
XCSSET macOS malware new variant with clipboard hijacking and persistence

Malware Activity
H score 34
2 unique sources, 2 articles

Summary


A new XCSSET macOS malware variant has been observed in limited attacks against Xcode projects used by developers. It expands browser data theft, including Firefox, and uses clipboard hijacking to replace cryptocurrency wallet or payment addresses. The variant also strengthens persistence on macOS with LaunchDaemon-based mechanisms and additional stealth features such as run-only compiled AppleScripts, encryption, obfuscation, and a fake System Settings.app lure. The activity increases the risk of credential theft, browser-data theft, and cryptocurrency diversion on infected systems.

Related Happenings

SHub Reaper macOS infostealer variant

Malware Activity
First: 19.05.2026 00:42 Last: 19.05.2026 00:42 Sources 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

GlassWorm OpenVSX sleeper extension campaign

Campaign
First: 28.04.2026 00:41 Last: 28.04.2026 00:41 Sources 1

About this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...

MiningDropper (BeatBanker) modular Android payload framework with encrypted staging

Technical Analysis
First: 24.04.2026 14:48 Last: 24.04.2026 14:48 Sources 1

About this happening: **MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...

GlassWorm Zig dropper infecting developer IDEs

Malware Activity
First: 10.04.2026 16:23 Last: 10.04.2026 16:23 Sources 1

About this happening: The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...

Atomic Stealer (AMOS) macOS ClickFix Script Editor activity

Malware Activity
First: 09.04.2026 14:20 Last: 09.04.2026 14:20 Sources 1

About this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...

Timeline

  1. 26.09.2025 12:09 2 articles · 8mo ago

    Updated XCSSET macOS malware variant is disclosed

    Initial Disclosure

    Microsoft Threat Intelligence disclosed an updated XCSSET macOS malware variant that was observed in limited attacks against Xcode projects used by software developers. The variant adds Firefox browser data theft, clipboard hijacking that replaces cryptocurrency wallet addresses, and a new LaunchDaemon persistence mechanism. It also uses run-only compiled AppleScripts, encryption, and obfuscation to keep its execution stealthy.

  2. 26.09.2025 01:49 2 articles · 8mo ago

    Microsoft details new XCSSET macOS variant

    Technical Analysis Update

    Microsoft Threat Intelligence reports a new XCSSET macOS malware variant seen in limited attacks against Xcode projects used by macOS developers. The variant adds Firefox data theft through a modified HackBrowserData build, clipboard hijacking that swaps cryptocurrency addresses, and stronger persistence using LaunchDaemon entries and a fake System Settings.app in /tmp. Microsoft also shared findings with Apple and is working with GitHub to remove associated repositories.
