP address to the same 94[.]130[.]27[.]189 address, further underscored the dynamic nature of the malware's operational tactics. By April 2021, all C&C domains were resolved to the IP address 194[.]87[.]186[.], reflecting a shift in the malware's command server structure.  

The introduction of a new domain (irc-nbg.v001.com) to the original C&C IP address indicated that XCSSET might have expanded its functionality, potentially setting up an IRC server for communication. While it was not directly linked to the malware at the time, this move showed how adaptable and evolving the attackers' infrastructure could be.  

In the months following, in June 2021, a significant change occurred when the original C&C domains used by XCSSET were removed, and a fresh batch of domains appeared. These included atecasec.info, datasomatic.ru, icloudserv.ru, lucidapps.info, relativedata.ru, revokecert.ru, and safariperks.ru. This shift in C&C infrastructure demonstrated the malware's ability to rapidly adapt and switch to new servers when the existing ones were compromised or detected. However, by the end of June 2021, these new servers were also taken offline, and since then, the location of XCSSET's current servers remained unclear.    

The XCSSET malware has been found exploiting a newly discovered third zero-day vulnerability to bypass Apple's Transparency, Consent, and Control (TCC) framework. One of the known vulnerabilities, CVE-2021-30713, is an improper authentication flaw affecting multiple macOS versions, enabling unauthorized access to restricted system resources. This vulnerability has also been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.  

‍XCSSET in 2022: Evolving strategies to evade detection

In 2022, XCSSET malware had continued to leverage SHC-compiled shell scripts and run-only AppleScripts to obfuscate both droppers and payloads, making static detection challenging. SHC Binaries contained minimal readable strings, preventing signature-based identification. The malware had also shifted its disguise, embedding its primary executable in a fake  Notes.app, replacing earlier iterations where it masqueraded as fake Xcode.app in 2020 and Mail.app in 2021. These fake apps were dropped in randomly generated directories within the user's Library folder.  

To further evade detection, the malware had introduced randomized variables within its  replicator.applescript, modifying --max-time values (ranging from 5 to 9 seconds) and altering the phaseName variable to hinder static analysis and detection rules. Additionally, XCSSET had changed its cache storage directory from ~/Library/Caches/GeoServices/ to ~/Library/Caches/GitServices/, reinforcing its ability to blend in with legitimate system files.  

The malware had continued targeting widely used applications, particularly chat apps like Telegram, WeChat, and Tencent 360, along with an expanded list of browsers such as Opera, Brave, and Edge. Multiple malicious run-only AppleScripts had been used to steal and exfiltrate sensitive user data. The contacts.applescript had specifically targeted chat applications, while payloader.applescript had gathered hardware profiling data, checking for display type and system updates to better tailor attacks. The listing.applescript had assessed Apple’s XProtect and MRT status, allowing attackers to deploy more effective payloads. For exfiltrating large stolen data files, XCSSET had utilized the public service transfer.sh to offload data beyond attacker-controlled servers.  

XCSSET in 2025: The latest adaptations

Microsoft Threat Intelligence has identified a new variant of XCSSET, a modular macOS malware that infects Xcode projects. Although currently observed in limited attacks, this latest variant introduces advanced obfuscation techniques, updated persistence mechanisms, and new infection strategies, further enhancing its capabilities. Previously known for targeting digital wallets, collecting data from the Notes app, and exfiltrating system information, XCSSET now poses an even greater threat to macOS users.

‍Obfuscation:

The malware’s obfuscation methods have been significantly improved, incorporating a more randomized approach for payload generation. Unlike earlier versions that relied solely on xxd (hexdump) for encoding, this variant also utilizes Base64, with both the encoding technique and number of iterations being randomized. Additionally, module names within the code are now obfuscated, making it more difficult to determine their functions.

‍Persistence:

For persistence, XCSSET employs two distinct techniques: the “zshrc” method and the “dock” method.  

The zshrc method involves creating a file named ~/.zshrc_aliases containing the payload and modifying the ~/.zshrc file to execute it whenever a new shell session is started. Meanwhile, the dock method downloads a signed dockutil tool from a command-and-control server, allowing the malware to manipulate dock items. It then replaces the legitimate Launchpad application path with a fake one, ensuring that whenever Launchpad is launched from the dock, both the real application and the malicious payload are executed.

