{
	"id": "dd5ec684-cf5e-4188-b815-a86c1a91992c",
	"created_at": "2026-04-06T00:19:02.524043Z",
	"updated_at": "2026-04-10T03:24:29.164132Z",
	"deleted_at": null,
	"sha1_hash": "a2984730dd8e6ceaad99b070422c25b04f280692",
	"title": "Updated XCSSET Malware Targets Telegram, Other Apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2792883,
	"plain_text": "Updated XCSSET Malware Targets Telegram, Other Apps\r\nBy Mickey Jin, Steven Du\r\nPublished: 2021-07-22 · Archived: 2026-04-05 23:36:19 UTC\r\nMalware\r\nIn our last update on the XCSSET campaign, we described some of its updated features targeting the latest macOS 11 (Big Sur). Since then, the campaign has added more features to its toolset, which we have continually monitored. We have also discovered the mechanism used to steal information from various apps, a behavior that has been present since we first discussed XCSSET.\r\nBy: Mickey Jin, Steven Du Jul 22, 2021 Read time: 5 min (1218 words)\r\nHow XCSSET Malware Steals Information\r\nFrom the first version of XCSSET, we noticed that it collects some data from various apps and sends it back to its command-and-control (C\u0026C) server. However, we did not know how the threat actor would use the data. We recently found the mechanism used to steal the data, and learned that it contains valuable and sensitive information that can be used for various purposes.\r\nTake the malicious AppleScript file “telegram.applescript” as an example. As the name implies, Telegram is the target app in this case. Its main logic is compressing the folder “~/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram” into a .ZIP file, and uploading the said file to a C\u0026C server.\r\nFigure 1. Code of telegram.applescript\r\nTo find the purpose of collecting the folder, we performed a simple test using two Mac machines:\r\n1. Install Telegram on both machine A and machine B.\r\n2. On machine A, log in with a valid Telegram account. Do nothing using Telegram on machine B.\r\n3. Copy the “~/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram” folder from machine A to machine B, replacing the existing folder.\r\n4. Run Telegram on machine B. When this is done, it is already logged in with the same account used on machine A.\r\nOn macOS, the application sandbox directories ~/Library/Containers/com.xxx.xxx and ~/Library/Group Containers/com.xxx.xxx can be accessed (with read/write permissions) by ordinary users. This differs from the practice on iOS. Not all executable files are sandboxed on macOS, which means a simple script can steal all the data stored in the sandbox directory. We recommend that application developers refrain from storing sensitive data in the sandbox directory, particularly data related to login information.\r\nSensitive data targeted by XCSSET\r\nXCSSET malware has stolen a great deal of critical private data from these applications, most of it stored in their sandbox directories. Here, we’ll show how it is done in Chrome.\r\nIn Chrome, the stolen data includes any passwords stored by the user. To dump the data, XCSSET needs to get the safe_storage_key using the command security find-generic-password -wa ‘Chrome’. However, this command requires root privileges. To get around this requirement, the malware puts all the operations that need root privilege together in a single function, as seen in Figure 2:\r\nFigure 2. Operations requiring administrator privilege\r\nThe user is then prompted to grant these privileges via a fake dialog box.\r\nOnce it has obtained the Chrome safe_storage_key, it decrypts all the sensitive data and uploads it to the C\u0026C server.\r\nFigure 3. Information stealing code targeting Google Chrome\r\nFigure 4. Information stealing code targeting Google Chrome\r\nSimilar scripts can be found targeting the following applications:\r\nContacts\r\nEvernote\r\nNotes\r\nOpera\r\nSkype\r\nWeChat\r\nNew C\u0026C Domains\r\nFrom April 20 to 22, 2021, some new domain names appeared; all of them resolve to the IP address 94.130.27.189, which XCSSET also used before.\r\natecasec.com\r\nlinebrand.xyz\r\nmantrucks.xyz\r\nmonotal.xyz\r\nnodeline.xyz\r\nsidelink.xyz\r\nSimilarly, the domain name below, which previously resolved to a non-malicious IP address, now resolves to 94.130.27.189.\r\nicloudserv.com\r\nAll these new domain names have an HTTPS certificate from “Let’s Encrypt,” which is valid from April 22 to July 21, 2021.\r\nFigure 5. HTTPS certificate for C\u0026C servers\r\nFrom April 22, 2021, onwards, all C\u0026C domain names resolved to 194.87.186.66. On May 1, a new domain name (irc-nbg.v001.com) resolved to the original C\u0026C IP address 94.130.27.189. This new domain name suggests that an IRC server is now located at the said IP address, which does not appear to be currently related to XCSSET.