
Enhanced Stealth for macOS Malware Swapping Bitcoin Addresses
Microsoft Threat Intelligence experts have identified a new variant of the XCSSET malware targeting macOS devices, capable of swapping cryptocurrency wallet addresses. The malware spreads through infected projects in the Xcode development environment.
Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that targets users by infecting Xcode projects, in the wild. While we’re only seeing this new XCSSET variant in limited attacks at this time, we’re sharing this information… pic.twitter.com/oWfsIKxBzB
— Microsoft Threat Intelligence (@MsftSecIntel) February 17, 2025
The updated version features enhanced obfuscation techniques, additional persistence mechanisms, and updated infection strategies.
Specifically, to evade detection, the new XCSSET variant employs a more randomized approach to generating the payloads it plants in Xcode projects.
“While older variants used only xxd for encoding, the latest also includes Base64. At the code level, module names are obfuscated, making it difficult to determine the modules’ intentions,” experts reported.
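A defender-side check for the encoding trick described above, as an added example (not Microsoft's or ForkLog's code): it scans a constructed project.pbxproj fragment for shell-script build phases that pipe an embedded hex or Base64 blob through xxd -r or base64 -d and reports what the blob decodes to. It assumes the injected payload lives in a PBXShellScriptBuildPhase; that layout, the pattern names, and the sample are assumptions of this example.

```python
import base64
import re

# Constructed sample: a project.pbxproj fragment with a Run Script build phase
# whose shellScript hides commands behind xxd and base64 decoding.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		A1B2C3D4 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "echo 6563686f2068656c6c6f | xxd -r -p | sh; echo ZWNobyB3b3JsZA== | base64 -d | sh";
		};
/* End PBXShellScriptBuildPhase section */
'''

# Decoder invocations that a clean build script rarely needs (assumed indicators).
SUSPICIOUS = {
    "xxd-decode": re.compile(r"\bxxd\s+-r\b"),
    "base64-decode": re.compile(r"\bbase64\s+(-d|-D|--decode)\b"),
}
# Literal blobs piped straight into a decoder.
HEX_BLOB = re.compile(r"\b([0-9a-fA-F]{8,})\s*\|\s*xxd\s+-r")
B64_BLOB = re.compile(r"\b([A-Za-z0-9+/]{8,}={0,2})\s*\|\s*base64")
# The quoted shellScript value of each build phase (backslash escapes allowed).
SCRIPT = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"', re.S)

def scan_pbxproj(text):
    """Return one finding per shellScript build phase that decodes an embedded blob."""
    findings = []
    for m in SCRIPT.finditer(text):
        # Undo the two escapes pbxproj uses inside quoted strings.
        script = m.group(1).replace('\\"', '"').replace("\\n", "\n")
        hits = [name for name, pat in SUSPICIOUS.items() if pat.search(script)]
        if not hits:
            continue
        decoded = []
        for blob in HEX_BLOB.findall(script):
            decoded.append(bytes.fromhex(blob).decode("utf-8", "replace"))
        for blob in B64_BLOB.findall(script):
            try:
                decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
            except ValueError:
                pass  # not valid Base64; the decoder call itself is still reported
        findings.append({"techniques": hits, "decoded": decoded})
    return findings

if __name__ == "__main__":
    for f in scan_pbxproj(SAMPLE_PBXPROJ):
        print(f)
```

Run it against the project.pbxproj of any downloaded Xcode project; a build phase that decodes a literal blob before executing it deserves a manual look.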
The malware was first discovered in 2020. Its functions include taking screenshots, recording user actions, and stealing information from Telegram accounts, data from the Notes app, system information, and files.
Additionally, XCSSET can alter and swap cryptocurrency addresses across various networks.
Microsoft noted that the updated malware variant has so far been used only in “limited attacks.” Nonetheless, the company deemed it necessary to alert organizations to prevent potential threats.
Developers are advised to thoroughly check any downloaded Xcode projects and install applications only from trusted sources.
Earlier, ForkLog reported that researchers discovered a crypto key stealer in a Steam game.