FOCUS MODE
EXTRACT IOC
Threat Research

New XCSSET Malware Adds New Obfuscation and Persistence Techniques to Infect Xcode Projects | Microsoft Security Blog

microsoft
New XCSSET Malware Adds New Obfuscation and Persistence Techniques to Infect Xcode Projects | Microsoft Security Blog
A new variant of XCSSET malware has been discovered, which is specifically designed to infect macOS Xcode projects. This sophisticated malware utilizes advanced obfuscation, updated persistence techniques, and novel infection strategies to exfiltrate sensitive information, including digital wallet data. It operates in a stealthy manner, often remaining fileless, which complicates detection and removal efforts. Affected: macOS, Xcode, software developers

Keypoints :

  • A new variant of XCSSET macOS malware has been identified in the wild.
  • This variant features improved obfuscation and persistence mechanisms.
  • XCSSET targets Xcode projects, exploiting the file-sharing practices of developers.
  • It utilizes a modular approach with encoded payloads and error handling improvements.
  • Stealth tactics include low-profile execution and low-level interaction with the OS.
  • Malware uses scripting languages, UNIX commands, and legitimate binaries.
  • The new variant employs three distinct persistence techniques to remain active.
  • The command-and-control (C2) server is operational and downloads additional modules.
  • Sub-modules can steal system info, including browser extension data and notes.
  • Microsoft has shared its findings with Apple to enhance security measures.

MITRE Techniques :

  • T1195.001: Compromise Software Dependencies and Development Tools – Abusing Xcode projects.
  • T1059.002: AppleScript – Utilizing AppleScript for executing commands.
  • T1059.007: JavaScript – Employing JavaScript payloads for data theft.
  • T1059.004: Unix Shell – Executing shell commands during the infection process.
  • T1560: Archive Collected Data – Compiling stolen data for exfiltration.
  • T1005: Data from Local System – Extracting information from user systems.
  • T1041: Exfiltration Over C2 Channel – Sending data to the C2 server.
  • T1083: File and Directory Discovery – Scouting for user files and directories.
  • T1564.001: Hide Artifacts – Using hidden files and directories to evade detection.
  • T1140: Deobfuscate/Decode Files or Information – Decoding payloads during execution.

Indicator of Compromise :

  • [Domain] bulknames[.]ru
  • [Domain] castlenet[.]ru
  • [Domain] chaoping[.]ru
  • [Domain] devapple[.]ru
  • [SHA-256] d338dc9a75a14753f57399815b5d996a1c5e65aa4eb203222d8c85fb3d74b02f

Full Story: https://www.microsoft.com/en-us/security/blog/2025/03/11/new-xcsset-malware-adds-new-obfuscation-persistence-techniques-to-infect-xcode-projects/

Tags: TOOL, UNIX, SOCIAL MEDIA, DISCOVERY, EMAIL, HUNT, MACOS, LEARN