‍Infection Techniques:

The new variant also introduces additional infection techniques, modifying where the payload is placed within an Xcode project. It selects from three different placement methods: TARGET, RULE, or FORCED_STRATEGY; while another method embeds the payload inside the TARGET_DEVICE_FAMILY key under build settings, executing it at a later stage.

XCCSET Techniques mapped to MITRE ATT&CK

• Initial Access: T1190 (Exploit Public-Facing Application), T1195 (Supply Chain Compromise)
• Execution: T1059 (Command and Scripting Interpreter), T1203 (Exploitation for Client Execution), T1072 (Software Deployment Tools), T1204 (User Execution)
• Persistence & Privilege Escalation: T1554 (Compromise Client Software Binary), T1543 (Create/Modify System Process), T1068 (Exploitation for Privilege Escalation), T1548 (Abuse Elevation Control Mechanism)
• Defense Evasion: T1574 (Hijack Execution Flow), T1140 (Deobfuscate/Decode Files), T1211 (Exploitation for Defense Evasion), T1222 (File/Directory Permissions Modification), T1564 (Hide Artifacts), T1036 (Masquerading), T1553 (Subvert Trust Controls)
• Credential Access: T1556 (Modify Authentication Process), T1555 (Credentials from Password Stores), T1212 (Exploitation for Credential Access), T1003 (OS Credential Dumping)
• Discovery: T1087 (Account Discovery), T1010 (Application Window Discovery), T1083 (File and Directory Discovery), T1057 (Process Discovery), T1033 (System Owner/User Discovery)  
• Lateral Movement & Collection: T1021 (Remote Services), T1072 (Software Deployment Tools), T1560 (Archive Collected Data), T1119 (Automated Collection), T1115 (Clipboard Data), T1005 (Data from Local System), T1074 (Data Staged), T1056 (Input Capture), T1113 (Screen Capture)  
• Command & Control, Exfiltration & Impact: T1132 (Data Encoding), T1001 (Data Obfuscation), T1020 (Automated Exfiltration), T1030 (Data Transfer Size Limits), T1041 (Exfiltration Over C2 Channel), T1565 (Data Manipulation)  

Strengthening Defenses Against XCSSET

While the latest XCSSET variant introduces refinements in its tactics, its core behavior remains unchanged.  To protect against the XCSSET malware variant, users should follow these security best practices:  

• Download Apps from Trusted Sources: Only install applications from official marketplaces or trusted sources to minimize exposure to malicious software.
• Verify Xcode Projects: Carefully inspect and verify any Xcode projects before downloading or cloning them, as the malware primarily spreads through infected repositories.
• Use Comprehensive Security Solutions: Deploy multilayered security tools like Trend Micro Maximum Security for enhanced protection against evolving cyber threats.
• Leverage Endpoint Security: Microsoft Defender for Endpoint on Mac detects and mitigates the latest XCSSET variant, reinforcing the need for endpoint protection.
• Stay Vigilant Against Suspicious Activity: Regularly monitor systems for unusual behavior, unauthorized access, or unexpected application modifications.
• By implementing these precautions, users can significantly reduce their risk of infection and safeguard their systems from this sophisticated malware.

‍Final Thoughts

The resurgence of the XCSSET malware variant highlights the ever-changing landscape of macOS cybersecurity threats. With its evolving command infrastructure, the malware continues to adapt, making detection and mitigation increasingly challenging. Its focus on crypto theft and data exfiltration from applications like Telegram and WeChat reflects cybercriminals' shifting tactics in response to the growing digital economy. As XCSSET exploits sophisticated infection strategies, it is crucial for users and developers to implement proactive security measures. Regular system updates, cautious downloading practices, and robust endpoint protection remain essential in defending against such advanced threats. By staying vigilant and informed, macOS users can strengthen their defenses and minimize the risks posed by evolving cyber threats.

Sources Cited:

1. ‍https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf
2. ‍https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html  
3. ‍https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html  
4. ‍https://www.trendmicro.com/en_us/research/21/g/updated-xcsset-malware-targets-telegram--other-apps.html  
5. ‍https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/  
6. ‍https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/  
7. ‍https://x.com/MsftSecIntel/status/1891410993265123662  
8. ‍https://hivepro.com/threat-advisory/xcsset-malware-exploits-zero-day-tcc-vulnerability-in-macos/
9. ‍https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief_Followup.pdf