Microsoft uncovers new variant of XCSSET macOS malware in targeted attacks

Microsoft Threat Intelligence researchers found a new XCSSET macOS malware variant used in limited attacks.

Microsoft Threat Intelligence researchers have discovered a new version of the macOS malware XCSSET that has been employed in limited attacks.

Trend Micro first spotted the malware in 2020 when it was spreading through Xcode projects and exploiting two zero-day vulnerabilities to steal sensitive information from target systems and launch ransomware attacks.

The new XCSSET version can steal Firefox data and hijack the clipboard. It evades detection with encryption and obfuscation techniques and runs hidden AppleScripts. The malware also supports an additional persistence mechanism through LaunchDaemon entries.

“This variant features a submodule designed to monitor the clipboard and references a downloaded configuration file containing address regex patterns associated with various digital wallets,” reads the report. “If a pattern match is detected, XCSSET is capable of substituting the clipboard content with its own predefined set of wallet addresses.”
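The clipboard behaviour quoted above is a defender's detection opportunity: a legitimate copy is always preceded by a user action, whereas a swap changes the clipboard with no copy event. The following script is an added example (not from the Microsoft report or Security Affairs) that models that heuristic over a constructed event list; the wallet regexes are loose public formats for BTC and ETH addresses, the sample addresses are constructed, and how the events are captured on a real host (polling `pbpaste`, or NSPasteboard's changeCount via PyObjC) is an assumption left to the caller.

```python
import re

# Loose patterns that recognise wallet-looking strings on the defender side.
# They deliberately trade precision for simplicity; a checksum validator would
# reduce false positives.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),  # bech32 charset
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed clipboard timeline: ("user", text) is a copy the user performed,
# ("poll", text) is what a monitor saw on a later check without any copy action.
SAMPLE_EVENTS = [
    ("user", "meeting notes for Monday"),
    ("poll", "meeting notes for Monday"),                     # unchanged, benign
    ("user", "hello"),
    ("poll", "hello world"),                                  # changed, but not a wallet
    ("user", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),           # user copied a BTC address
    ("poll", "1FakeSwapAddr2Kd9Q3vJ7mP5xR8sT4wZ6"),           # swapped with no user copy
    ("user", "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"),   # user copied an ETH address
    ("poll", "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"),   # unchanged, benign
]


def wallet_kind(text):
    """Return the pattern name the text matches, or None if it is not wallet-like."""
    text = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_swaps(events):
    """Flag polls where a wallet-like clipboard value was replaced by another
    wallet-like value with no intervening user copy. Returns a list of alerts."""
    alerts = []
    last_user_copy = None
    for index, (source, content) in enumerate(events):
        if source == "user":
            last_user_copy = content
            continue
        if last_user_copy is None or content == last_user_copy:
            continue
        # Both the copied value and the observed value look like addresses,
        # yet they differ: the classic clipboard-hijack signature.
        if wallet_kind(last_user_copy) and wallet_kind(content):
            alerts.append({
                "event": index,
                "kind": wallet_kind(content),
                "expected": last_user_copy,
                "observed": content,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print("clipboard swap at event %(event)d (%(kind)s): %(expected)s -> %(observed)s" % alert)
```

The check keys on the absence of a user copy, not on the address format alone, so clipboard managers that rewrite non-wallet text do not trigger it; pair it with an allow-list of the user's own addresses if the false-positive rate on busy hosts is a concern.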

The updated stage also downloads and runs several new modules, extending the malware’s functionality compared with the older variant.

“This new variant has added an info-stealer module to exfiltrate data stored by Firefox. The runMe() function is invoked at first to download a Mach-O FAT binary, which is responsible for all info stealing operations, from the C2 server,” continues the report. “This downloaded binary appears to be a modified version of a GitHub project HackBrowserData, which is capable of decrypting and exporting browser data stored by browsers. Passwords, history, credit card information, and cookies are some of the key information it can extract from almost all popular browsers.”

The new XCSSET variant implements a four-stage infection chain. The first three stages are consistent with previous variants. Microsoft detailed the fourth stage, which includes the boot() function and its associated calls to download and run submodules.

The new XCSSET variant includes several focused submodules:

  • vexyeqj (info-stealer): downloads and runs a compiled AppleScript (bnk), decrypts C2 config (AES), inspects and exfiltrates clipboard data, and can replace clipboard contents with attacker wallet addresses.
  • bnk (payload): run-only AppleScript that gathers serial/user info, validates/filters clipboard content, encrypts and posts data to C2.
  • neq_cdyd_ilvcmwx (file-stealer): fetches and runs additional AppleScripts from C2 to exfiltrate files.
  • xmyyeqjx (LaunchDaemon persistence): creates ~/.root, disables macOS auto/rapid updates, builds a fake System Settings app, writes a com.google.* LaunchDaemon plist, sets root ownership and loads it.
  • jey (obfuscation/persistence): shell-based payload decryption and execution with improved obfuscation.
  • iewmilh_cdyd (Firefox stealer): downloads a Mach-O binary (modified HackBrowserData) to export Firefox passwords, cookies, cards and uploads zipped results.

Across the modules, the malware relies on run-only AppleScripts, AES-encrypted C2 configurations, clipboard hijacking for cryptocurrency fraud, temporary file cleanup, and chunked exfiltration to reduce the artifacts left on disk.
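The xmyyeqjx submodule described above leaves a concrete persistence artifact: a LaunchDaemon plist with a com.google.* label whose program lives under a hidden ~/.root directory. The script below is an added example (not code from Microsoft or the article) that audits a LaunchDaemons directory for that pattern with the standard library's plistlib. The two sample plists are constructed: one imitates a benign Google Keystone-style updater under /Library/Google/, the other mirrors the report's description; the exact label and filename the malware uses are not given on the page, so `com.google.updater` is a placeholder.

```python
import os
import plistlib
import tempfile

# Constructed sample plists (not real XCSSET artifacts).
SAMPLE_PLISTS = {
    # Benign: Keystone-style label with its program under /Library/Google/.
    "com.google.keystone.daemon.plist": {
        "Label": "com.google.keystone.daemon",
        "ProgramArguments": [
            "/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle"
            "/Contents/Helpers/ksinstall"
        ],
        "RunAtLoad": True,
    },
    # Suspicious: com.google.* label (placeholder name) pointing at a fake
    # System Settings app inside a hidden ~/.root directory, as the report describes.
    "com.google.updater.plist": {
        "Label": "com.google.updater",
        "ProgramArguments": [
            "/Users/alice/.root/System Settings.app/Contents/MacOS/System Settings"
        ],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
}


def write_samples(directory):
    """Serialise the constructed plists into a directory for the demo run."""
    for name, content in SAMPLE_PLISTS.items():
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(content, fh)


def program_path(plist):
    """Return the executable a launchd job runs (ProgramArguments[0] or Program)."""
    args = plist.get("ProgramArguments")
    if args:
        return args[0]
    return plist.get("Program", "")


def hidden_component(path):
    """True if any directory component of the path is a dot-directory such as .root."""
    return any(part.startswith(".") and part not in (".", "..")
               for part in path.split("/"))


def audit_launch_daemons(directory):
    """Return (filename, reasons) for each plist that matches a suspicious pattern."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        full = os.path.join(directory, name)
        try:
            with open(full, "rb") as fh:
                plist = plistlib.load(fh)
        except (plistlib.InvalidFileException, OSError) as exc:
            findings.append((name, "unreadable plist: %s" % exc))
            continue
        label = plist.get("Label", "")
        path = program_path(plist)
        reasons = []
        if hidden_component(path):
            reasons.append("program lives under a hidden directory: %s" % path)
        if label.startswith("com.google.") and not path.startswith("/Library/Google/"):
            reasons.append("com.google.* label but program outside /Library/Google/")
        if "/Users/" in path and plist.get("RunAtLoad"):
            reasons.append("system-wide daemon runs a binary from a user home directory")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


def demo():
    """Run the audit against the constructed samples in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(tmp)
        return audit_launch_daemons(tmp)


if __name__ == "__main__":
    for name, why in demo():
        print(name, "->", why)
```

On a real host, call `audit_launch_daemons("/Library/LaunchDaemons")` and treat each hit as a lead, not a verdict: the label check matters because Google's own updater daemons legitimately carry com.google.* labels, so the program path and the hidden-directory test are what separate the report's pattern from normal software.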

To mitigate this threat: keep the OS and applications updated and promptly apply security patches; always inspect Xcode projects cloned from repositories, since the malware spreads through infected project files; verify clipboard contents before pasting to catch hijacking; use browsers such as Microsoft Edge with SmartScreen to block malicious sites; and install Microsoft Defender for Endpoint on Mac for malware detection and quarantine. In Defender, enable cloud protection, automatic sample submission, PUA protection, and network protection to block threats and unwanted applications and to restrict access to malicious domains.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)


