{
	"id": "680e7a06-5cab-4d75-9185-c578f36e4b72",
	"created_at": "2026-04-06T00:07:22.537309Z",
	"updated_at": "2026-04-10T03:20:55.561645Z",
	"deleted_at": null,
	"sha1_hash": "ab7a876fb891606198f175b54de7dd017834fe74",
	"title": "XCSSET Mac Malware Infects Xcode Projects Uses 0Days",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45072,
	"plain_text": "XCSSET Mac Malware Infects Xcode Projects Uses 0Days\r\nPublished: 2020-08-13 · Archived: 2026-04-05 20:13:16 UTC\r\nWe have discovered an unusual infection related to Xcode developer projects. Upon further investigation, we found that a developer’s Xcode project at large contained the source malware, which leads to a rabbit hole of malicious payloads. Most notable in our investigation is the discovery of two zero-day exploits: one is used to steal cookies via a flaw in the behavior of Data Vaults, the other is used to abuse the development version of Safari.\r\nThis scenario is quite unusual: malicious code is injected into local Xcode projects so that when the project is built, the malicious code runs. This poses a risk for Xcode developers in particular. The threat escalates because we have identified affected developers who shared their projects on GitHub, leading to a supply-chain-like attack on users who rely on these repositories as dependencies in their own projects. We have also identified this threat in sources such as VirusTotal, which indicates that it is at large.\r\nThis blog summarizes the findings on this threat, while its accompanying technical brief contains the full details of the attack. We detect the entry threat as TrojanSpy.MacOS.XCSSET.A and its command and control (C\u0026C) related files as Backdoor.MacOS.XCSSET.A.\r\nThis threat primarily spreads via Xcode projects and via maliciously modified applications created by the malware. It is not yet clear how the threat initially enters these systems; presumably, they are primarily systems used by developers. The Xcode projects have been modified such that, upon building, they run malicious code. This eventually leads to the main XCSSET malware being dropped and run on the affected system. 
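The build-time hook described above is something a developer can audit before the first build of a cloned project. The Python script that follows is an added example, not code from the Trend Micro post or its technical brief: it lists every run-script build phase in a project.pbxproj (the place where an Xcode project can run arbitrary shell commands during a build), flags scripts that launch hidden files or files named in the IOC table later in this post, and hashes files from the checkout against that table’s SHA256 values. The pbxproj excerpt embedded in it is constructed for the example, the flagging heuristics are the editor’s own, and the parser assumes Xcode’s own formatting of the file (isa line directly under the object header, shellScript on one quoted line).

```python
'''Pre-build audit for a cloned Xcode project. Added example, not code from
the Trend Micro post: it lists every run-script build phase in project.pbxproj
(where a project can run arbitrary shell during a build), flags scripts that
launch hidden files or IOC-named files, and hashes files against the post's
SHA256 IOC list. The sample pbxproj text and the heuristics are constructed.'''
import hashlib

DQ = chr(34)  # double-quote character: delimits pbxproj strings
BS = chr(92)  # backslash character: the escape character inside them

# SHA256 values copied from the post's IOC table.
XCSSET_SHA256 = {
    '6fa938770e83ef2e177e8adf4a2ea3d2d5b26107c30f9d85c3d1a557db2aed41',
    '7e5343362fceeae3f44c7ca640571a1b148364c4ba296ab6f8d264fc2c62cb61',
    '857dc86528d0ec8f5938680e6f89d846541a41d62f71d003b74b0c55d645cda7',
    '6614978ab256f922d7b6dbd7cc15c6136819f4bcfb5a0fead480561f0df54ca6',
    'ac3467a04eeb552d92651af1187bdc795100ea77a7a1ac755b4681c654b54692',
    'd11a549e6bc913c78673f4e142e577f372311404766be8a3153792de9f00f6c1',
    '532837d19b6446a64cb8b199c9406fd46aa94c3fe41111a373426b9ce59f56f9',
    '4f78afd616bfefaa780771e69a71915e67ee6dbcdc1bc98587e219e120f3ea0d',
    '819ba3c3ef77d00eae1afa8d2db055813190c3d133de2c2c837699a0988d6493',
    '73f203b5e37cf34e51f7bf457b0db8e4d2524f81e41102da7a26f5590ab32cd9',
    'ccc2e6de03c0f3315b9e8e05967fcc791d063a392277f063980d3a1b39db2079',
    '6622887a849b503b120cfef8cd76cd2631a5d0978116444a9cb92b1493e42c29',
    '32fa0cdb46f204fc370c86c3e93fa01e5f5cb5a460407333c24dc79953206443',
    '924a89866ea55ee932dabb304f851187d97806ab60865a04ccd91a0d1b992246',
    'af3a2c0d14cc51cc8615da4d99f33110f95b7091111d20bdba40c91ef759b4d7',
    '534f453238cfc4bb13fda70ed2cda701f3fb52b5d81de9d8d00da74bc97ec7f6',
    '172eb05a2f72cb89e38be3ac91fd13929ee536073d1fe576bc8b8d8d6ec6c262',
    'a238ed8a801e48300169afae7d27b5e49a946661ed91fab4f792e99243fbc28d',
}
# Filenames from the IOC table; a build script that executes one of these from
# inside the checkout deserves a close look.
IOC_FILENAMES = {'main.scpt', 'xcassets', 'speedd', 'firefoxd', 'operad', 'yandexd',
                 'edged', 'braved', 'agentd', 'agentd-kill', 'agentd-log', 'dskwalp',
                 'chkdsk', 'Pods_shad'}
SUSPICIOUS_TOKENS = ('curl ', 'base64', 'eval ', 'osascript', 'xattr -d', 'chmod +x')

# Constructed project.pbxproj excerpt: one ordinary lint phase and one phase that
# launches a hidden file. @ stands for the double quote and ~ for the backslash.
SAMPLE_PBXPROJ = '''
    objects = {
        2B3C4D5E6F708192A3B4C5D6 /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = @if which swiftlint >/dev/null; then swiftlint; fi~n@;
        };
        3C4D5E6F708192A3B4C5D6E7 = {
            isa = PBXShellScriptBuildPhase;
            shellScript = @cd ~@${SRCROOT}~@; chmod +x .hidden/xcassets; ./.hidden/xcassets &~n@;
        };
    };
'''.replace('~', BS).replace('@', DQ)

def unescape_pbx(value):
    '''Decode pbxproj string escapes: backslash followed by n, t, quote or backslash.'''
    out, i = [], 0
    while i < len(value):
        if value[i] == BS and i + 1 < len(value):
            out.append({'n': chr(10), 't': chr(9)}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)

def run_script_phases(pbxproj_text):
    '''Return [(object_id, shell_path, script)] for each PBXShellScriptBuildPhase.'''
    phases, obj_id, in_phase, shell = [], None, False, '/bin/sh'
    for raw in pbxproj_text.splitlines():
        line = raw.strip()
        if line.endswith('= {'):  # start of an object: remember its id, reset state
            obj_id, in_phase, shell = line.split()[0], False, '/bin/sh'
        elif line == 'isa = PBXShellScriptBuildPhase;':
            in_phase = True
        elif in_phase and line.startswith('shellPath = '):
            shell = line[len('shellPath = '):].rstrip(';').strip(DQ)
        elif in_phase and line.startswith('shellScript = '):
            quoted = line[len('shellScript = '):].rstrip(';')
            phases.append((obj_id, shell, unescape_pbx(quoted[1:-1])))
            in_phase = False
    return phases

def flag_phase(script):
    '''Reasons a run script looks like a payload launcher (constructed heuristics).'''
    reasons = set()
    for word in script.split():
        parts = word.strip(DQ + chr(39) + '();&').split('/')
        for part in parts:
            if part.startswith('.') and part not in ('.', '..'):
                reasons.add('hidden path component: ' + part)
        if parts[-1] in IOC_FILENAMES:
            reasons.add('references an IOC filename: ' + parts[-1])
    for token in SUSPICIOUS_TOKENS:
        if token in script:
            reasons.add('uses ' + token.strip())
    return sorted(reasons)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def match_iocs(files):
    '''files: iterable of (path, bytes); return the paths whose SHA256 is an IOC.'''
    return [path for path, data in files if sha256_hex(data) in XCSSET_SHA256]
```

On a real checkout, feed run_script_phases the contents of YourApp.xcodeproj/project.pbxproj and read every phase it returns, not only the flagged ones; feed match_iocs an os.walk over the repository including dotfiles and dot-directories, since a phase can only launch what is already in the tree. A clean result from either check is not proof of a clean project (the heuristics are narrow and the hash list covers only the samples in the post), but a run-script phase that nobody on the team added is reason enough to stop before pressing Build.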
Infected users are also exposed to theft of their credentials, accounts, and other vital data.\r\nOnce present on an affected system, XCSSET is capable of the following behavior:\r\n- Using exploits, it abuses Safari and other installed browsers to steal user data. In particular, it uses a vulnerability to read and dump Safari cookies, and it uses the Safari development version to inject JavaScript backdoors into websites via a Universal Cross-Site Scripting (UXSS) attack.\r\n- It steals information from the user’s Evernote, Notes, Skype, Telegram, QQ, and WeChat apps.\r\n- It takes screenshots of the user’s current screen.\r\n- It uploads files from the affected machine to the attacker-specified server.\r\n- It encrypts files and shows a ransom note, if commanded by the server.\r\nBecause the UXSS attack injects arbitrary JavaScript, it is theoretically capable of modifying almost every part of the user’s browsing experience. These modifications include:\r\n- Modifying displayed websites\r\n- Modifying or replacing Bitcoin/cryptocurrency addresses\r\n- Stealing amoCRM, Apple ID, Google, PayPal, SIPMarket, and Yandex credentials\r\n- Stealing credit card information from the Apple Store\r\n- Blocking the user from changing passwords, while also stealing newly modified passwords\r\n- Capturing screenshots of certain accessed sites\r\nThe method of distribution used can only be described as clever. 
Affected developers will unwittingly distribute the malicious trojan to their users in the form of the compromised Xcode projects, and methods to verify the distributed file (such as checking hashes) would not help, as the developers themselves are unaware that they are distributing malicious files.\r\nFurther details of this attack may be found in its related technical brief.\r\nTrend Micro Solutions\r\nTo protect systems from this type of threat, users should only download apps from official and legitimate marketplaces. Users can also consider multilayered security solutions such as Trend Micro Antivirus for Mac, which provides comprehensive security and multidevice protection against cyberthreats.\r\nEnterprises can take advantage of Trend Micro’s Smart Protection Suites with XGen™ security, which infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity or endpoint.\r\nIndicators of Compromise\r\nSHA256  Filename  Detection\r\n6fa938770e83ef2e177e8adf4a2ea3d2d5b26107c30f9d85c3d1a557db2aed41  main.scpt  TrojanSpy.MacOS.XCSSET.A\r\n7e5343362fceeae3f44c7ca640571a1b148364c4ba296ab6f8d264fc2c62cb61  main.scpt  TrojanSpy.MacOS.XCSSET.A\r\n857dc86528d0ec8f5938680e6f89d846541a41d62f71d003b74b0c55d645cda7  main.scpt  TrojanSpy.MacOS.XCSSET.A\r\n6614978ab256f922d7b6dbd7cc15c6136819f4bcfb5a0fead480561f0df54ca6  xcassets  TrojanSpy.MacOS.XCSSET.A\r\nac3467a04eeb552d92651af1187bdc795100ea77a7a1ac755b4681c654b54692  xcassets  TrojanSpy.MacOS.XCSSET.A\r\nd11a549e6bc913c78673f4e142e577f372311404766be8a3153792de9f00f6c1  xcassets  TrojanSpy.MacOS.XCSSET.A\r\n532837d19b6446a64cb8b199c9406fd46aa94c3fe41111a373426b9ce59f56f9  speedd  Backdoor.MacOS.XCSSET.A\r\n4f78afd616bfefaa780771e69a71915e67ee6dbcdc1bc98587e219e120f3ea0d  firefoxd  Backdoor.MacOS.XCSSET.A\r\n819ba3c3ef77d00eae1afa8d2db055813190c3d133de2c2c837699a0988d6493  operad  Backdoor.MacOS.XCSSET.A\r\n73f203b5e37cf34e51f7bf457b0db8e4d2524f81e41102da7a26f5590ab32cd9  yandexd  Backdoor.MacOS.XCSSET.A\r\nccc2e6de03c0f3315b9e8e05967fcc791d063a392277f063980d3a1b39db2079  edged  Backdoor.MacOS.XCSSET.A\r\n6622887a849b503b120cfef8cd76cd2631a5d0978116444a9cb92b1493e42c29  braved  Backdoor.MacOS.XCSSET.A\r\n32fa0cdb46f204fc370c86c3e93fa01e5f5cb5a460407333c24dc79953206443  agentd  Backdoor.MacOS.XCSSET.A\r\n924a89866ea55ee932dabb304f851187d97806ab60865a04ccd91a0d1b992246  agentd-kill  Backdoor.MacOS.XCSSET.A\r\naf3a2c0d14cc51cc8615da4d99f33110f95b7091111d20bdba40c91ef759b4d7  agentd-log  Backdoor.MacOS.XCSSET.A\r\n534f453238cfc4bb13fda70ed2cda701f3fb52b5d81de9d8d00da74bc97ec7f6  dskwalp  Trojan.MacOS.XCSSET.A\r\n172eb05a2f72cb89e38be3ac91fd13929ee536073d1fe576bc8b8d8d6ec6c262  chkdsk  Trojan.MacOS.XCSSET.A\r\na238ed8a801e48300169afae7d27b5e49a946661ed91fab4f792e99243fbc28d  Pods_shad  Trojan.MacOS.XCSSET.A\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/"
	],
	"report_names": [
		"xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits"
	],
	"threat_actors": [],
	"ts_created_at": 1775434042,
	"ts_updated_at": 1775791255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab7a876fb891606198f175b54de7dd017834fe74.pdf",
		"text": "https://archive.orkl.eu/ab7a876fb891606198f175b54de7dd017834fe74.txt",
		"img": "https://archive.orkl.eu/ab7a876fb891606198f175b54de7dd017834fe74.jpg"
	}
}