New XCSSET Malware Attacking macOS Users by Infecting Xcode Projects
Microsoft Threat Intelligence has identified an evolved iteration of the XCSSET malware family actively exploiting macOS developers via weaponized Xcode projects. This modular backdoor, first documented in 2020, now employs advanced obfuscation techniques, refined persistence mechanisms, and novel infection vectors to subvert Apple’s security frameworks and compromise software supply chains.
The 2024 variant introduces multi-layered encoding to evade static analysis. Where earlier versions relied on SHC-compiled shell scripts and run-only AppleScripts to hide their logic, the updated strain randomizes both the encoding scheme, choosing between Base64 and xxd hexdumps, and the number of encoding layers (between 5 and 9) each time it generates a payload. Because every generated payload differs byte for byte, each carries a different file hash, which defeats hash- and signature-based detection and forces analysts to peel the layers one at a time before the script can be read.
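As an added example (not code from Microsoft's report or from the malware), the following Python models that layered encoding and shows how an analyst can peel an unknown number of Base64/xxd layers without knowing their order in advance. The sample script, the 5 to 9 layer range, and the `xxd -p` style line wrapping are assumptions made for the demonstration.

```python
import base64
import binascii
import random
import re

# Constructed stand-in for the bootstrap shell script the real payload wraps.
SAMPLE_SCRIPT = b"#!/bin/sh\necho 'stage-2 would be fetched here'\n"

HEX_BODY = re.compile(rb"^[0-9a-f]+$")
B64_BODY = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def xxd_p(data: bytes) -> bytes:
    """Mimic `xxd -p`: lowercase hex, wrapped at 60 hex digits per line."""
    hexed = binascii.hexlify(data)
    lines = [hexed[i:i + 60] for i in range(0, len(hexed), 60)]
    return b"\n".join(lines) + b"\n"


def encode_layers(payload: bytes, rng: random.Random, min_iter: int = 5, max_iter: int = 9):
    """Wrap payload in a random count of randomly chosen base64/xxd layers
    (5-9 is the range reported for the 2024 variant; assumed here).
    Returns (blob, layers) with layers listed innermost first."""
    layers, blob = [], payload
    for _ in range(rng.randint(min_iter, max_iter)):
        kind = rng.choice(["base64", "xxd"])
        blob = base64.b64encode(blob) + b"\n" if kind == "base64" else xxd_p(blob)
        layers.append(kind)
    return blob, layers


def classify(blob: bytes):
    """Return 'xxd', 'base64' or None for the outermost layer of blob.
    Hex is tested first because every hex string is also valid base64 text;
    the reverse misclassification is astronomically unlikely for real sizes."""
    body = b"".join(blob.split())          # drop the line wrapping both tools emit
    if not body:
        return None
    if HEX_BODY.match(body) and len(body) % 2 == 0:
        return "xxd"
    if B64_BODY.match(body) and len(body) % 4 == 0:
        return "base64"
    return None


def peel(blob: bytes, max_layers: int = 32):
    """Strip layers until the data no longer looks encoded.
    Returns (plaintext, layers) with layers listed outermost first."""
    layers = []
    for _ in range(max_layers):
        kind = classify(blob)
        if kind is None:
            break
        body = b"".join(blob.split())
        blob = binascii.unhexlify(body) if kind == "xxd" else base64.b64decode(body)
        layers.append(kind)
    return blob, layers


def roundtrip(seed: int):
    """Encode the sample with a seeded RNG and decode it again; used by the demo."""
    blob, applied = encode_layers(SAMPLE_SCRIPT, random.Random(seed))
    plain, peeled = peel(blob)
    return applied, peeled, plain


if __name__ == "__main__":
    applied, peeled, plain = roundtrip(2024)   # fixed seed so the run is reproducible
    print("layers applied (inner->outer):", applied)
    print("layers peeled  (outer->inner):", peeled)
    print(plain.decode())
```

The decoder stops when the data is neither valid hex nor valid base64, which for a real sample is the point at which the shell or AppleScript source appears; raising `max_layers` costs nothing and guards against a variant that uses more iterations than reported.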
At the filesystem level, XCSSET now stages its components inside look-alike application bundles. Recent campaigns hide the primary executable (a.scpt) inside a counterfeit Notes.app placed in an unusual Library subdirectory such as ~/Library/Application Scripts/com.apple.CalendarAgent. The system-looking path helps the bundle blend in among legitimate per-app script folders, and because the bundle is compiled locally rather than downloaded it never carries the quarantine attribute, so Gatekeeper is never consulted.
Persistent Execution via Dual Mechanisms
The malware establishes persistence through two parallel methodologies:
Zshrc Injection : The malware writes its encoded payload to a hidden file, ~/.zshrc_aliases, and appends a line to ~/.zshrc that runs it. Because Zsh is the default macOS login shell, the payload re-executes every time the user opens a terminal session.
Dock API Manipulation : Using a signed dockutil binary fetched from its command-and-control (C2) servers, the malware replaces the legitimate Launchpad tile in the Dock with one that points at a fake Launchpad.app under its control. Clicking the Launchpad icon then runs the payload, which also opens the real Launchpad so nothing looks amiss to the user.
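Checking for both persistence mechanisms, as an added example rather than Microsoft's own detection logic: the functions below scan a zshrc for hooks that load hidden files and parse a com.apple.dock.plist for a Launchpad tile that points anywhere other than the system Launchpad. The sample zshrc, the Dock plist contents and the rogue path /Users/dev/Library/Caches/Launchpad.app are constructed for this example, not paths reported for the malware.

```python
import plistlib
import re
from urllib.parse import unquote, urlparse

# Where Launchpad legitimately lives (macOS 11+ and earlier releases respectively).
LEGIT_LAUNCHPAD = {"/System/Applications/Launchpad.app", "/Applications/Launchpad.app"}

# Constructed ~/.zshrc: two ordinary lines plus the hook described above.
SAMPLE_ZSHRC = """export PATH=$HOME/bin:$PATH
alias ll='ls -la'
[ -f ~/.zshrc_aliases ] && . ~/.zshrc_aliases
"""

# `source` or `.` followed by a path whose last component is a dotfile.
SOURCE_HIDDEN = re.compile(r"(?:^|[\s;&|])(?:source|\.)\s+\S*/\.[^\s/;&|]+")


def suspicious_zshrc_lines(text: str):
    """Return lines of a zshrc that load a hidden file or name the known dropper file.
    Benign tools (fzf, nvm, ...) also source dotfiles, so allowlist those on review."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if ".zshrc_aliases" in stripped or SOURCE_HIDDEN.search(stripped):
            hits.append(stripped)
    return hits


def build_sample_dock_plist(launchpad_url="file:///Users/dev/Library/Caches/Launchpad.app/") -> bytes:
    """Constructed com.apple.dock.plist with one genuine tile and one Launchpad tile
    whose target is chosen by the caller (rogue by default; the path is invented)."""
    def tile(label, url):
        return {"tile-data": {"file-label": label,
                              "file-data": {"_CFURLString": url, "_CFURLStringType": 15}}}
    dock = {"persistent-apps": [
        tile("Safari", "file:///Applications/Safari.app/"),
        tile("Launchpad", launchpad_url),
    ]}
    return plistlib.dumps(dock)


def rogue_launchpad_entries(plist_bytes: bytes):
    """Return filesystem paths of Dock tiles that present themselves as Launchpad
    but do not point at a legitimate Launchpad location."""
    dock = plistlib.loads(plist_bytes)
    rogue = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        url = data.get("file-data", {}).get("_CFURLString", "")
        path = unquote(urlparse(url).path).rstrip("/")
        looks_like_launchpad = data.get("file-label") == "Launchpad" or path.endswith("/Launchpad.app")
        if looks_like_launchpad and path not in LEGIT_LAUNCHPAD:
            rogue.append(path)
    return rogue


if __name__ == "__main__":
    # On a real Mac, read ~/.zshrc and ~/Library/Preferences/com.apple.dock.plist instead.
    print("zshrc hits:", suspicious_zshrc_lines(SAMPLE_ZSHRC))
    print("rogue Launchpad tiles:", rogue_launchpad_entries(build_sample_dock_plist()))
```

The Dock check keys on the tile's label as well as its path, so a tile labelled "Launchpad" that points at a bundle with a different name is still reported.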
Xcode Project Infection Methodologies
XCSSET’s updated replicator.applescript module employs three primary strategies to infiltrate Xcode workspaces:
TARGET Injection : Edits a target's build settings (around the TARGET_DEVICE_FAMILY key) so that a run-script build phase, named to look like a routine step such as “Copy Bundle Frameworks” or “Compile Swift Frameworks”, executes the malicious script during compilation; a build setting alone cannot run code, the injected script phase does.
RULE Exploitation : Injects build rules that trigger payload deployment before linking binaries, often disguised as legitimate code-signing operations.
FORCED_STRATEGY Payloads : Directly overwrites .pbxproj files to reference hidden assets containing Mach-O malware and bootstrap scripts.
These techniques enable supply chain attacks when developers share infected projects via GitHub or CocoaPods repositories, potentially compromising downstream applications.
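An audit of the file all three methods modify, as an added example (not the malware's replicator module and not a tool from Microsoft's report): the script scans project.pbxproj for run-script build phases and build rules whose scripts decode, eval, download, or pipe into a shell, or that reference hidden files. The pbxproj fragment, its object identifiers, phase names and scripts are all constructed for the example.

```python
import re

# Constructed project.pbxproj fragment: one ordinary run-script phase, one phase
# named like a routine step that hides a base64-decoded command, and a build rule
# that feeds a hidden file under Assets.xcassets to a shell. Not real malware.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
    objects = {
/* Begin PBXShellScriptBuildPhase section */
        A1B2C3D4E5F60718293A4B5C /* Run SwiftLint */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run SwiftLint";
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        0F1E2D3C4B5A69788796A5B4 /* Copy Bundle Frameworks */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Copy Bundle Frameworks";
            shellPath = /bin/sh;
            shellScript = "eval \"$(echo ZWNobyBoaQo= | base64 -D)\"\n";
        };
/* End PBXShellScriptBuildPhase section */
/* Begin PBXBuildRule section */
        5C4B3A291807F6E5D4C3B2A1 /* PBXBuildRule */ = {
            isa = PBXBuildRule;
            compilerSpec = com.apple.compilers.proxy.script;
            filePatterns = "*.swift";
            fileType = pattern.proxy;
            script = "xxd -p -r \"${SRCROOT}/Assets.xcassets/.build.file\" | sh\n";
        };
/* End PBXBuildRule section */
    };
}
'''

# pbxproj is an old-style plist; these regexes cover the two script-bearing object types.
SECTION = re.compile(r"/\* Begin (\w+) section \*/(.*?)/\* End \1 section \*/", re.S)
OBJECT = re.compile(r"([0-9A-F]{24}) /\* (.*?) \*/ = \{(.*?)\};", re.S)
NAME = re.compile(r'\bname = "?([^";]+)"?;')
SCRIPT = re.compile(r'\b(?:shellScript|script) = "((?:[^"\\]|\\.)*)";', re.S)

INDICATORS = {
    "base64 decode": re.compile(r"\bbase64\s+(?:-D|-d|--decode)\b"),
    "reverse hexdump": re.compile(r"\bxxd(?:\s+-\S+)*\s+-r\b"),
    "eval of generated text": re.compile(r"\beval\b"),
    "pipe into shell": re.compile(r"\|\s*(?:sh|bash|zsh|osascript)\b"),
    "downloader": re.compile(r"\b(?:curl|wget)\b"),
    "hidden path": re.compile(r"""/\.(?![./])[^\s/"']+"""),
}


def unescape(s: str) -> str:
    """Undo pbxproj string escaping (\\" \\n \\t \\\\)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def audit_pbxproj(text: str):
    """Return one finding per script phase or build rule that trips an indicator."""
    findings = []
    for sec in SECTION.finditer(text):
        section, body = sec.group(1), sec.group(2)
        if section not in ("PBXShellScriptBuildPhase", "PBXBuildRule"):
            continue
        for obj in OBJECT.finditer(body):
            comment, fields = obj.group(2), obj.group(3)
            name_m = NAME.search(fields)
            name = name_m.group(1) if name_m else comment
            script_m = SCRIPT.search(fields)
            if not script_m:
                continue
            script = unescape(script_m.group(1))
            reasons = sorted(k for k, rx in INDICATORS.items() if rx.search(script))
            if reasons:
                findings.append({"section": section, "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # For a real project: audit_pbxproj(open("App.xcodeproj/project.pbxproj").read())
    for f in audit_pbxproj(SAMPLE_PBXPROJ):
        print(f"{f['section']}: {f['name']!r} -> {', '.join(f['reasons'])}")
```

Run it in CI before the project is built, and treat any phase name that matches a stock Xcode step (such as Copy Bundle Frameworks) but carries a shell script as a finding in its own right, since Xcode never generates such a phase.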
Microsoft Defender for Endpoint now recognizes behavioral patterns associated with XCSSET’s updated modules, including:
- Anomalous AppleScript compilation events via osacompile -x -e targeting non-standard app bundles.
- Unscheduled writes to ~/Library/Caches/GeoServices/ or ~/Library/Caches/GitServices/ directories.
- Unexpected network traffic to newly registered C2 domains like superdocs.ru or gismolow.com.
Organizations should verify code signatures on all Xcode dependencies and watch for unauthorized additions to ~/.ssh/authorized_keys. Developers should audit project.pbxproj files for unfamiliar run-script build phases or build rules, and for hidden files inside .xcassets directories that hold executable payloads. As XCSSET continues to abuse macOS’s scripting ecosystem, the incident underscores the need for runtime behavioral protection alongside static analysis.
Microsoft also recommends enabling tamper protection in Defender for Endpoint so the agent cannot be disabled or reconfigured; tamper protection guards Defender itself, while the behavioral detections above are what flag injection into Xcode or Safari processes.
Zero-Day TCC Bypass Discovered in XCSSET Malware
The zero-day bypasses Apple’s TCC privacy protections by piggybacking on an installed application that already holds the relevant permission: the attacker plants a malicious app inside that donor app so it executes on the victim’s device under the donor’s grant, without ever prompting the user for approval.
In macOS 11.4 (released May 2021), Apple patched the exploited vulnerability, CVE-2021-30713, a bypass of the Transparency, Consent, and Control (TCC) framework. TCC governs which resources applications may access, for example granting video-conferencing software use of the webcam and microphone. The exploit let an attacker obtain Full Disk Access, Screen Recording, or other permissions without the explicit user consent TCC normally demands.
Upon initial discovery, notable features of the XCSSET malware included the utilization of two zero-day exploits to steal Safari browser cookies and bypass prompts to install a developer version of Safari. Jamf discovered that XCSSET has also been exploiting a third zero-day to bypass Apple’s TCC framework.
What is TCC?
From the user’s perspective, TCC is the prompt shown when a program attempts an action that requires explicit permission, such as reading the Documents folder or taking a screenshot. When an application attempts such an action, the user is asked to grant or deny permission, and the decision is remembered for later requests.
The Bypass
While dissecting the malware, Jamf Protect detection team members noted an AppleScript module titled “screen_sim.applescript.” Inside, they observed a check called “verifyCapturePermissions” being used, which takes an application ID as an argument.
This section of the script checks a list of installed applications for screen-capture permission. The malware uses the command-line Spotlight tool (mdfind) to discover whether specific bundle identifiers are present on the victim’s device. If any are found, the malware crafts a custom AppleScript application and drops it inside the donor application’s bundle.
The script then downloads the XCSSET AppleScript screenshot module from the author’s command-and-control (C2) server, compiles it into an AppleScript-based application, edits its Info.plist so it runs as a background process with no Dock icon, and hides its presence from the user.
Once all files are in place, the custom application will piggyback off of the parent application, allowing the malicious application to take screenshots or record the screen without explicit consent from the user. This represents a considerable privacy concern for end-users.
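A triage script for the artifact described above, as an added example (not Jamf's tooling): it walks an applications folder and reports any .app bundle nested inside another .app bundle, noting whether the inner bundle is an osacompile-style applet and whether its Info.plist asks to run without a Dock icon (LSUIElement). The directory tree, the names Donor.app and Helper.app, and the bundle identifier com.example.helper are constructed for the example.

```python
import os
import plistlib
import tempfile

# Files an osacompile-built applet carries; their presence marks an AppleScript app.
APPLET_MARKERS = ("Contents/MacOS/applet", "Contents/Resources/Scripts/main.scpt")


def find_nested_apps(root: str):
    """Walk root and report every .app bundle that sits inside another .app bundle.
    Each finding records whether it is an AppleScript applet and whether its
    Info.plist requests background-only execution (LSUIElement)."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if not d.endswith(".app"):
                continue
            inner = os.path.join(dirpath, d)
            rel = os.path.relpath(inner, root)
            outer = [p for p in rel.split(os.sep)[:-1] if p.endswith(".app")]
            if not outer:
                continue
            info = {}
            plist_path = os.path.join(inner, "Contents", "Info.plist")
            if os.path.isfile(plist_path):
                with open(plist_path, "rb") as fh:
                    info = plistlib.load(fh)
            # LSUIElement may be stored as a boolean or as the string "1".
            background = str(info.get("LSUIElement", "")).lower() in ("1", "true")
            findings.append({
                "outer": outer[-1],
                "inner": d,
                "applet": any(os.path.exists(os.path.join(inner, m)) for m in APPLET_MARKERS),
                "background_only": background,
            })
    return findings


def build_sample_tree(base: str) -> str:
    """Construct a fake Applications folder: a 'donor' app whose bundle contains a
    planted AppleScript applet, plus a clean app. Names are invented for the example."""
    apps = os.path.join(base, "Applications")
    os.makedirs(os.path.join(apps, "Clean.app", "Contents", "MacOS"))
    donor = os.path.join(apps, "Donor.app", "Contents")
    os.makedirs(os.path.join(donor, "MacOS"))
    applet = os.path.join(donor, "MacOS", "Helper.app", "Contents")
    os.makedirs(os.path.join(applet, "MacOS"))
    os.makedirs(os.path.join(applet, "Resources", "Scripts"))
    open(os.path.join(applet, "MacOS", "applet"), "wb").close()
    open(os.path.join(applet, "Resources", "Scripts", "main.scpt"), "wb").close()
    with open(os.path.join(applet, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "com.example.helper", "LSUIElement": True}, fh)
    return apps


def demo():
    """Build the sample tree in a temp dir and return what the scan finds."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_nested_apps(build_sample_tree(tmp))


if __name__ == "__main__":
    # On a real Mac: find_nested_apps("/Applications") and the user's ~/Applications.
    for f in demo():
        print(f)
```

Legitimate software does ship helper bundles inside its own bundle, so the signal is the combination: a nested applet, background-only, inside an app that holds Screen Recording permission.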
Indicators of Compromise (IoC)
During the research, Jamf found multiple sample hashes that VirusTotal had not previously seen, indicating that XCSSET has compromised more Xcode projects than were publicly known.
Command and Control Domains:
- trendmicronano.com
- findmymacs.com
- adoberelations.com
Filenames used in infected Xcode projects
- Assets.xcassets
- build.file
- xctool
XCSSET Mac Malware: Infects Xcode Projects, Uses 0Days
Further investigation led to the discovery of a developer’s Xcode project that contained the XCSSET source. The malware spreads primarily through Xcode projects and through applications built from infected projects. It poses a particular risk to Xcode developers, who unwittingly distribute the trojan to their users through compromised projects.
Once present on an affected system, XCSSET is capable of:
- Using exploits to steal user data from browsers like Safari.
- Taking screenshots of the user’s current screen.
- Uploading files from the affected machines to the attacker’s specified server.
- Encrypting files and showing a ransom note.
The distribution method is effective because the carrier is a project file rather than a binary: a developer who builds and ships an infected project distributes the trojan under their own name.
To protect systems from this type of threat, users should only download apps from official and legitimate marketplaces. Users can also consider multilayered security solutions such as Trend Micro Antivirus for Mac, which provides comprehensive security against cyberthreats.
GrackerAI is an AI-powered cybersecurity marketing platform designed to help organizations transform security news into strategic content opportunities. Explore our services or contact us at GrackerAI for more information.