Microsoft Threat Intelligence has uncovered an evolved version of the XCSSET malware family, which is actively exploiting macOS developers through weaponized Xcode projects. First identified in 2020, this modular backdoor has since undergone significant updates, including advanced obfuscation techniques, improved persistence mechanisms, and new infection vectors designed to bypass Apple’s security frameworks. The 2024 variant introduces multi-layered encoding strategies, such as randomizing encoding algorithms between Base64 and xxd hexdump, disrupting signature-based detection methods. These updates make the malware more resilient against static analysis and complicate reverse-engineering efforts, as each payload iteration generates distinct cryptographic fingerprints.
The malware’s infection strategies now include disguising the primary executable inside counterfeit applications, like Notes.app, placed in non-standard Library subdirectories. This tactic exploits macOS’s trust in these system-adjacent directories, bypassing Gatekeeper checks and ensuring the payload can run unnoticed. Additionally, XCSSET establishes persistence through two primary methods: appending malicious commands to the user’s ~/.zshrc file to trigger payload reactivation upon terminal initiation and manipulating the Dock API to execute the payload whenever the user interacts with the Dock, maintaining the appearance of normal system behavior.
XCSSET’s infection of Xcode projects relies on a set of sophisticated techniques that enable supply chain attacks.
These include TARGET Injection, which modifies build settings to trigger malicious scripts during compilation, and RULE Exploitation, where build rules are injected to deploy the payload before binaries are linked. The malware also uses FORCED_STRATEGY Payloads to overwrite project files and introduce hidden malware, which can be distributed through repositories like GitHub or CocoaPods. As developers unknowingly share infected projects, downstream applications may be compromised, expanding the reach of the attack.
Microsoft recommends that organizations enforce code-signing verification for all Xcode dependencies and carefully monitor for unauthorized SSH key generation in project files. To detect XCSSET activity, organizations should look for anomalous AppleScript compilation events and unexpected network traffic to newly registered command-and-control domains. Given XCSSET’s ability to exploit macOS’s scripting environments and evade traditional defenses, Microsoft also advises developers to enable tamper protection in Defender for Endpoint to block unauthorized injection attempts targeting applications like Xcode or Safari. The ongoing evolution of XCSSET underscores the importance of advanced runtime protections alongside static analysis tools in safeguarding macOS environments.
