{"id":21314,"date":"2025-02-19T17:59:54","date_gmt":"2025-02-19T15:59:54","guid":{"rendered":"https:\/\/forklog.com\/en\/enhanced-stealth-for-macos-malware-swapping-bitcoin-addresses\/"},"modified":"2025-02-19T17:59:54","modified_gmt":"2025-02-19T15:59:54","slug":"enhanced-stealth-for-macos-malware-swapping-bitcoin-addresses","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/enhanced-stealth-for-macos-malware-swapping-bitcoin-addresses\/","title":{"rendered":"Enhanced Stealth for macOS Malware Swapping Bitcoin Addresses"},"content":{"rendered":"<p>Microsoft Threat Intelligence has identified a new variant of the XCSSET malware targeting macOS devices, capable of swapping cryptocurrency wallet addresses. The malware spreads through infected projects for Apple's Xcode development environment.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that targets users by infecting Xcode projects, in the wild. While we\u2019re only seeing this new XCSSET variant in limited attacks at this time, we\u2019re sharing this information\u2026 <a href=\"https:\/\/t.co\/oWfsIKxBzB\">pic.twitter.com\/oWfsIKxBzB<\/a><\/p>\n<p>\u2014 Microsoft Threat Intelligence (@MsftSecIntel) <a href=\"https:\/\/twitter.com\/MsftSecIntel\/status\/1891410993265123662?ref_src=twsrc%5Etfw\">February 17, 2025<\/a><\/p><\/blockquote>\n<p>The updated version features enhanced <span data-descr=\"code obfuscation\" class=\"old_tooltip\">obfuscation<\/span> techniques, additional persistence mechanisms, and new infection strategies.<\/p>\n<p>Specifically, to evade detection, the new XCSSET variant uses a more randomized approach to generating the payloads it injects into Xcode projects. 
<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\n<cite>\u201cWhile older variants used only <span data-descr=\"hexadecimal dump\" class=\"old_tooltip\">xxd<\/span> for encoding, the latest also includes Base64. At the code level, module names are obfuscated, making it difficult to determine the modules&#8217; intentions,\u201d the researchers reported. <\/cite><\/p><\/blockquote>\n<p>XCSSET was first discovered in 2020. Its capabilities include taking screenshots, recording user activity, and stealing Telegram account data, Notes app content, system information and files.<\/p>\n<p>It can also alter and swap cryptocurrency addresses across various networks.<\/p>\n<p>Microsoft noted that the updated variant has so far been seen only in \u201climited attacks.\u201d Nonetheless, the company chose to alert organizations so they can defend against it.<\/p>\n<p>Developers are advised to thoroughly inspect any downloaded Xcode projects before building them and to install applications only from trusted sources.<\/p>\n<p>Earlier, ForkLog reported that researchers discovered a crypto key stealer in a Steam game.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Threat Intelligence has identified a new variant of the XCSSET malware targeting macOS devices, capable of swapping cryptocurrency wallet addresses. The malware spreads through infected projects for Apple's Xcode development environment. 
Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that targets users by infecting Xcode projects, in [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":21313,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1112,44,57],"class_list":["post-21314","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-apple","tag-cybercrime","tag-wallets"],"aioseo_notices":[],"amp_enabled":true,"views":"12","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/21314","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=21314"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/21314\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/21313"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=21314"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=21314"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=21314"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
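The article's advice to inspect downloaded Xcode projects can be partly automated. The scanner below is an added example, not Microsoft's, Apple's or ForkLog's tooling. It assumes, as in previously documented XCSSET infections, that the loader sits in a project's Run Script build phase (a PBXShellScriptBuildPhase entry in project.pbxproj) and that it decodes an xxd or Base64 blob and pipes the result into a shell, which is exactly the xxd/Base64 encoding the quoted researchers describe. The heuristic regexes and the sample project text are constructed for this example; obfuscated variants will need more rules than these.

```python
"""Flag XCSSET-style decode-and-execute loaders in an Xcode project.pbxproj.

Added illustrative checker (not Microsoft's or Apple's tooling). It assumes the
loader lives in a PBXShellScriptBuildPhase, the place earlier documented XCSSET
infections used; the regexes and the sample project text are constructed here.
"""
import re
import sys
from pathlib import Path

# A PBXShellScriptBuildPhase block, lazily matched up to its shellScript value,
# which pbxproj stores as a C-style quoted string (backslash escapes inside).
_PHASE_RE = re.compile(
    r'isa = PBXShellScriptBuildPhase;.*?shellScript = "((?:[^"\\]|\\.)*)";',
    re.S,
)

_ESCAPES = {"n": "\n", "t": "\t"}

# Heuristic rules (assumptions for this example, not an official IOC list):
# a blob decoded with xxd -r or base64 -d/-D and piped into a shell or
# interpreter, eval of such a decode, or a very long inline hex blob.
_SUSPICIOUS = [
    ("xxd-decode-exec",
     re.compile(r"xxd\s+-r(?:\s+-p)?.*?\|\s*(?:sh|bash|zsh|python3?|perl)\b", re.S)),
    ("base64-decode-exec",
     re.compile(r"base64\s+(?:-d|--decode|-D).*?\|\s*(?:sh|bash|zsh|python3?|perl)\b", re.S)),
    ("eval-of-decoded",
     re.compile(r"eval\s+.*?\$\(\s*(?:xxd|base64)\b", re.S)),
    ("long-hex-blob", re.compile(r"[0-9a-fA-F]{200,}")),
]


def _unescape(raw: str) -> str:
    """Undo pbxproj string escaping (backslash-n, backslash-quote, double backslash)."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), raw, flags=re.S)


def extract_run_scripts(pbxproj_text: str) -> list[str]:
    """Return the decoded body of every Run Script build phase, in file order."""
    return [_unescape(m.group(1)) for m in _PHASE_RE.finditer(pbxproj_text)]


def scan_run_scripts(pbxproj_text: str) -> list[tuple[int, str, str]]:
    """Return (phase_index, rule_name, matched_snippet) for each heuristic hit."""
    findings = []
    for idx, script in enumerate(extract_run_scripts(pbxproj_text)):
        for name, rx in _SUSPICIOUS:
            m = rx.search(script)
            if m:
                findings.append((idx, name, m.group(0)[:80]))
    return findings


# Constructed sample: one benign SwiftLint phase and one phase that decodes
# blobs with xxd and base64 and pipes them to sh (both blobs just `echo hello`).
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        1A2B3C /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then\n  swiftlint\nfi\n";
        };
        4D5E6F /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "echo 6563686f2068656c6c6f | xxd -r -p | sh\necho ZWNobyBoZWxsbw== | base64 -D | sh\n";
        };
/* End PBXShellScriptBuildPhase section */
'''


def main(argv: list[str]) -> int:
    """Scan the project.pbxproj paths given on the command line, or the sample."""
    texts = {p: Path(p).read_text(errors="replace") for p in argv[1:]} or {"<sample>": SAMPLE_PBXPROJ}
    hits = 0
    for path, text in texts.items():
        for idx, name, snippet in scan_run_scripts(text):
            hits += 1
            print(f"{path}: run-script phase #{idx}: {name}: {snippet!r}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 scan_pbxproj.py MyApp.xcodeproj/project.pbxproj` before opening a project you did not author; a non-zero exit means at least one run-script phase matched. The rules deliberately target the decode-then-pipe shape rather than specific strings, since the article notes the new variant randomizes its payload and obfuscates module names, so exact-string indicators age quickly.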