New XCSSET macOS Malware Variant Evolves with Advanced Evasion Tactics and Stealth Methods


A new variant of the XCSSET macOS malware has resurfaced with enhanced evasion tactics and stronger persistence mechanisms, making it harder to detect. The malware continues to spread through infected Xcode projects, targeting developers and their systems. Microsoft urges developers to inspect their projects carefully to avoid infection and prevent further spread.

A new variant of the XCSSET malware has resurfaced, posing an increasing threat to macOS users, particularly developers. Microsoft recently issued a warning about the updated malware, marking its first significant update since 2022. The malware, primarily distributed through compromised Xcode projects, has become more advanced, incorporating new evasion tactics, stronger persistence mechanisms, and enhanced infection strategies that make it harder to detect and remove.

XCSSET continues to be a significant threat due to its ability to steal sensitive data, such as digital wallet information, and its capacity to collect user files and exfiltrate information. The malware has been spreading through infected Xcode projects since its discovery in 2020, which remains its primary method of distribution. Once an infected Xcode project is cloned or downloaded, the malware embeds itself in the developer’s system and spreads when the code is shared with others.

The latest variant of XCSSET introduces several new tactics to improve its stealth and persistence. Microsoft reports that the malware employs advanced obfuscation techniques, making it more difficult to analyze and detect. It encodes its payloads with a combination of Base64 and xxd (hex) encoding, randomizing which method is used, to hide its activity from signature-based inspection. Additionally, the malware obfuscates its module names at the code level, complicating efforts to understand what each component does. Together, these tactics let the malware operate undetected for longer periods.

Persistence mechanisms have also been upgraded. One technique involves modifying the user’s ~/.zshrc file, ensuring that the malware is launched every time a new shell session starts. Another method is the use of a signed dockutil tool downloaded from the attacker’s command-and-control server, which replaces the legitimate Launchpad entry with a fake one. This allows the malicious payload to execute whenever the Launchpad is opened, reinforcing the malware’s ability to maintain a long-term presence on an infected system.

The malware’s ability to spread within the development environment is particularly concerning. XCSSET now injects its payloads in more varied ways within infected Xcode projects, utilizing methods like TARGET, RULE, and FORCED_STRATEGY to place malicious code. The payload can also be hidden under the TARGET_DEVICE_FAMILY key in build settings, allowing the malware to be executed later in the development process. This has proven to be an effective method for spreading the malware, as infected developers unknowingly distribute it when sharing their Xcode projects with others.
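A defender-side check for the injection and persistence points described above (a TARGET_DEVICE_FAMILY build setting that is not a plain device list, and Run Script phases or shell rc lines that decode Base64/xxd data into a shell), written as an added example that is not part of the original article or of Microsoft's guidance. The pbxproj and .zshrc fragments are constructed samples, and the assumption that a legitimate TARGET_DEVICE_FAMILY is only a comma-separated list of integers is mine.

```python
import re

# Constructed sample project.pbxproj fragment (not from any real project):
# the first target is ordinary, the second carries a TARGET_DEVICE_FAMILY
# value that is not a device list and a Run Script phase that decodes data
# into a shell. PLACEHOLDER_BLOB stands in for an encoded payload.
SAMPLE_PBXPROJ = r'''
buildSettings = {
    TARGET_DEVICE_FAMILY = "1,2";
};
buildSettings = {
    TARGET_DEVICE_FAMILY = "1,2 $(echo PLACEHOLDER_BLOB | base64 -d | xxd -r -p | sh)";
};
shellScript = "echo PLACEHOLDER_BLOB | base64 --decode | sh";
shellScript = "swiftlint lint --quiet";
'''

# Constructed ~/.zshrc sample: two normal lines and one decode-and-run line.
SAMPLE_ZSHRC = ("export PATH=$HOME/bin:$PATH\nalias ll='ls -la'\n"
                "echo PLACEHOLDER_BLOB | base64 -d | sh\n")

# Assumption: a legitimate TARGET_DEVICE_FAMILY is only a comma-separated
# list of integers (1 = iPhone, 2 = iPad, ...). Anything else is flagged.
DEVICE_RE = re.compile(r'TARGET_DEVICE_FAMILY\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]+)\s*;')
LEGIT_FAMILY_RE = re.compile(r'^[0-9]+(?:,[0-9]+)*$')
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
# Decoders and "pipe into a shell" patterns the article associates with XCSSET.
DECODER_RE = re.compile(r'base64\s+(?:-d|-D|--decode)|xxd\s+-r|\|\s*(?:sh|bash|zsh)\b')

def suspicious_device_family(pbxproj_text):
    """Return TARGET_DEVICE_FAMILY values that are not a plain device list."""
    values = [m.group(1).strip('"') for m in DEVICE_RE.finditer(pbxproj_text)]
    return [v for v in values if not LEGIT_FAMILY_RE.match(v)]

def suspicious_build_scripts(pbxproj_text):
    """Return Run Script phase bodies that decode data or pipe into a shell."""
    return [m.group(1) for m in SCRIPT_RE.finditer(pbxproj_text)
            if DECODER_RE.search(m.group(1))]

def suspicious_rc_lines(rc_text):
    """Return shell rc lines (e.g. from ~/.zshrc) matching the same patterns."""
    return [line for line in rc_text.splitlines() if DECODER_RE.search(line)]

if __name__ == "__main__":
    print("device family:", suspicious_device_family(SAMPLE_PBXPROJ))
    print("build scripts:", suspicious_build_scripts(SAMPLE_PBXPROJ))
    print("rc lines:", suspicious_rc_lines(SAMPLE_ZSHRC))
```

Run it against a real project's `project.pbxproj` and your own rc file by reading those files into the three functions; every hit is something to read by hand before building or sharing the project.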

Security researchers highlight the danger of XCSSET’s distribution model, which bypasses traditional verification methods. Since the malware is embedded in Xcode projects that developers actively share, it is often difficult for users to detect that they are dealing with compromised files. Trend Micro has previously described this distribution method as “clever,” noting that developers may inadvertently spread the malware to others without realizing it.

The resurgence of XCSSET signals a broader trend of increasing threats to the macOS ecosystem, especially targeting developers through supply chain attacks. Experts warn that as cybercriminals evolve their tactics, they are focusing on high-impact entry points within Apple’s software ecosystem. By exploiting the trust developers and users place in the software, attackers can launch attacks that extend beyond the developer’s machine to affect end users of the infected applications. The rise of malware-as-a-service (MaaS) has contributed to the growing threat landscape, making these kinds of attacks more accessible to cybercriminals.

In response to the new variant, Microsoft recommends that macOS users, particularly developers, take extra precautions to prevent infections. The company emphasizes the importance of inspecting and verifying any Xcode projects downloaded or cloned from repositories, as these are often the means by which XCSSET spreads. Microsoft also advises users to only install applications from trusted sources, such as official app stores, to mitigate risks.

Security experts also point out that XCSSET has historically been able to bypass macOS’s Transparency, Consent, and Control (TCC) protections. This has allowed the malware to record screens, steal credentials, and access sensitive data from applications such as Telegram, Chrome, and Skype. With this latest update, Microsoft continues to warn that macOS threats are evolving rapidly, underscoring the importance of proactive security measures. As the malware’s capabilities grow, developers and organizations must prioritize threat detection, implement endpoint security solutions, and enforce strict software verification practices to safeguard their environments against this rising malware threat.
