CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

XCSSET macOS Malware Targets Xcode Developers with Enhanced Features

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

A new variant of the XCSSET macOS malware has been detected, targeting Xcode developers with enhanced features. This variant includes improved browser targeting, clipboard hijacking, and persistence mechanisms. The malware spreads by infecting Xcode projects, stealing cryptocurrency, and browser data from infected devices. The malware uses run-only compiled AppleScripts for stealthy execution and employs sophisticated encryption and obfuscation techniques. It incorporates new modules for data exfiltration, persistence, and clipboard monitoring. The malware has been observed in limited attacks, with Microsoft sharing findings with Apple and GitHub to mitigate the threat. Developers are advised to keep macOS and apps up to date and inspect Xcode projects before building them.

Timeline

  1. 26.09.2025 01:49 2 articles · 4d ago

    New XCSSET macOS Malware Variant Targets Xcode Developers

    The new variant of the XCSSET macOS malware has been observed in limited attacks. This variant includes improved browser targeting, clipboard hijacking, and persistence mechanisms. The malware uses run-only compiled AppleScripts for stealthy execution and employs sophisticated encryption and obfuscation techniques. It incorporates new modules for data exfiltration, persistence, and clipboard monitoring. The malware includes a clipper sub-module that monitors clipboard content for cryptocurrency wallet addresses. It also includes extra checks for the Mozilla Firefox browser and altered logic to determine the presence of the Telegram messaging app. The malware employs a boot() function for launching various sub-modules and includes a modified version of the HackBrowserData tool to steal Firefox data.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

New Obscura Ransomware Variant Encrypts Networks

A new ransomware variant named Obscura was discovered on August 29, 2025. It was found on multiple hosts within a victim organization, including the domain controller. The ransomware, written in Go, leverages the NETLOGON folder for propagation and targets specific processes and system configurations to maximize impact. The ransom note demands payment within 240 hours to prevent data leaks. The ransomware is notable for its use of advanced cryptography, system reconnaissance, and aggressive process termination. It also includes a filtering mechanism to avoid encrypting system-critical files while targeting user data. The ransomware was first detected by Huntress analysts, who observed its deployment across the network. The initial access vector remains unknown due to limited visibility.

Open in new tab

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

Open in new tab

New YiBackdoor Malware with Code Overlaps to IcedID and Latrodectus

A new malware family, YiBackdoor, has been identified. It shares significant code overlaps with IcedID and Latrodectus. YiBackdoor can execute arbitrary commands, collect system information, capture screenshots, and deploy plugins. It may be used in conjunction with Latrodectus and IcedID during attacks. YiBackdoor was first detected in June 2025 and is likely under development or testing. YiBackdoor features rudimentary anti-analysis techniques and uses the Windows Run registry key for persistence. It injects its core functionality into the svchost.exe process. The malware's command-and-control (C2) server is extracted from an embedded encrypted configuration, and it supports various commands for system manipulation and plugin management. The malware's limited deployment suggests it is still in development or testing phases.

Open in new tab

Stripe iframe skimmer campaign exploits payment iframes

A sophisticated skimmer campaign targeting Stripe payment iframes has compromised 49 merchants. Attackers use malicious overlays to bypass security policies and steal credit card data. The campaign exploits vulnerabilities in the host page, highlighting the risks of third-party scripts and outdated security measures. The attack leverages deprecated APIs and injects malicious JavaScript through platforms like WordPress. It demonstrates the need for real-time monitoring and updated security policies to protect payment iframes. The campaign underscores the importance of securing the entire payment page, as mandated by PCI DSS 4.0.1. Organizations must implement strict CSP, advanced iframe monitoring, and secure postMessage handling to mitigate these risks.

Open in new tab

ShadowV2 Botnet Exploits Misconfigured AWS Docker Containers for DDoS Attacks

The ShadowV2 botnet targets misconfigured Docker containers on Amazon Web Services (AWS) to deploy a Go-based malware, turning infected systems into nodes for a distributed denial-of-service (DDoS) botnet. This botnet is available for rent to conduct DDoS attacks, employing advanced techniques such as HTTP/2 Rapid Reset and bypassing Cloudflare's Under Attack mode. The botnet was detected on June 24, 2025, and is believed to be part of a DDoS-for-Hire service. The botnet uses a Python-based C2 framework hosted on GitHub Codespaces and a Go-based remote access trojan (RAT) for command execution and communication. The malware first spawns a generic setup container from an Ubuntu image, installs necessary tools, and then builds and deploys a live container. This approach may help avoid leaving forensic artifacts on the victim machine. The malware communicates with a C2 server to receive commands and conduct attacks. The botnet's dynamic container deployment allows highly configurable attacks while concealing activity behind cloud-native architecture. The botnet targets 24,000 IP addresses with port 2375 open, though not all are exploitable. The malware sends a heartbeat signal to the C2 server every second and polls for new attack commands every five seconds. The botnet is actively used, with observed commands to launch attacks against at least one website.

Open in new tab