Updated macOS malware variant uncovered by Microsoft


Microsoft has observed a previously dormant macOS malware that has become active once again in a new variant that is targeting Apple devices of all kinds.

Microsoft Threat Intelligence shared information about the malware in a post on X, indicating that it is a new version of XCSSET that originated in 2022. The security experts explained that the updated malware has “enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies.”

Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that targets users by infecting Xcode projects, in the wild. While we’re only seeing this new XCSSET variant in limited attacks at this time, we’re sharing this information… pic.twitter.com/oWfsIKxBzB

— Microsoft Threat Intelligence (@MsftSecIntel) February 17, 2025

TechRadar noted that the XCSSET malware is essentially an infostealer, with the ability to attack digital wallets, gather data from the Apple Notes app, and collect system information and files.

The malware is particularly dangerous because it uses infected projects in Apple’s Xcode platform to infiltrate devices. Xcode is the official integrated development environment (IDE) Apple provides for app creation for its various operating systems, including macOS, iOS, iPadOS, watchOS, and tvOS. The environment includes a code editor, debugger, Interface Builder, and tools for testing and deploying apps, the publication added.

As noted, the updated XCSSET variant includes processes that allow the malware to better obscure itself within Xcode. To do so, it uses two techniques, called “zshrc” and “dock”. In the first, the malware creates a file, ~/.zshrc_aliases, which holds the infected data. It then adds a command to the ~/.zshrc file that launches the infected file every time a new shell session is initiated. This ensures the malware continues to spread with additional shell sessions.

With the second technique, the malware downloads “a signed dockutil tool from a command-and-control server to manage the dock items,” Microsoft explained. After this, it creates a fake Launchpad app to replace the path entry for the actual Launchpad app on the device dock. When a user runs Launchpad on an infected device, both the actual Launchpad app and the malware version execute, effectively spreading XCSSET.
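A defender-side check for the two persistence techniques described above, added here as an example and not taken from Microsoft's report or the original article: it flags ~/.zshrc_aliases and any active ~/.zshrc line that refers to it, plus Dock tiles that look like Launchpad but point outside Apple's install paths. The Dock preference file and key names, the expected Launchpad locations, and the sample home directory built by `constructed_home()` are assumptions that do not appear in the article.

```python
import plistlib
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlparse

# Assumption: locations where Apple ships the real Launchpad.app.
APPLE_LAUNCHPAD = {"/System/Applications/Launchpad.app", "/Applications/Launchpad.app"}

def check_zshrc(home):
    """Flag ~/.zshrc_aliases and any active ~/.zshrc line that refers to it."""
    findings = ["~/.zshrc_aliases exists"] if (home / ".zshrc_aliases").exists() else []
    zshrc = home / ".zshrc"
    if zshrc.is_file():
        for n, line in enumerate(zshrc.read_text(errors="replace").splitlines(), 1):
            if ".zshrc_aliases" in line and not line.lstrip().startswith("#"):
                findings.append(f"~/.zshrc:{n} loads it: {line.strip()}")
    return findings

def check_dock(home):
    """Flag Dock tiles that look like Launchpad but point outside Apple's paths."""
    plist = home / "Library/Preferences/com.apple.dock.plist"
    if not plist.is_file():
        return []
    findings = []
    tiles = plistlib.loads(plist.read_bytes()).get("persistent-apps", [])
    for tile in tiles:
        data = tile.get("tile-data", {})
        label = data.get("file-label", "")
        url = data.get("file-data", {}).get("_CFURLString", "")
        path = unquote(urlparse(url).path).rstrip("/")
        if "launchpad" in f"{label} {path}".lower() and path not in APPLE_LAUNCHPAD:
            findings.append(f"Dock tile {label!r} points to {path}")
    return findings

def constructed_home():
    """Build a throwaway home directory holding constructed sample artifacts."""
    home = Path(tempfile.mkdtemp())
    (home / ".zshrc_aliases").write_text("# constructed placeholder\n")
    (home / ".zshrc").write_text("export EDITOR=vim\nsource ~/.zshrc_aliases\n")
    prefs = home / "Library/Preferences"
    prefs.mkdir(parents=True)
    tile = {"file-label": "Launchpad",  # constructed path, not from the report
            "file-data": {"_CFURLString": "file:///Users/Shared/Launchpad.app/"}}
    (prefs / "com.apple.dock.plist").write_bytes(
        plistlib.dumps({"persistent-apps": [{"tile-data": tile}]}))
    return home

if __name__ == "__main__":
    print("\n".join(check_zshrc(Path.home()) + check_dock(Path.home())))
```

A hit is a prompt for manual review, not a verdict: some users keep their own alias file under that name.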

Microsoft Threat Intelligence explained that although it has only seen the new malware variant “in limited attacks,” it is sharing information about the threat so users and organizations can take precautionary measures.

Fionna Agomuoh
Fionna Agomuoh is a Computing Writer at Digital Trends. She covers a range of topics in the computing space, including…