SQ Magazine

Smarter Insights for a Fast-Moving Digital World

Microsoft Uncovers New XCSSET macOS Malware Variant Targeting Xcode Developers

Published on: September 26, 2025
As Featured In
BluehostActive CampaignDesignrushSeeking AlphaResearch Com

A new and more dangerous version of the XCSSET macOS malware has been discovered, and it’s aiming straight at Apple developers.

Quick Summary – TLDR:

  • Microsoft has identified a new variant of XCSSET malware targeting macOS systems through infected Xcode projects.
  • The malware steals browser data, cryptocurrency, and sensitive developer content.
  • It uses advanced evasion tactics like encrypted communications and fake system apps.
  • Developers are urged to inspect shared Xcode projects and update macOS regularly.

What Happened?

Microsoft Threat Intelligence has uncovered a sophisticated new strain of the XCSSET malware. This version enhances its ability to steal data and persist on macOS systems by exploiting the trust and collaboration among developers who share Xcode projects.

The malware executes when developers build infected projects, silently running in the background while stealing data, hijacking cryptocurrency transactions, and disabling security updates.

Malware Targets macOS Developers via Xcode

XCSSET spreads by embedding malicious code into Xcode projects, which are widely used by Apple developers. Once a developer builds an infected project, the malware executes immediately.

Microsoft explained, “The XCSSET malware is designed to infect Xcode projects, typically used by software developers, and run while an Xcode project is being built.”

  • Malware attaches to Xcode projects and spreads when developers unknowingly share code.
  • Executes silently during project builds.
  • Leverages trusted development environments to hide its activity.

Expanded Data Theft and Browser Targeting

The new variant extends its reach beyond Safari and Chrome. It now targets Firefox browser data using a modified version of HackBrowserData, a legitimate open-source tool that extracts passwords, cookies, credit card details, and browsing history.

  • Firefox joins Safari and Chrome as targets for data exfiltration.
  • Stolen data includes login credentials and saved personal info.
  • This poses a serious threat to both personal and professional digital assets.
Newsletter
Subscribe To Our Newsletter!

Be the first to get exclusive offers and the latest news.

Clipboard Hijacking to Steal Cryptocurrency

A particularly harmful feature is the malware’s ability to monitor the clipboard for patterns that resemble cryptocurrency wallet addresses.

When detected, the malware replaces the copied address with one belonging to the attacker, tricking users into sending crypto funds to a fraudulent wallet.

  • Detects and replaces copied wallet addresses using regex.
  • Crypto transactions are silently redirected.
  • Users could lose large sums without realizing it.

Stealth and Persistence Tactics

This variant of XCSSET goes beyond previous versions in its ability to remain hidden. It uses run-only compiled AppleScripts and AES encryption to evade traditional security scans and reverse engineering.

It also creates LaunchDaemon entries and fake apps like “System Settings.app” in temporary folders. These appear legitimate but act as backdoors, granting persistent access to the system.

  • Uses hardcoded AES keys for secure communication with C2 servers.
  • Disables Apple’s Rapid Security Response and update features.
  • Communicates with suspicious domains disguised as content delivery networks.

What Developers Should Do?

Microsoft and cybersecurity experts strongly recommend the following actions:

  • Inspect all Xcode projects, especially shared or downloaded ones, for hidden malicious code.
  • Keep macOS and apps up to date to avoid unpatched vulnerabilities.
  • Use tools like Microsoft Defender for Endpoint on Mac for behavioral detection.
  • Verify clipboard contents before pasting sensitive data like wallet addresses.

SQ Magazine’s Takeaway

If you’re an Apple developer, this malware should be on your radar. As someone who writes and shares code regularly, I know how easy it is to trust a shared project without checking every detail. But that trust is exactly what this malware exploits. The idea that just building a project could secretly install a backdoor or reroute crypto funds is terrifying. Stay vigilant, verify your tools, and update everything. This isn’t just a warning for big companies. It’s a wake-up call for every solo dev working on a Mac.

SQ Magazine follows strict Publishing Principles and a documented Fact-Check Policy to ensure accuracy, transparency, and editorial independence across all content.

Add SQ Magazine as a Preferred Source on Google for updates! Follow on Google News
Sofia Ramirez

Sofia Ramirez

Senior Tech Writer

Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps readers stay informed and secure in today’s fast-changing tech landscape. Passionate about making cybersecurity accessible, Sofia blends research-driven analysis with straightforward explanations; so whether you’re a tech professional or a curious reader, her work ensures you’re always one step ahead in the digital world.

Related Posts

Disclaimer: The content published on SQ Magazine is for informational and educational purposes only. Please verify details independently before making any important decisions based on our content.

Reader Interactions

Leave a Comment

Company
Discover
Categories
Internet
Gaming
Technology
Artificial Intelligence
Cybersecurity
Categories
Internet
Gaming
Technology
Artificial Intelligence
Cybersecurity