
XCSSET Malware Returns with Advanced Clipboard Hijacking to Steal Crypto Wallets

A sophisticated new variant of the XCSSET malware is targeting macOS developers through infected Xcode projects, introducing dangerous clipboard hijacking capabilities designed to steal cryptocurrency wallet addresses, Microsoft Threat Intelligence researchers warned.

The malware specifically targets software developers building Apple and macOS applications, spreading through shared project files. When developers build infected Xcode projects, the malware silently activates and begins monitoring clipboard activity for cryptocurrency transactions.

The latest XCSSET variant employs a particularly insidious attack method: it monitors clipboard content and automatically replaces copied cryptocurrency wallet addresses with attacker-controlled addresses. The malware downloads configuration files containing regex patterns for various digital wallets, then substitutes legitimate addresses with predetermined ones belonging to cybercriminals.

"This variant features a submodule designed to monitor the clipboard and references a downloaded configuration file containing address regex patterns associated with various digital wallets," Microsoft researchers explained.
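As an added illustration of the detection side (example code, not Microsoft's analysis tooling or anything from the malware itself), the following Python flags clipboard changes consistent with the substitution described above: an address of one wallet type replaced by a different address of the same type within seconds of being copied. The address regexes, the two-second window and the sample poll log are assumptions constructed for this example.

```python
import re

# Address formats to watch (constructed for this example; the malware's own regex
# list is downloaded at runtime, per the article, and is not reproduced here).
WALLET_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the wallet type a clipboard string looks like, or None."""
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

def detect_substitution(snapshots, max_gap=2.0, trusted=frozenset()):
    """Scan (seconds, clipboard_text) samples from a poller and flag changes that
    look like hijacking: an address replaced by a different address of the same
    type within max_gap seconds, where the replacement is not a trusted address.
    Returns a list of (original, replacement) pairs."""
    alerts = []
    last_text, last_change_t = None, None  # most recent distinct content and when it appeared
    for t, raw in snapshots:
        text = raw.strip()
        if text == last_text:
            continue  # poller saw no change
        if last_text is not None:
            kind = classify(last_text)
            if (kind is not None and classify(text) == kind
                    and text not in trusted and t - last_change_t <= max_gap):
                alerts.append((last_text, text))
        last_text, last_change_t = text, t
    return alerts

# Constructed poll log (not real telemetry): the user copies BTC address A, and one
# second later the clipboard holds a different BTC address B with no user action.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (1.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),   # user copies address A
    (1.5, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),   # unchanged sample
    (2.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),   # swapped to B: flagged
    (10.0, "1CounterpartyXXXXXXXXXXXXXXXUWLpVr"),  # user copies address C 8 s later: not flagged
    (10.3, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),  # swapped to B again: flagged
]

if __name__ == "__main__":
    for original, replacement in detect_substitution(SAMPLE_SNAPSHOTS):
        print(f"possible clipboard hijack: {original} -> {replacement}")
```

A live monitor on macOS could feed the function by polling `pbpaste` at a fixed interval; the heuristic misses a swap that waits longer than `max_gap` and can misfire when a user copies two addresses in quick succession, which is what the trusted-address list is for.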

The malware uses sophisticated evasion techniques, including run-only compiled AppleScripts for stealthy execution and AES encryption to communicate with command-and-control servers. It has also expanded beyond Chrome and Safari to target Firefox browser data, stealing passwords, browsing history, and credit card information.

XCSSET's evolution represents a concerning trend in supply chain attacks targeting the developer ecosystem. By infecting development tools, the malware can potentially spread to end-user applications, creating a multiplier effect for cybercriminal operations.

The malware establishes multiple persistence mechanisms, including LaunchDaemon entries that survive system reboots and git-based persistence that embeds itself into version control workflows.

Developers should immediately inspect and verify any Xcode projects downloaded from repositories before building them. Microsoft recommends keeping operating systems updated, deploying security patches promptly, and exercising extreme caution when copying sensitive data like wallet addresses.

Microsoft Defender for Endpoint on Mac can detect and quarantine this threat, while Microsoft Defender SmartScreen helps block associated malicious websites across platforms.