arstechnica.com

IT'S BA-ACK! Microsoft warns that the powerful XCSSET macOS malware is back with new tricks

XCSSET has been targeting Mac users since 2020.

Dan Goodin, Feb 18, 2025 4:04 pm

Credit: Getty Images

Microsoft said it has detected a new variant of XCSSET, a powerful macOS malware family that has targeted developers and users since at least 2020.

The variant, which Microsoft reported Monday, marked the first publicly known update to the malware since 2022. The malware first came to light in 2020, when security firm Trend Micro said it had targeted app developers after spreading through a publicly available project the attacker wrote for Xcode, a developer tool Apple makes freely available. The malware gained immediate attention because it exploited what, at the time, were two zero-day vulnerabilities, a testament to the resourcefulness of the entity behind the attacks.

In 2021, XCSSET surfaced again, first when it was used to backdoor developers' devices and a few months later when researchers found it exploiting what at the time was a new zero-day.

New enhanced features

Microsoft said it has detected the new variant in limited attacks so far. Improvements in it include:

- Two previously unseen persistence methods for ensuring compromised devices remain permanently infected. One new method creates a file named ~/.zshrc_aliases that contains the malicious payload. The new variant then appends a command to the ~/.zshrc file to ensure that the created file is launched every time a new shell session is initiated. The other new method creates a fake Launchpad app and replaces the legitimate Launchpad path entry with the path for the new one. From then on, the malicious payload is started each time Launchpad is started from the macOS dock.

- Enhanced infection methods. One method allows the attacker to choose options, including TARGET, RULE, or FORCED_STRATEGY, for when XCSSET will trigger its payload. The other method involves placing the payload inside the TARGET_DEVICE_FAMILY key under build settings and running it at a later phase, Microsoft said.

- Enhanced obfuscation methods, mainly in the form of a significantly more randomized approach for generating payloads to infect Xcode projects. The increased randomization makes spotting the malicious code much harder. The new XCSSET variant also Base64-encodes the module names it creates, again making detection of them more difficult.

"These enhanced features add to this malware family's previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files," Microsoft wrote. XCSSET contains multiple modules for collecting and exfiltrating sensitive data from infected devices.

Microsoft Defender for Endpoint on Mac now detects the new XCSSET variant, and it's likely other malware detection engines will soon, if not already. Unfortunately, Microsoft didn't release file hashes or other indicators of compromise that people can use to determine if they have been targeted. A Microsoft spokesperson said these indicators will be released in a future blog post.

To avoid falling prey to new variants, Microsoft said developers should inspect all Xcode projects downloaded or cloned from repositories. The sharing of these projects is routine among developers. XCSSET exploits the trust developers have by spreading through malicious projects created by the attackers.

Dan Goodin, Senior Security Editor

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.
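As an added defensive check written for this page (not code from the article or from Microsoft), the script below looks for the two persistence artifacts the article describes: a ~/.zshrc_aliases payload that ~/.zshrc has been made to run, and a Dock Launchpad entry that no longer points at the real app. It assumes the genuine Launchpad URL in the Dock plist is file:///System/Applications/Launchpad.app/ and that the plist is dumped to XML with plutil; the infected-looking sample it builds is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the article or Microsoft): defensive check for the
# two XCSSET persistence artifacts described above. Assumptions: the genuine
# Launchpad URL in the Dock plist is file:///System/Applications/Launchpad.app/
# and the Dock preferences are dumped as XML with
#   plutil -convert xml1 -o - ~/Library/Preferences/com.apple.dock.plist

# Look for the zsh persistence: a ~/.zshrc_aliases payload file plus a line in
# ~/.zshrc that runs it on every new shell. Returns 1 if anything is found.
check_zsh_persistence() {
    home="$1"; hits=0
    if [ -f "$home/.zshrc_aliases" ]; then
        echo "SUSPICIOUS: $home/.zshrc_aliases exists"; hits=1
    fi
    if [ -f "$home/.zshrc" ] && grep -n 'zshrc_aliases' "$home/.zshrc"; then
        echo "SUSPICIOUS: $home/.zshrc references .zshrc_aliases (lines above)"; hits=1
    fi
    return $hits
}

# Look for the Launchpad persistence in an XML Dock plist dump: any path-like
# string mentioning Launchpad that is not the system application.
check_launchpad_entry() {
    bad=$(grep -o '<string>[^<]*Launchpad[^<]*</string>' "$1" \
        | sed 's#<string>##; s#</string>##' | grep '/' \
        | grep -v '^file:///System/Applications/Launchpad\.app/*$' || true)
    if [ -n "$bad" ]; then
        echo "SUSPICIOUS: Dock Launchpad entry points elsewhere: $bad"; return 1
    fi
    return 0
}

# Constructed sample: an infected-looking home directory and a tampered Dock
# dump, so the checks can be exercised without touching a real machine.
make_sample() {
    d="$1"
    echo 'echo "payload placeholder"' > "$d/.zshrc_aliases"
    printf 'export PATH=$PATH:/usr/local/bin\nsource ~/.zshrc_aliases\n' > "$d/.zshrc"
    cat > "$d/dock.xml" <<'EOF'
<plist><dict><key>file-label</key><string>Launchpad</string>
<key>_CFURLString</key><string>file:///Users/dev/Library/Launchpad.app/</string>
</dict></plist>
EOF
}

# On a real Mac: check_zsh_persistence "$HOME"; check_launchpad_entry dock.xml
```

Either function returning 1 means a closer look at the file it names is warranted; a clean machine returns 0 from both.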