XCSSET evolves again: Analyzing the latest updates to XCSSET's inventory
Essential information
- Published: 25/09/2025 16:27
- Modified: 25/09/2025 19:06
- Tags: 2025-09-25, applescript, browser-targeting, clipboard hijacking, firefox, launchdaemon, macos, persistence, xcode, xcsset
- Related entities: 31 observables, 7 techniques (MITRE)
Description
A new variant of the XCSSET malware, designed to infect Xcode projects, has been identified with key changes in browser targeting, clipboard hijacking, and persistence mechanisms. This variant employs sophisticated encryption and obfuscation techniques, uses run-only compiled AppleScripts for stealthy execution, and expands its data exfiltration capabilities to include Firefox browser data. It also adds another persistence mechanism through LaunchDaemon entries. The malware features a submodule that monitors the clipboard and substitutes cryptocurrency wallet addresses. The infection chain consists of four stages, with modifications to the boot function and the introduction of new modules. Changes include an additional check for the Firefox browser, modified logic for the Telegram existence check, and new info-stealer modules targeting Firefox data.