Microsoft spies a new and worrying macOS malware strain

Ransomware
Image credit: Shutterstock (Image credit: Shutterstock)

  • Microsoft warns of new version of the XCSSET infostealer
  • It comes with new obfuscation, infection, and persistence techniques
  • Experts warn all users to be careful

Microsoft says it has spotted a new strain of an old macOS malware variant, one which comes with better obfuscation techniques, more persistence, and new infection mechanisms.

In a short X post, Microsoft detailed discovering a new version of XCSSET, which it describes as a “sophisticated modular macOS malware” that targets users through infected Xcode projects.

Xcode is Apple's official integrated development environment (IDE) for creating apps on macOS, iOS, iPadOS, watchOS, and tvOS. It includes a code editor, debugger, Interface Builder, and tools for testing and deploying apps.

Limited attacks

In essence, XCSSET is an infostealer. It is capable of pulling system information and files, stealing digital wallet data, and grabbing information from the official Notes app. Its latest iteration comes after more than two years of being dormant, and appears to come with significant improvements.

To better hide itself, XCSSET now uses a “significantly more randomized” approach for generating payloads to infect Xcode projects, Microsoft explained. For persistence, XCSSET now uses two techniques, called “zshrc” and “dock”. In the first one, the malware creates a file named ~/.zshrc_aliases, which contains the payload. It then appends a command in the ~/.zshrc file to make sure the created file is launched every time a new shell session is initiated.

In the second one, the malware downloads a signed dockutil tool from a command-and-control server to manage the dock items. It then creates a fake Launchpad app and replaces the legitimate one’s entry in the doc. That way, when the victim runs the Launchpad from the dock, both the legitimate app and the malware are executed.

As for infection, XCSSET now comes with new methods for where the payload is placed in the Xcode project.

Microsoft said that at this time, it is only seeing the new variant in “limited attacks”, but wanted to sound the alarm on time, so that users and organizations can protect themselves.

“Users must always inspect and verify any Xcode projects downloaded or cloned from repositories, as the malware usually spreads through infected projects,” the company concluded. “They should also only install apps from trusted sources, such as a software platform’s official app store.”

You might also like

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Illustration of a laptop with a magnifying glass exposing a beetle on-screen
This devious macOS malware is evading capture by using Apple's own encryption
Image of laptop infected with malware threat
This devious new macOS malware disguises itself as Chrome, Zoom installers
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
These fake macOS updates are actually just looking to spread malware
A person in a wheelchair working at a computer.
Why betting on Mac security could put your organization at risk
Trojan
Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
Latest in Security
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple H3C Magic routers hit by critical severity remote command injection, with no fix in sight
Code Skull
This dangerous new ransomware is hitting Windows, ARM, ESXi systems
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
Latest in News
An Apple Music pink/pixellated poster advertising DJ with Apple Music
DJ with Apple Music lands, allowing subscribers to build and mix DJ sets directly from its +100 million-song catalog
The Meta Quest 3 and controllers on their charging station which is itself on a wooden desk next to a lamp
Forget Android XR, I've got my eyes on Vivo's new Meta Quest 3 competitor as it could be the most important VR headset of 2025
Samsung Galaxy S25 from the front
The Now Bar on Samsung One UI 7 is about to get a lot more useful – and could soon match Live Activities on iOS
Marvel Rivals
Marvel Rivals will get two new hero skins for Moon Knight and Black Panther this week meaning I'll now need to farm even more Units
An iPhone running iOS 18 on a purple and blue background
iOS 18.4 could launch soon with a major upgrade to your iPhone’s notifications
Netflix Ads
Netflix adds HDR10+ support – great news for Samsung TV owners, but don't expect LG and Sony to do the same any time soon