Updated macOS malware variant uncovered by Microsoft


Microsoft has observed a previously dormant macOS malware that has become active once again in a new variant that is targeting Apple devices of all kinds.

Microsoft Threat Intelligence shared information about the malware in a post on X, indicating that it is a new version of XCSSET that originated in 2022. The security experts explained that the updated malware has “enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies.”

Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that targets users by infecting Xcode projects, in the wild. While we’re only seeing this new XCSSET variant in limited attacks at this time, we’re sharing this information… pic.twitter.com/oWfsIKxBzB

— Microsoft Threat Intelligence (@MsftSecIntel) February 17, 2025

TechRadar noted that the XCSSET malware is essentially an infostealer, with the ability to attack digital wallets, gather data from the Apple Notes app, and collect system information and files.

The malware is particularly dangerous because it uses infected projects in Apple’s Xcode platform to infiltrate devices. Xcode is the official integrated development environment (IDE) Apple provides for app creation for its various operating systems, including macOS, iOS, iPadOS, watchOS, and tvOS. The environment includes a code editor, debugger, Interface Builder, and tools for testing and deploying apps, the publication added.

As noted, the updated XCSSET variant adds new persistence methods that let the malware hide itself better within Xcode. It uses two techniques, called “zshrc” and “dock”. In the first, the malware creates a file, ~/.zshrc_aliases, which holds the infected payload. It then adds a command to the ~/.zshrc file so that the infected file is launched every time a new shell session is initiated, ensuring the malware continues to spread with each additional shell session.

With the second attack, the malware downloads “a signed dockutil tool from a command-and-control server to manage the dock items,” Microsoft explained. It then creates a fake Launchpad app and replaces the path entry for the real Launchpad app in the device’s dock. When a user opens Launchpad on an infected device, both the real Launchpad app and the malware’s version execute, effectively spreading XCSSET.
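The two persistence techniques described above leave artefacts a defender can look for: a ~/.zshrc_aliases file plus a line in ~/.zshrc that references it, and a dock tile labelled “Launchpad” whose bundle path is not the genuine system Launchpad. The script below is an added illustration of that hunt, not Microsoft’s code or anything from the campaign itself. It assumes the standard layout of the macOS dock preferences file (persistent-apps → tile-data → file-label / file-data → _CFURLString) and that the genuine Launchpad bundle lives under /System/Applications (or /Applications on older releases); the sample .zshrc and dock plist embedded in it are constructed so the checks can be exercised offline.

```python
#!/usr/bin/env python3
"""Hypothetical detection logic for the two XCSSET persistence techniques
(the ~/.zshrc_aliases hook and the swapped Launchpad dock entry).
Added illustration; not Microsoft's tooling."""
import os
import plistlib
import urllib.parse
from typing import List

ALIASES_FILE = ".zshrc_aliases"  # file name given in the article
# Where the genuine Launchpad bundle lives. Assumption: standard macOS layout,
# with /Applications/Launchpad.app covering older releases.
GENUINE_LAUNCHPAD = ("/System/Applications/Launchpad.app", "/Applications/Launchpad.app")


def check_zshrc(zshrc_text: str, aliases_file_exists: bool) -> List[str]:
    """Flag the 'zshrc' technique: a ~/.zshrc_aliases payload plus any ~/.zshrc
    line that references it. The article does not give the exact command the
    malware appends, so any mention of the file name is reported for review."""
    findings = []
    if aliases_file_exists:
        findings.append(f"~/{ALIASES_FILE} is present")
    for lineno, line in enumerate(zshrc_text.splitlines(), start=1):
        if ALIASES_FILE in line:
            findings.append(f"~/.zshrc line {lineno} references {ALIASES_FILE}: {line.strip()}")
    return findings


def check_dock_plist(plist_bytes: bytes) -> List[str]:
    """Flag the 'dock' technique: a persistent-apps tile labelled Launchpad whose
    bundle URL does not resolve to the genuine Launchpad location."""
    dock = plistlib.loads(plist_bytes)
    findings = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        label = data.get("file-label", "")
        url = data.get("file-data", {}).get("_CFURLString", "")
        # _CFURLString is a file:// URL; turn it back into a plain path.
        path = urllib.parse.unquote(urllib.parse.urlparse(url).path).rstrip("/")
        if label == "Launchpad" and path not in GENUINE_LAUNCHPAD:
            findings.append(f"dock tile 'Launchpad' points at {path}")
    return findings


# Constructed sample inputs (not real artefacts from the campaign).
SAMPLE_ZSHRC = """export PATH=$HOME/bin:$PATH
alias ll='ls -la'
source ~/.zshrc_aliases
"""

SAMPLE_DOCK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>persistent-apps</key><array>
    <dict><key>tile-data</key><dict>
      <key>file-label</key><string>Safari</string>
      <key>file-data</key><dict><key>_CFURLString</key><string>file:///Applications/Safari.app/</string></dict>
    </dict></dict>
    <dict><key>tile-data</key><dict>
      <key>file-label</key><string>Launchpad</string>
      <key>file-data</key><dict><key>_CFURLString</key><string>file:///Users/demo/Library/Application%20Support/Launchpad.app/</string></dict>
    </dict></dict>
  </array>
</dict></plist>
"""


def scan_home() -> List[str]:
    """Run both checks against the current user's real files (meaningful on macOS;
    on other systems the files are simply absent and nothing is reported)."""
    home = os.path.expanduser("~")
    zshrc = os.path.join(home, ".zshrc")
    text = ""
    if os.path.exists(zshrc):
        with open(zshrc, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    findings = check_zshrc(text, os.path.exists(os.path.join(home, ALIASES_FILE)))
    dock = os.path.join(home, "Library", "Preferences", "com.apple.dock.plist")
    if os.path.exists(dock):
        with open(dock, "rb") as fh:
            findings += check_dock_plist(fh.read())
    return findings


if __name__ == "__main__":
    for f in check_zshrc(SAMPLE_ZSHRC, True) + check_dock_plist(SAMPLE_DOCK_PLIST):
        print("SAMPLE:", f)
    for f in scan_home():
        print("LIVE:", f)
```

A hit from either check is a lead for triage, not proof of infection: a user may legitimately keep an aliases file, and the dock check only compares the stored path, so the fake bundle itself (and the signed dockutil copy the variant downloads) should still be collected and examined separately.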

Although Microsoft Threat Intelligence has only seen the new malware variant “in limited attacks,” it is sharing information about the threat so users and organizations can take precautionary measures.

Fionna Agomuoh
Fionna Agomuoh is a Computing Writer at Digital Trends. She covers a range of topics in the computing space, including…