Microsoft researchers say the long-running XCSSET malware has resurfaced with a new arsenal of tricks aimed at stealing data, persisting on devices, and hijacking cryptocurrency transactions. The evolved variant shows how attackers continue to adapt malware that has already plagued Apple’s ecosystem for years.
Four Stages, New Tricks
The updated strain sticks to its established four-stage infection chain but refreshes its final stage with several new modules. The most notable change is that the XCSSET malware can now target Firefox users, not just Chrome. Attackers built a custom info-stealer that pulls passwords, cookies, history, and even stored credit card details from Mozilla’s browser.
That expansion widens the pool of potential victims. While Chrome dominates, Firefox still has tens of millions of users — many of them developers or security-conscious users who may not expect malware to zero in on their browser of choice.
The malware also steps up its persistence game. A new LaunchDaemon-based method plants a hidden file in user directories and disguises itself with fake “System Settings” apps. It even disables macOS software updates and Apple’s Rapid Security Response patches, a move designed to keep infected systems vulnerable for longer.
Clipboards Under Attack, Crypto Users Beware
Another upgrade hits crypto users where it hurts. The malware now monitors the clipboard for wallet addresses. If it sees a victim copy-pasting an address, it can swap in the attacker’s address instead — silently redirecting funds during a transfer.
Clipboard hijacking is not new in the malware world, but seeing it baked into a macOS campaign is something worth taking notes. For casual crypto users who rely on copy-paste transactions, the feature is a direct pipeline to theft.
Social Engineering Still the Entry Point
XCSSET’s initial delivery mechanism hasn’t changed. Its still Xcode projects. Developers who download or clone poisoned repositories risk running malicious code that pulls down the first-stage payload. From there, the four-stage chain unfolds.
It’s a clever distribution strategy because developers often share projects widely, and infected code can spread silently through Git repositories. The tactic also blurs the line between trusted and malicious software, making traditional defenses less effective.
Stage two builds persistence. Here, the malware modifies local project settings and environment variables, ensuring the infection survives project reloads and spreads if the tainted project is shared with others. At this point, the victim may not notice anything unusual — the developer workflow continues as normal.
Stage three is about escalation and reconnaissance. The malware retrieves additional scripts that probe the system for valuable data points: OS version, hardware details, active processes, and browsing profiles. It also establishes connections back to the command-and-control (C2) server, signaling that the machine is ready for more targeted payloads.
Only after these three stages does the fourth-stage boot script deploy the heavier modules — the part of XCSSET that Microsoft says has evolved most significantly.
A Malware That Keeps Adapting
Patrick Wardle, founder of Objective-See Foundation and author of the “The Art of Mac Malware” book series called XCSSET the most “insidious” Apple operating system malware. “XCSSET is one of the more insidious macOS malware specimens out and about right now,” he said.
XCSSET isn’t new. First documented in 2020, it has continually resurfaced with tweaks that help it evade detection and broaden its reach. The new variant doubles down on obfuscation, modular design, and reliance on AppleScript to execute commands. Those changes make the malware harder to analyze and give attackers flexibility to swap in or update modules as needed.
“The malware’s architecture allows it to adapt quickly to defender responses,” Microsoft’s Threat Intelligence team wrote. “Each new module represents another layer of capability attackers can deploy on demand.”
