Infographic on XCSSET malware variant: macOS Xcode project icon with infection chain (4 stages), clipboard module showing wallet address replacement (e.g., regex match to attacker address), Firefox browser data extraction via HackBrowserData, LaunchDaemon

Microsoft Threat Intelligence detected a new XCSSET malware variant that targets macOS developers through infected Xcode projects, which spread when project files are shared between developers building Apple apps. This evolution adds Firefox data theft, advanced clipboard hijacking that swaps crypto wallet addresses, and LaunchDaemon persistence. Using AES encryption, obfuscated AppleScripts, and exfiltration of passwords, browsing history, payment cards, and cookies, it threatens the software supply chain.

The four-stage infection ends with modules such as vexyeqj's "bnk" AppleScript, which monitors the clipboard for wallet-address patterns, checks apps and clipboard changes, then substitutes the copied address with an attacker-controlled one. The iewmilh_cdyd module steals Firefox data via a modified HackBrowserData, compressing and chunking it before sending it to C2 servers. Other components include neq_cdyd_ilvcmwx for file theft, xmyyeqjx for fake "com.google." LaunchDaemons that disable macOS updates, and jey for stealthy Git-based persistence.

Mitigate by updating macOS/apps, vetting external Xcode files, and protecting crypto clipboard data. Microsoft suggests Edge's SmartScreen, Defender for Endpoint on Mac with cloud protection/sample submission, and network blocks on malicious domains. This variant highlights XCSSET's adaptations, urging developer vigilance.
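The clipboard-swap behaviour described above, and the mitigation of protecting crypto clipboard data, as an added example that is not code from Microsoft's report or from NPAV: a small macOS clipboard monitor that alerts when a wallet address is silently replaced by a different address of the same type within a short window, which is how a clipper behaves and how a person rarely does. The wallet-address patterns, the 2-second window, and the use of `pbpaste` for reading the clipboard are assumptions.

```python
import re
import subprocess
import time

# Constructed address patterns (assumption: typical formats a clipper targets;
# the report does not list the exact patterns the malware matches).
WALLET_PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the wallet type if the text is a bare wallet address, else None."""
    s = (text or "").strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


def is_suspicious_swap(previous, current, elapsed, window=2.0):
    """True when one wallet address was replaced by a different address of the
    same type within `window` seconds. A clipper rewrites the clipboard
    milliseconds after the user copies; a human copying two addresses in a
    row takes longer, so the window limits false positives (assumed value)."""
    kind_prev, kind_cur = classify(previous), classify(current)
    if kind_prev is None or kind_prev != kind_cur:
        return False
    return previous.strip() != current.strip() and elapsed <= window


def read_clipboard():
    """Current clipboard text via pbpaste (macOS only)."""
    return subprocess.run(["pbpaste"], capture_output=True, text=True).stdout


def watch(poll=0.5, window=2.0):
    """Poll the clipboard and alert on a suspicious same-type address swap."""
    last, seen_at = None, 0.0
    while True:
        cur = read_clipboard()
        now = time.monotonic()
        if cur != last:
            if is_suspicious_swap(last, cur, now - seen_at, window):
                print(f"ALERT: wallet address replaced: {last!r} -> {cur!r}")
            last, seen_at = cur, now
        time.sleep(poll)


if __name__ == "__main__":
    watch()
```

Run it in a terminal while using a wallet; an alert means the address you copied is no longer the address you are about to paste.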
 
NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security