Cybersecurity researchers have discovered an advanced variant of the XCSSET malware specifically targeting macOS developers through infected Xcode projects, introducing sophisticated clipboard hijacking and enhanced data exfiltration capabilities.
Microsoft Threat Intelligence has identified yet another XCSSET variant in the wild that introduces further updates and new modules beyond those detailed in previous security analyses.
The XCSSET malware is designed to infect Xcode projects, typically used by software developers, and run while an Xcode project is being built.
Security experts note that this mode of infection and propagation banks on project files being shared among developers building Apple or macOS-related applications.
This new variant of XCSSET brings significant changes related to browser targeting, clipboard hijacking, and persistence mechanisms.
It employs sophisticated encryption and obfuscation techniques, uses run-only compiled AppleScripts for stealthy execution, and expands its data exfiltration capabilities to include Firefox browser data.
The malware also adds another persistence mechanism through LaunchDaemon entries, making it more difficult to detect and remove.
The most concerning addition is a submodule designed to monitor the clipboard continuously. This module references a downloaded configuration file containing address regex patterns associated with various digital wallets.
If a pattern match is detected, XCSSET can substitute the clipboard content with its own predefined set of wallet addresses, effectively hijacking cryptocurrency transactions.
Technical Analysis of New Modules
The latest XCSSET variant follows a four-stage infection chain, with the fourth stage introducing several new malicious modules.
The vexyeqj info-stealer module downloads and executes a run-only compiled AppleScript called “bnk,” which performs sophisticated clipboard monitoring and cryptocurrency wallet hijacking.

This module uses AES encryption with a hardcoded key (27860c1670a8d2f3de7bbc74cd754121) to decrypt configuration data received from command and control servers.
The malware’s clipboard hijacking functionality is particularly sophisticated. It checks if the clipboard content matches cryptocurrency wallet address patterns, verifies the frontmost application against a blocklist, and ensures the clipboard data differs from previous entries. When conditions are met, it replaces legitimate wallet addresses with attacker-controlled alternatives.
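The substitution behaviour described above has a simple defensive signature: a string that looks like a wallet address is replaced, within a second or two, by a different string of the same address family. The following is an added example (not code from the original report or from Microsoft) of a detector that applies that rule to a recorded clipboard history. The address patterns, the five-second window and the sample events are constructed for this example; a real monitor would feed it live clipboard snapshots.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Illustrative address patterns for three common wallet families. These are
# constructed for this example; XCSSET's own regex list is fetched from a
# downloaded configuration file and is not reproduced here.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the wallet family a clipboard string looks like, or None."""
    text = text.strip()
    for family, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


@dataclass
class ClipEvent:
    ts: float           # seconds since the monitor started
    content: str        # clipboard text at that moment
    frontmost_app: str  # bundle id of the foreground app (kept as context only)


def detect_swaps(events: List[ClipEvent], window: float = 5.0) -> List[dict]:
    """Flag a wallet address that is replaced by a *different* address of the
    same family within `window` seconds. A user copying one address and then
    pasting it does not produce that sequence; a clipboard hijacker always does."""
    alerts = []
    prev: Optional[ClipEvent] = None
    for ev in events:
        if prev is not None:
            old_family = classify(prev.content)
            new_family = classify(ev.content)
            if (old_family is not None
                    and old_family == new_family
                    and prev.content.strip() != ev.content.strip()
                    and ev.ts - prev.ts <= window):
                alerts.append({
                    "family": old_family,
                    "original": prev.content.strip(),
                    "replacement": ev.content.strip(),
                    "seconds": ev.ts - prev.ts,
                    "app": ev.frontmost_app,
                })
        prev = ev
    return alerts


# Constructed clipboard history: one hijack at t=1.3s, a legitimate change of
# ETH address 20 seconds after the previous copy, and an unchanged re-read.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "meeting notes", "com.apple.Notes"),
    ClipEvent(1.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "com.apple.Safari"),
    ClipEvent(1.3, "1DemoSwappedAddressForTestingabcd", "com.apple.Safari"),
    ClipEvent(20.0, "0x" + "ab" * 20, "com.apple.Safari"),
    ClipEvent(40.0, "0x" + "cd" * 20, "com.apple.Safari"),
    ClipEvent(41.0, "0x" + "cd" * 20, "com.apple.Safari"),
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"[ALERT] {a['family']} address swapped after {a['seconds']:.1f}s: "
              f"{a['original']} -> {a['replacement']} (app {a['app']})")
```

Run as a script it reports the single swap at 1.3s and stays quiet for the later, slower change of ETH address. The check is deliberately independent of which application is in front: the malware uses the frontmost app only to decide when to stay dormant, so a detector that keys on it would inherit the same blind spots.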
A new iewmilh_cdyd module specifically targets Firefox browser data, downloading a modified version of the HackBrowserData project.
This compiled binary can extract passwords, browsing history, credit card information, and cookies from Firefox installations. The stolen data is compressed into ZIP files and exfiltrated to command and control servers in chunks.
The module's runMe() function is invoked first to download, from the C2 server, a Mach-O FAT binary that performs all of the information-stealing operations.

The neq_cdyd_ilvcmwx file-stealer module retrieves additional scripts from C2 servers and operates as a compiled AppleScript, similar to previous wallet data stealers but with enhanced capabilities for broader file exfiltration.
The xmyyeqjx module establishes LaunchDaemon-based persistence by creating a ~/.root file and associated plist entries. This persistence mechanism masquerades as legitimate system processes using prefixes like “com.google.” in plist names. The module also disables macOS automatic configuration updates and Rapid Security Response mechanisms, weakening the system’s defensive capabilities.
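Two artifacts of this persistence module are checkable from the file system alone: a launch item whose program path points at a hidden file under a user's home directory (the report names ~/.root), and a label that borrows a vendor prefix such as "com.google." without belonging to software actually installed. The following is an added example (not code from the original report or from Microsoft) that audits launch-item plists for those traits with the standard-library plistlib, and separately checks the software-update preference file for update mechanisms switched off. The allowlist entry, the use of the ConfigDataInstall and CriticalUpdateInstall keys as the settings this module touches, and all sample plists are assumptions constructed for this example.

```python
import plistlib
import re
from typing import List

# Label prefixes a third-party launch item may borrow to look legitimate.
# Only "com.google." is named in the analysis; the allowlist of genuinely
# installed labels is site-specific (the entry below is an assumed example).
BORROWED_LABEL_PREFIXES = ("com.google.",)
KNOWN_GOOD_LABELS = frozenset({"com.google.keystone.daemon"})

# A program living in a dotfile or dot-directory directly under a user's home
# (for example /Users/<name>/.root) is unusual for a launch daemon.
HIDDEN_HOME_PATH = re.compile(r"^/Users/[^/]+/\.[^/]+")


def audit_launch_item(raw: bytes) -> List[str]:
    """Return human-readable findings for one LaunchDaemon/LaunchAgent plist."""
    try:
        item = plistlib.loads(raw)
    except Exception as exc:  # malformed or truncated plist
        return [f"unparseable plist: {exc}"]
    findings = []
    label = str(item.get("Label", ""))
    if label.startswith(BORROWED_LABEL_PREFIXES) and label not in KNOWN_GOOD_LABELS:
        findings.append(f"vendor-looking label not in allowlist: {label}")
    paths = []
    if isinstance(item.get("Program"), str):
        paths.append(item["Program"])
    paths += [a for a in item.get("ProgramArguments", []) if isinstance(a, str)]
    for p in paths:
        if HIDDEN_HOME_PATH.match(p):
            findings.append(f"executes hidden file under a user home: {p}")
    return findings


def audit_softwareupdate_prefs(raw: bytes) -> List[str]:
    """Flag update mechanisms switched off in com.apple.SoftwareUpdate prefs.
    ConfigDataInstall and CriticalUpdateInstall are existing macOS keys for
    configuration-data and critical/security updates; that they are exactly
    the settings this module changes is an assumption of this example."""
    prefs = plistlib.loads(raw)
    return [f"{key} is disabled"
            for key in ("ConfigDataInstall", "CriticalUpdateInstall")
            if prefs.get(key) is False]


# Constructed sample plists (not real artifacts from the campaign).
SUSPICIOUS_DAEMON = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.demo-updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>/Users/dev/.root</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

BENIGN_DAEMON = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
</dict></plist>"""

WEAKENED_PREFS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ConfigDataInstall</key><false/>
  <key>CriticalUpdateInstall</key><false/>
  <key>AutomaticCheckEnabled</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_DAEMON), ("benign", BENIGN_DAEMON)):
        print(name, audit_launch_item(blob) or ["no findings"])
    print("softwareupdate", audit_softwareupdate_prefs(WEAKENED_PREFS))
```

On a real host the two functions would be run over every file in /Library/LaunchDaemons and the per-user LaunchAgents directories, and over /Library/Preferences/com.apple.SoftwareUpdate.plist; plistlib reads both XML and binary plists, so no conversion step is needed.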
Additionally, the jey module maintains Git-based persistence with improved obfuscation. Unlike previous variants, which directly concatenated encrypted payloads, the new version wraps the decryption logic in shell functions to make it less conspicuous.
Mitigations
Security experts recommend several defensive measures against this evolving threat. Organizations should maintain updated operating systems and applications, carefully inspect Xcode projects from external sources, and exercise caution when handling clipboard data, especially cryptocurrency addresses.
Microsoft recommends using browsers with SmartScreen protection like Microsoft Edge, deploying Microsoft Defender for Endpoint on Mac, and enabling cloud-delivered protection with automatic sample submission.
Network protection should be activated to block connections to malicious domains associated with this campaign.
The discovery of this enhanced XCSSET variant demonstrates the malware’s continued evolution and the persistent threat it poses to macOS developers and the broader software supply chain.
| Indicator | Type | Description |
| --- | --- | --- |
| cdntor[.]ru | Domain | C2 server |
| checkcdn[.]ru | Domain | C2 server |
| cdcache[.]ru | Domain | C2 server |
| applecdn[.]ru | Domain | C2 server |
| flowcdn[.]ru | Domain | C2 server |
| elasticdns[.]ru | Domain | C2 server |
| rublenet[.]ru | Domain | C2 server |
| figmastars[.]ru | Domain | C2 server |
| bulksec[.]ru | Domain | C2 server |
| dobetrix[.]ru | Domain | C2 server |
| figmacat[.]ru | Domain | C2 server |
| digichat[.]ru | Domain | C2 server |
| diggimax[.]ru | Domain | C2 server |
| cdnroute[.]ru | Domain | C2 server |
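The network-protection advice in the mitigations section amounts to blocking, and alerting on, resolution of the domains in this table. The following is an added example (not code from the original report or from Microsoft) that refangs the indicators exactly as listed above and matches them, including subdomains, against DNS query log lines. The log format and the sample lines are constructed for this example.

```python
import re
from typing import List, Optional

# C2 domains exactly as listed in the indicator table (defanged form).
DEFANGED_C2_DOMAINS = [
    "cdntor[.]ru", "checkcdn[.]ru", "cdcache[.]ru", "applecdn[.]ru",
    "flowcdn[.]ru", "elasticdns[.]ru", "rublenet[.]ru", "figmastars[.]ru",
    "bulksec[.]ru", "dobetrix[.]ru", "figmacat[.]ru", "digichat[.]ru",
    "diggimax[.]ru", "cdnroute[.]ru",
]


def refang(domain: str) -> str:
    """Turn the defanged 'x[.]y' form into a resolvable name."""
    return domain.replace("[.]", ".").lower()


C2_DOMAINS = frozenset(refang(d) for d in DEFANGED_C2_DOMAINS)

# Assumed log format: "<timestamp> <client-ip> query: <qname> <qtype>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s*$"
)


def matches_ioc(qname: str) -> Optional[str]:
    """Return the matching C2 domain for an exact or subdomain hit, else None."""
    name = qname.rstrip(".").lower()          # drop the trailing root dot
    for domain in C2_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def scan_dns_log(lines) -> List[dict]:
    """Return one record per query whose name resolves under a C2 domain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                          # skip lines in another format
        ioc = matches_ioc(m["qname"])
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": m["qname"], "ioc": ioc})
    return hits


# Constructed sample log: two hits (one exact, one subdomain), one near-miss
# whose name merely ends with an indicator, and two benign queries.
SAMPLE_DNS_LOG = """
2025-09-01T10:14:02Z 10.0.5.21 query: github.com. A
2025-09-01T10:14:09Z 10.0.5.21 query: cdntor.ru. A
2025-09-01T10:15:31Z 10.0.5.44 query: update.applecdn.ru. AAAA
2025-09-01T10:16:00Z 10.0.5.44 query: notcdntor.ru. A
2025-09-01T10:16:12Z 10.0.5.80 query: developer.apple.com. A
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} matches {hit['ioc']}")
```

The `name.endswith("." + domain)` test is what keeps `notcdntor.ru` from matching `cdntor.ru` while still catching hosts beneath an indicator domain; a plain substring check would produce false positives on every name that happens to contain an indicator.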