- Researchers found an updated variant of the XCSSET Malware targeting macOS systems.
- The malware now includes new methods for browser targeting, clipboard monitoring, and persistence.
- This version enhances encryption, uses stealthier AppleScripts, and collects data from Firefox browsers.
- It can change copied cryptocurrency wallet addresses to redirect transactions to attacker-controlled wallets.
- Users are advised to keep systems updated and be cautious with Xcode projects and clipboard content.
Researchers with the Microsoft Threat Intelligence team reported the discovery of a new variant of XCSSET, a sophisticated malware that targets Apple macOS. The malware, active in limited attacks, brings updates focusing on browser data theft, clipboard hijacking, and maintaining persistence on infected devices.
The updated XCSSET uses advanced encryption, obfuscation and run-only AppleScripts for stealth, according to Microsoft’s report published Thursday. It can now access and steal data from Mozilla Firefox browsers, and establishes persistence through LaunchDaemon entries, which help the malware stay active on a compromised system.
The new variant expands its data theft options and includes a clipper module that looks for cryptocurrency wallet addresses in the clipboard and swaps them with addresses controlled by attackers, Microsoft said. When users copy a cryptocurrency address, the malware detects this pattern and replaces it, aiming to redirect funds if a transaction occurs. The malware also uses a staged infection process, with the final stage involving an AppleScript app running commands to gather system information and activate modules via a function called boot().
Notable changes in this version include more checks for Firefox and modifications to detect the presence of the Telegram app. The malware’s structure now includes new modules: one for setting up LaunchDaemon (xmyyeqjx), another for Git-based persistence (jey), and a reworked information module that includes the clipboard hijacker (vexyeqj). It also uses a tool based on the open-source HackBrowserData project to extract Firefox data.
XCSSET targets Xcode projects—files used by developers to create macOS applications. While distribution methods are not fully known, sharing infected Xcode projects is believed to be the main route. Microsoft previously noted enhancements in XCSSET’s error handling and the use of multiple techniques to remain on a compromised host.
To reduce risk from XCSSET, experts recommend keeping operating systems up to date, carefully reviewing Xcode projects from third parties, and exercising care when copying sensitive cryptocurrency information.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Amazon to Pay $2.5B in FTC Settlement, 35M Prime Users Refunded
- Trump-Linked DeFi Project WLFI Launches Token Buyback After 41% Drop
- 7 Best Cryptocurrency Lending Platforms in 2025 (Ranked & Reviewed)
- XRP Eyes $5 Amid ETF Buzz, Despite Price Dip to $2 Range
- China Launches International Hub for Digital Yuan in Shanghai
