XCSSET Returns: New Variant Steals Firefox Data and Hijacks Crypto Wallets
Microsoft researchers have identified a new variant of XCSSET, the macOS-targeting malware that has plagued developers since 2020. This family, notorious for spreading through Xcode projects by embedding malicious code, has now evolved with fresh techniques designed to evade detection and expand its data theft capabilities.
The infection chain still has four stages, but the final stage has been reengineered. Among the most notable additions is a module targeting Firefox, which uses a modified version of the open-source tool HackBrowserData to extract stored browser data. A new clipboard hijacker has also been introduced: whenever a user copies a cryptocurrency wallet address, the malware replaces it with an address controlled by the attacker.
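The clipboard substitution described above only works if nothing compares what the user copied with what ends up being pasted. The following Python is an added defensive illustration, not code from the Microsoft report or from XCSSET: a small guard that records the address at copy time and re-checks the clipboard before a paste, flagging the case where both values look like wallet addresses but differ. The address patterns and the sample addresses are constructed for this example (they check shape only, not checksums), and the guard assumes the application that owns the copy action calls `on_copy` itself.

```python
import re

# Loose shape checks for common wallet address formats (constructed for this
# example; they test the string shape only, not address checksums).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the name of the first address pattern `text` matches, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


class ClipboardGuard:
    """Remembers what the user last copied and re-checks it before a paste.

    Hypothetical helper: it expects the copying application to call on_copy(),
    so last_copied reflects the user's intent rather than whatever touched the
    clipboard afterwards.
    """

    def __init__(self):
        self.last_copied = None

    def on_copy(self, text):
        self.last_copied = text.strip()

    def check_before_paste(self, clipboard_now):
        """Compare the current clipboard with the value recorded at copy time."""
        clipboard_now = clipboard_now.strip()
        copied_kind = classify_address(self.last_copied or "")
        if copied_kind is None:
            return {"swapped": False, "reason": "last copy was not a wallet address"}
        if clipboard_now == self.last_copied:
            return {"swapped": False, "reason": "clipboard matches what was copied"}
        now_kind = classify_address(clipboard_now)
        if now_kind is None:
            # The user (or another app) replaced the address with ordinary text;
            # that is an overwrite, not a silent substitution.
            return {"swapped": False, "reason": "clipboard now holds non-address text"}
        # Both values are wallet addresses and they differ: the classic hijack symptom.
        return {
            "swapped": True,
            "copied_kind": copied_kind,
            "clipboard_kind": now_kind,
            "reason": "wallet address changed between copy and paste",
        }


if __name__ == "__main__":
    # Constructed addresses, not real wallets.
    guard = ClipboardGuard()
    guard.on_copy("1" + "A" * 33)
    print(guard.check_before_paste("1" + "B" * 33))
```

In practice the check belongs in the wallet or exchange client right before a transaction is submitted, where a `swapped: True` result should block the send and show both addresses to the user.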
To maintain persistence, the malware creates a LaunchDaemon that runs a hidden file named .root. It further disguises its activity by planting a decoy application, System Settings.app, in the /tmp directory. As an anti-analysis measure, the code ships compiled AppleScripts with the run-only flag set, and it improves its own survival on the system by disabling both macOS automatic updates and Rapid Security Responses. These refinements allow the attackers to remain undetected for extended periods while maximizing their chances of monetizing the intrusion.
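The persistence and update-tampering tricks above leave traces a defender can audit: a LaunchDaemon plist whose executable is a dotfile or lives under /tmp, and software-update preferences flipped off. The Python below is an added example written for this article, not Microsoft's detection logic and not an XCSSET sample: it parses LaunchDaemon plists with the standard `plistlib` module and flags hidden or temp-directory executables, then checks a dictionary of `com.apple.SoftwareUpdate` preferences for disabled keys. The plists and preference values are constructed inline; the `/tmp/.root` path is a made-up illustration, not a path taken from the report, and the preference key names are the ones commonly present in that domain (which of them governs Rapid Security Responses on a given macOS release should be confirmed on that release).

```python
import os
import plistlib

# Directories from which a persistent system daemon should not normally run.
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")

# Preference keys in com.apple.SoftwareUpdate that should normally be enabled.
# Assumption: these are the commonly documented keys; verify on your macOS version.
UPDATE_KEYS = (
    "AutomaticCheckEnabled",
    "AutomaticDownload",
    "AutomaticallyInstallMacOSUpdates",
    "ConfigDataInstall",
    "CriticalUpdateInstall",
)

# Constructed sample plists in the shape launchd uses (not real malware artifacts).
SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.example.suspicious.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.suspicious</string>
  <key>ProgramArguments</key><array><string>/tmp/.root</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Library/LaunchDaemons/com.vendor.agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.agent</string>
  <key>Program</key><string>/usr/local/bin/vendor-agent</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

# Constructed preference snapshot, as `defaults read` would hand it back.
SAMPLE_PREFS = {"AutomaticCheckEnabled": False, "AutomaticDownload": True,
                "AutomaticallyInstallMacOSUpdates": True, "ConfigDataInstall": True,
                "CriticalUpdateInstall": False}


def program_path(plist):
    """Return the executable a launchd job runs (Program wins over ProgramArguments[0])."""
    prog = plist.get("Program")
    if not prog:
        args = plist.get("ProgramArguments") or []
        prog = args[0] if args else None
    return prog


def audit_daemon(plist_path, plist_bytes):
    """Return human-readable findings for one LaunchDaemon plist (empty list = clean)."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # an unparsable plist in this directory deserves a look too
        return [f"{plist_path}: cannot parse plist ({exc})"]
    exe = program_path(plist)
    if exe is None:
        return [f"{plist_path}: no Program or ProgramArguments"]
    findings = []
    if os.path.basename(exe).startswith("."):
        findings.append(f"{plist_path}: runs hidden file {exe!r}")
    if exe.startswith(SUSPICIOUS_DIRS):
        findings.append(f"{plist_path}: executable lives in a temporary directory ({exe!r})")
    if plist.get("RunAtLoad") and findings:
        findings.append(f"{plist_path}: RunAtLoad is set, so it starts at every boot")
    return findings


def audit_software_update(prefs):
    """Return the update-related preference keys that are turned off."""
    return [key for key in UPDATE_KEYS if not prefs.get(key, True)]


def audit_directory(dirpath="/Library/LaunchDaemons"):
    """Audit every .plist in a real directory; used only when run on a Mac."""
    findings = []
    for name in sorted(os.listdir(dirpath)):
        if name.endswith(".plist"):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                findings.extend(audit_daemon(full, fh.read()))
    return findings


if __name__ == "__main__":
    for path, data in SAMPLE_PLISTS.items():
        for line in audit_daemon(path, data):
            print(line)
    print("disabled update settings:", audit_software_update(SAMPLE_PREFS))
```

On a real host, `audit_directory()` walks `/Library/LaunchDaemons` and the preference dictionary can be filled from the output of `defaults read /Library/Preferences/com.apple.SoftwareUpdate`; pairing this with file-integrity monitoring on that directory catches the property-list modifications the advice at the end of the article refers to.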
For developers, the threat vector remains unchanged: an infected Xcode project activates the malware during the build process, so the programmer ends up running the implant alongside their own code. Researchers had already warned in February that counterfeit repositories and public projects were being used as distribution channels. The latest variant makes the injection even stealthier, using additional project configuration tricks.
According to Microsoft, observed attacks are still limited in scope, yet the persistence of XCSSET underscores how attractive Apple’s developer ecosystem remains to cybercriminals. Technical details have been shared with Apple, and in cooperation with GitHub, repositories containing compromised projects have been taken down.
Redmond advises developers to thoroughly vet projects before compiling, keep macOS updated, and deploy security tools capable of detecting suspicious daemons and property list modifications.
Though XCSSET lacks the notoriety of ransomware strains like LockBit, its resilience is remarkable. For anyone working with Xcode, the lesson is unmistakable: trust cannot be assumed — the next build may carry more than just your code.