\r\nFrom June 9 to 10, 2021, all existing domain names related to XCSSET C\u0026C servers were removed. Instead, the following new domain names were added:\r\natecasec.info\r\ndatasomatic.ru\r\nicloudserv.ru\r\nlucidapps.info\r\nrelativedata.ru\r\nrevokecert.ru\r\nsafariperks.ru\r\nHowever, on June 24, these servers were taken offline by the attackers. Currently, we have been unable to locate the new servers of XCSSET.\r\nOther Behavior Changes\r\nBootstrap.applescript\r\nIn bootstrap.applescript, the first noteworthy change is the use of the latest C\u0026C domains:\r\nFigure 6. C\u0026C domains used\r\nNote that aside from the available domain names, the IP address is also part of the list. Even if all the domains are suddenly shut down in the future, the C\u0026C server can still be reached via the IP address.\r\nFigure 7. Modules in use\r\nA new module, “canary,” is added to perform XSS injection on the Chrome Canary browser from Google, which is an experimental version of the Chrome browser.\r\nFigure 8. Modules in use, showing removed module\r\nCompared to the last version, the call to “screen_sim” is removed.\r\nReplicator.applescript\r\nAs the first step of infecting local Xcode projects, starting with the last version, they changed the injected build phase or build rule’s ID from a hardcoded ID to a randomly generated ID; however, the last six characters of the ID were still hardcoded as “AAC43A”. In the latest version, the hardcoded postfix changed to “6D902C”.\r\nFigure 9. Changed postfix\r\nRegarding the logic of the script in injecting the fake build phase and build rule: previously, it called a malicious Mach-O file located in a hidden folder in the infected Xcode project. Now, it calls the curl command to download a shell script named “a” from the C\u0026C server and passes its contents to “sh” to execute it. This way, any newly infected Xcode projects from the latest version will not contain additional malicious files.\r\nFigure 10. Code for downloading and running the shell script\r\nHere are the contents of the shell script file downloaded from the C\u0026C server. It downloads the landing Mach-O component Pods from the C\u0026C server, saves it as /tmp/exec.$$, adds an executable flag, and executes it.\r\nFigure 11. Downloaded code\r\nSame as before, the Mach-O file, “Pods,” is generated by the SHC tool. The primary logic of the shell script extracted from it is quite similar to the one used before. The following screenshots list some of the notable changes.\r\nFigure 12. The working folder changed from “GemeKit” to “GeoServices”\r\nFigure 13. The fake app’s name changed from Xcode.app to Mail.app\r\nFigure 14. Temp files are created for debugging\r\nDefending against XCSSET\r\nThe changes we’ve encountered in XCSSET do not reflect a fundamental change in its behavior but do constitute refinements in its tactics. The discovery of how it can steal information from various apps highlights the degree to which the malware aggressively attempts to steal various kinds of information from affected systems.\r\nTo protect systems from this type of threat, users should only download apps from official and legitimate marketplaces. Users can also consider multilayered security solutions such as Trend Micro Maximum Security products, which provide comprehensive security and multidevice protection against cyberthreats.\r\nEnterprises can take advantage of Trend Micro’s Smart Protection Suites products with XGen™ security, which infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity or endpoint.\r\nIndicators of Compromise\r\nFile Name | SHA256 | Trend Micro Detection Name\r\nbootstrap.applescript | f453e8ae426133ace544cd4bb1ab2435620a8d4d5f70b936d8f3118e22f254e8 | Trojan.macOS.XCSSET.\r\nreplicator.applescript | 7a51fd3080ee5f65c9127603683718a3fd4f3e0b13de6141824908a6d3d4b558 | Trojan.macOS.XCSSET.\r\nPods | bbcc8a101ae0e7fc546dab235387b0bf7461e097578fedcb25c4195bc973f895 | Trojan.macOS.XCSSET.\r\na | d8f14247ef18edaaae2c20dee975cd98a914b47548105cfbd30febefe2fa2a6b | Trojan.macOS.XCSSET.\r\nC\u0026C Servers\r\n194.87.186.66\r\natecasec.info\r\ndatasomatic.ru\r\nicloudserv.ru\r\nlucidapps.info\r\nrelativedata.ru\r\nrevokecert.ru\r\nsafariperks.ru\r\nSource: https://www.trendmicro.com/en_us/research/21/g/updated-xcsset-malware-targets-telegram--other-apps.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/g/updated-xcsset-malware-targets-telegram--other-apps.html"
	],
	"report_names": [
		"updated-xcsset-malware-targets-telegram--other-apps.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434742,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2984730dd8e6ceaad99b070422c25b04f280692.pdf",
		"text": "https://archive.orkl.eu/a2984730dd8e6ceaad99b070422c25b04f280692.txt",
		"img": "https://archive.orkl.eu/a2984730dd8e6ceaad99b070422c25b04f280692.jpg"
	}
}