New XCSSET Malware Attacking macOS Users by Infecting Xcode Projects 


Microsoft Threat Intelligence has identified an evolved iteration of the XCSSET malware family actively exploiting macOS developers via weaponized Xcode projects. 

This modular backdoor, first documented in 2020, now employs advanced obfuscation techniques, refined persistence mechanisms, and novel infection vectors to subvert Apple’s security frameworks and compromise software supply chains.

The 2024 variant introduces multi-layered encoding strategies to evade static analysis. While earlier versions relied on SHC-compiled shell scripts and run-only AppleScripts to obscure malicious logic, the updated strain randomizes encoding algorithms between Base64 and xxd hexdump operations. 

This variability disrupts signature-based detection, because every re-encoded copy of the payload has a different hash.

Crucially, the malware picks the number of encoding iterations (5 to 9 cycles) at runtime, further complicating reverse-engineering efforts.
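To see what this layering looks like from the analyst's side, here is an added Python example (not code from Microsoft's report or from the malware) that peels alternating Base64 and hex layers off a sample until script text is reached. The sample is constructed inside the block, and the xxd layer is modelled as the plain hex stream that xxd -p emits; that is an assumption, since the report does not give the exact invocation.

```python
import base64
import binascii
import re
import string

# Assumption: the "xxd" layer is modelled as the plain hex stream produced by
# `xxd -p`; the report does not state the exact xxd invocation the malware uses.
_HEX_RE = re.compile(r"^[0-9a-fA-F\s]+$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")


def _looks_printable(data: bytes) -> bool:
    """True when the bytes are printable text, which every layer (and the final script) is."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch in string.printable for ch in text)


def peel_layer(data: bytes):
    """Strip one encoding layer. Returns (kind, decoded) or None when nothing applies.

    Hex is tried first because every hex string is also valid base64 alphabet;
    a decode only counts if its output is still printable text."""
    text = data.decode("ascii", errors="ignore").strip()
    compact = re.sub(r"\s", "", text)
    if not compact:
        return None
    if _HEX_RE.match(text) and len(compact) % 2 == 0:
        try:
            decoded = binascii.unhexlify(compact)
            if _looks_printable(decoded):
                return "xxd", decoded
        except binascii.Error:
            pass
    if _B64_RE.match(text):
        try:
            decoded = base64.b64decode(compact, validate=True)
            if _looks_printable(decoded):
                return "base64", decoded
        except (binascii.Error, ValueError):
            pass
    return None


def unwrap(data: bytes, max_layers: int = 16):
    """Peel layers until plain text remains. Returns (layer kinds outermost first, payload)."""
    layers = []
    current = data
    for _ in range(max_layers):
        step = peel_layer(current)
        if step is None:
            break
        kind, current = step
        layers.append(kind)
    return layers, current


def _build_sample(plain: bytes, kinds) -> bytes:
    """Constructed sample only: wrap `plain` in the given layers, innermost first."""
    data = plain
    for kind in kinds:
        data = binascii.hexlify(data) if kind == "xxd" else base64.b64encode(data)
    return data


# Constructed sample: six alternating layers, inside the 5-9 range the report describes.
SAMPLE_PLAINTEXT = b'echo "layered payload reached"'
SAMPLE_LAYERS = ["base64", "xxd", "xxd", "base64", "xxd", "base64"]
SAMPLE = _build_sample(SAMPLE_PLAINTEXT, SAMPLE_LAYERS)


def analyse_sample():
    """Unwrap the constructed sample; the layer list comes back outermost first."""
    return unwrap(SAMPLE)


if __name__ == "__main__":
    layers, payload = analyse_sample()
    print(f"{len(layers)} layers removed ({' -> '.join(layers)}): {payload!r}")
```

Because the number and order of layers vary per sample, the decoder does not assume either; it keeps peeling while a layer decodes to printable text and stops as soon as the content is neither hex nor Base64. Hashing or pattern-matching the outer blob is pointless for exactly the reason the report gives, so detection has to key on the decoded script or on behaviour.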

At the filesystem level, XCSSET now deploys modular components within falsified application bundles.

Recent campaigns disguise the primary executable (a.scpt) inside a counterfeit Notes.app, strategically placed in non-standard Library subdirectories like ~/Library/Application Scripts/com.apple.CalendarAgent. 

This masquerading technique exploits macOS’s trust in system-adjacent directories, bypassing Gatekeeper checks.

Persistent Execution via Dual Mechanisms

The malware establishes persistence through two parallel methodologies:

Zshrc Injection: By appending malicious shell commands to ~/.zshrc, XCSSET ensures payload reactivation upon every terminal session initiation. This leverages macOS’s default Zsh environment to execute a hidden script (~/.zshrc_aliases) containing the encoded backdoor.

Dock API Manipulation: Utilizing a signed dockutil binary fetched from command-and-control (C2) servers, the malware replaces the legitimate Launchpad entry with a malicious counterpart. 

This ensures execution whenever users interact with the Dock, while maintaining the appearance of normal system behavior.
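An added example, written for this page rather than taken from the report, of how a defender might audit both persistence points: it checks a ~/.zshrc for the sourced hidden script and scans a Dock preferences plist for a Launchpad tile whose bundle is no longer the system one. The shell rc text and the plist are constructed samples; the com.apple.dock key layout and the stock Launchpad path /System/Applications/Launchpad.app are assumptions.

```python
import plistlib
import re

# Indicators taken from the report: a hidden companion script sourced from
# ~/.zshrc, and a Dock "Launchpad" tile that no longer points at the system app.
SUSPICIOUS_RC_PATTERNS = [
    re.compile(r"\.zshrc_aliases"),                         # hidden script named in the report
    re.compile(r"\b(base64|xxd)\b.*\|\s*(sh|zsh|bash)\b"),  # decode-then-pipe-to-shell idiom
]
# Assumption: stock Launchpad location on current macOS releases.
EXPECTED_LAUNCHPAD = "/System/Applications/Launchpad.app"


def audit_zshrc(text: str) -> list:
    """Return non-comment lines of a .zshrc that match a persistence indicator."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if any(p.search(stripped) for p in SUSPICIOUS_RC_PATTERNS):
            hits.append(stripped)
    return hits


def audit_dock_plist(plist_bytes: bytes) -> list:
    """Return URLs of Dock tiles labelled Launchpad whose bundle is not the system one.

    Assumption: the com.apple.dock layout (persistent-apps -> tile-data ->
    file-label / file-data._CFURLString) as seen on current macOS."""
    dock = plistlib.loads(plist_bytes)
    findings = []
    for item in dock.get("persistent-apps", []):
        tile = item.get("tile-data", {})
        label = tile.get("file-label", "")
        url = tile.get("file-data", {}).get("_CFURLString", "")
        if label == "Launchpad" and not url.rstrip("/").endswith(EXPECTED_LAUNCHPAD):
            findings.append(url)
    return findings


# Constructed sample of a user's ~/.zshrc with the injected source line.
SAMPLE_ZSHRC = """\
# constructed sample ~/.zshrc
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
source ~/.zshrc_aliases
"""

# Constructed Dock plist: one normal tile and one Launchpad tile pointing at a
# placeholder path outside the system bundle.
SAMPLE_DOCK_PLIST = plistlib.dumps({
    "persistent-apps": [
        {"tile-data": {"file-label": "Safari",
                       "file-data": {"_CFURLString": "file:///Applications/Safari.app/"}}},
        {"tile-data": {"file-label": "Launchpad",
                       "file-data": {"_CFURLString": "file:///Users/dev/Library/Caches/Launchpad.app/"}}},
    ]
})


def run_audit():
    """Audit both constructed samples; returns (zshrc hits, suspicious Launchpad URLs)."""
    return audit_zshrc(SAMPLE_ZSHRC), audit_dock_plist(SAMPLE_DOCK_PLIST)


if __name__ == "__main__":
    rc_hits, dock_hits = run_audit()
    print("zshrc:", rc_hits)
    print("dock:", dock_hits)
```

On a live host the inputs would be the contents of ~/.zshrc and the output of defaults export com.apple.dock (or the plist file under ~/Library/Preferences); the checks themselves do not change.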

Xcode Project Infection Methodologies

XCSSET’s updated replicator.applescript module employs three primary strategies to infiltrate Xcode workspaces:

TARGET Injection: Modifies the TARGET_DEVICE_FAMILY build setting to execute malicious scripts during compilation phases like “Copy Bundle Frameworks” or “Compile Swift Frameworks”.

RULE Exploitation: Injects build rules that trigger payload deployment before linking binaries, often disguised as legitimate code-signing operations.

FORCED_STRATEGY Payloads: Directly overwrites .pbxproj files to reference hidden assets containing Mach-O malware and bootstrap scripts.

These techniques enable supply chain attacks when developers share infected projects via GitHub or CocoaPods repositories, potentially compromising downstream applications.

Microsoft Defender for Endpoint now recognizes behavioral patterns associated with XCSSET’s updated modules, including:

  • Anomalous AppleScript compilation events via osacompile -x -e targeting non-standard app bundles.
  • Unscheduled writes to ~/Library/Caches/GeoServices/ or ~/Library/Caches/GitServices/ directories.
  • Unexpected network traffic to newly registered C2 domains like superdocs.ru or gismolow.com.
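As an added illustration (not Microsoft's detection logic), the three behaviours above expressed as checks over a small constructed telemetry feed in JSON-lines form. The event schema is invented for the example; the domains and cache directories are the ones the report names, and treating only /Applications and ~/Applications as normal .app locations is an assumption.

```python
import json
import re
from pathlib import PurePosixPath

# Indicators taken from the report.
C2_DOMAINS = {"superdocs.ru", "gismolow.com"}
CACHE_DIRS = ("/Library/Caches/GeoServices/", "/Library/Caches/GitServices/")


def _is_standard_app_dir(path: str) -> bool:
    """Assumption: only /Applications and ~/Applications count as normal .app locations."""
    parent = str(PurePosixPath(path).parent)
    return parent == "/Applications" or re.fullmatch(r"/Users/[^/]+/Applications", parent) is not None


def check_exec(event: dict):
    """Flag `osacompile -x -e ... -o X.app` whose output lands outside a normal app directory."""
    argv = event.get("argv", [])
    if not argv or PurePosixPath(argv[0]).name != "osacompile":
        return None
    if "-x" not in argv or "-e" not in argv or "-o" not in argv:
        return None
    idx = argv.index("-o")
    if idx + 1 >= len(argv):
        return None
    out = argv[idx + 1]
    if out.endswith(".app") and not _is_standard_app_dir(out):
        return f"osacompile -x -e into non-standard bundle: {out}"
    return None


def check_write(event: dict):
    """Flag writes under a user's GeoServices/GitServices cache directories."""
    path = event.get("path", "")
    if path.startswith("/Users/") and any(d in path for d in CACHE_DIRS):
        return f"write to suspicious cache directory: {path}"
    return None


def check_dns(event: dict):
    """Flag lookups of the C2 domains (or their subdomains) named in the report."""
    domain = event.get("domain", "").lower().rstrip(".")
    if domain in C2_DOMAINS or any(domain.endswith("." + d) for d in C2_DOMAINS):
        return f"lookup of known XCSSET C2 domain: {domain}"
    return None


HANDLERS = {"exec": check_exec, "file_write": check_write, "dns": check_dns}


def scan(lines):
    """Run the matching handler over each JSON-lines event; malformed lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        handler = HANDLERS.get(event.get("type"))
        if handler is None:
            continue
        message = handler(event)
        if message:
            alerts.append(message)
    return alerts


# Constructed sample telemetry (JSON lines); the event schema is an assumption.
SAMPLE_EVENTS = "\n".join(json.dumps(ev) for ev in [
    {"type": "exec", "argv": ["osacompile", "-x", "-e", "beep", "-o",
                              "/Users/dev/Library/Application Scripts/com.apple.CalendarAgent/Notes.app"]},
    {"type": "exec", "argv": ["osacompile", "-o", "/Users/dev/Applications/Helper.app", "helper.applescript"]},
    {"type": "file_write", "path": "/Users/dev/Library/Caches/GeoServices/blob.dat"},
    {"type": "file_write", "path": "/Users/dev/Library/Caches/com.apple.Safari/Cache.db"},
    {"type": "dns", "domain": "gismolow.com"},
    {"type": "dns", "domain": "api.github.com"},
    {"type": "dns", "domain": "cdn.superdocs.ru."},
])


def scan_sample():
    """Run the checks over the constructed feed and return the alert strings."""
    return scan(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for alert in scan_sample():
        print(alert)
```

The domain check matches subdomains and tolerates a trailing dot so that a resolver log entry such as cdn.superdocs.ru. still fires; the osacompile rule deliberately requires both -x (run-only output) and -e together with an output bundle, because developers compiling their own .applescript files do not normally combine the three.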

Organizations should enforce code-signing verification for all Xcode dependencies and monitor for unauthorized entries added to ~/.ssh/authorized_keys.

Developers must audit project files for unfamiliar build phase references or hidden xcassets directories containing executable payloads.
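A project-file audit of the kind this recommends, as an added example not drawn from the report: it scans a .pbxproj for script build phases and build rules whose scripts decode and execute data, and for TARGET_DEVICE_FAMILY values that are not a plain device-family list. The project fragment is constructed; the malicious build phase and the non-numeric TARGET_DEVICE_FAMILY value are hypothetical illustrations of the techniques described above, not copies of real XCSSET artifacts.

```python
import re

# Script fragments worth a second look in any build phase or build rule.
SCRIPT_INDICATORS = [
    (re.compile(r"\bbase64\b\s+(-D|-d|--decode)"), "base64 decode"),
    (re.compile(r"\bxxd\b\s+-r"), "xxd reverse hexdump"),
    (re.compile(r"\|\s*(sh|zsh|bash)\b"), "pipe to shell"),
    (re.compile(r"\bosascript\b|\bosacompile\b"), "AppleScript execution"),
    (re.compile(r"\bcurl\b|\bnscurl\b"), "network fetch"),
]
# pbxproj objects look like `<24-hex id> /* comment */ = { ... };`.
OBJECT_RE = re.compile(r"([0-9A-F]{24}) /\* (.*?) \*/ = \{(.*?)\n\s*\};", re.S)
SCRIPT_RE = re.compile(r'\b(?:shellScript|script) = "((?:[^"\\]|\\.)*)";')
ISA_RE = re.compile(r"\bisa = (\w+);")
FAMILY_RE = re.compile(r'TARGET_DEVICE_FAMILY = "?([^";]*)"?;')


def _unescape(s: str) -> str:
    """Undo the escaping pbxproj applies to quoted strings."""
    return s.replace('\\"', '"').replace("\\n", "\n").replace("\\t", "\t").replace("\\\\", "\\")


def audit_pbxproj(text: str) -> list:
    """Return human-readable findings for suspicious scripts and odd TARGET_DEVICE_FAMILY values."""
    findings = []
    for obj_id, comment, body in OBJECT_RE.findall(text):
        isa_match = ISA_RE.search(body)
        isa = isa_match.group(1) if isa_match else ""
        if isa in ("PBXShellScriptBuildPhase", "PBXBuildRule"):
            for m in SCRIPT_RE.finditer(body):
                script = _unescape(m.group(1))
                hits = [label for pattern, label in SCRIPT_INDICATORS if pattern.search(script)]
                if hits:
                    findings.append(f"{isa} '{comment}' ({obj_id}): {', '.join(hits)}")
        for m in FAMILY_RE.finditer(body):
            value = m.group(1)
            # Legitimate values are device ids separated by commas, e.g. 1 or "1,2".
            if not re.fullmatch(r"[0-9]+(,[0-9]+)*", value):
                findings.append(
                    f"TARGET_DEVICE_FAMILY in '{comment}' ({obj_id}) is not a device-family list: {value!r}")
    return findings


# Constructed project fragment: one injected script phase, one normal CocoaPods
# phase, one tampered build configuration and one clean one.
SAMPLE_PBXPROJ = r"""// !$*UTF8*$!
{
    objects = {
        A1B2C3D4E5F60718293A4B5C /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Copy Bundle Frameworks";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "cat \"$SRCROOT/Assets.xcassets/.hidden/blob\" | base64 -D | xxd -r -p | sh\n";
        };
        B1B2C3D4E5F60718293A4B5C /* Embed Pods Frameworks */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "[CP] Embed Pods Frameworks";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "\"${PODS_ROOT}/Target Support Files/Pods-App/Pods-App-frameworks.sh\"\n";
        };
        C1B2C3D4E5F60718293A4B5C /* Debug */ = {
            isa = XCBuildConfiguration;
            buildSettings = {
                PRODUCT_NAME = "$(TARGET_NAME)";
                TARGET_DEVICE_FAMILY = "1,2 $(SRCROOT)/.build/run.sh";
            };
            name = Debug;
        };
        D1B2C3D4E5F60718293A4B5C /* Release */ = {
            isa = XCBuildConfiguration;
            buildSettings = {
                PRODUCT_NAME = "$(TARGET_NAME)";
                TARGET_DEVICE_FAMILY = "1,2";
            };
            name = Release;
        };
    };
}
"""


def audit_sample():
    """Audit the constructed fragment; returns the list of finding strings."""
    return audit_pbxproj(SAMPLE_PBXPROJ)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Run against a real project as audit_pbxproj(open("App.xcodeproj/project.pbxproj").read()); a clean project yields an empty list. The phase name is reported alongside the object id so that a reviewer can compare the finding with what Xcode shows in the target's Build Phases tab, where an injected phase is easy to miss among legitimate CocoaPods script phases.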

As XCSSET continues to exploit macOS’s scripting ecosystems, the incident underscores the critical need for runtime protection mechanisms alongside static analysis.

Microsoft recommends enabling tamper protection in Defender for Endpoint to block unauthorized process injection attempts targeting Xcode or Safari instances.
