{
	"id": "0e3b5f7a-7ab3-4fb3-8dc8-a4cf9de26064",
	"created_at": "2026-04-06T00:19:15.275463Z",
	"updated_at": "2026-04-10T13:11:43.718511Z",
	"deleted_at": null,
	"sha1_hash": "fd046e1ae9c1698477f292c56b959fabbbb62743",
	"title": "XLoader's Latest Trick | New macOS Variant Disguised as Signed OfficeNote App",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3810066,
	"plain_text": "XLoader's Latest Trick | New macOS Variant Disguised as Signed OfficeNote App\r\nBy Dinesh Devadoss \u0026 Phil Stokes\r\nPublished: 2023-08-21 · Archived: 2026-04-05 14:22:55 UTC\r\nXLoader is a long-running malware-as-a-service infostealer and botnet that has been around in some form or another since 2015. Its first macOS variant was spotted in 2021 and was notable for being distributed as a Java program. As we noted at the time, the Java Runtime Environment hasn’t shipped by default on macOS since the days of Snow Leopard, meaning the malware was limited in its targeting to environments where Java had been optionally installed.\r\nNow, however, XLoader has returned in a new form and without the dependencies. Written natively in C and Objective-C and signed with an Apple developer signature, XLoader is now masquerading as an office productivity app called ‘OfficeNote’.\r\nIn this post, we examine how this new variant works and provide indicators for threat hunters and security teams. SentinelOne customers are automatically protected from this new variant of XLoader.\r\nXLoader Distribution\r\nThe new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg. The application contained within is signed with the developer signature MAIT JAKHU (54YDV8NU9C).\r\nhttps://www.sentinelone.com/blog/xloaders-latest-trick-new-macos-variant-disguised-as-signed-officenote-app/\r\nPage 1 of 7\r\nThe application was signed on 17 July, 2023; however, Apple has since revoked the signature. 
Despite that, our tests indicate that Apple’s malware blocking tool, XProtect, does not have a signature to prevent execution of this malware at the time of writing.\r\nOfficeNote’s revoked Apple Developer signature.\r\nMultiple submissions of this sample have appeared on VirusTotal throughout July, indicating that the malware has been widely distributed in the wild.\r\nXLoader submissions to VirusTotal, July 2023\r\nAdvertisements on crimeware forums offer the Mac version for rental at $199/month or $299/3 months. Interestingly, this is relatively expensive compared to Windows variants of XLoader, which go for $59/month and $129/3 months.\r\nXLoader Dropper and Persistence Module\r\nWhen executed, the OfficeNote application is hardcoded to throw an error message indicating that the application is non-functional. Meanwhile, the malware drops its payload and installs a persistence agent, behavior that is immediately detected by the SentinelOne agent.\r\nXLoader is immediately detected as a threat by the SentinelOne agent\r\nThis error message is hardcoded using a stack string technique, typical of previous versions of XLoader.\r\nHardcoded error message constructed on the stack\r\nAt this point, however, the malware has already been busy dropping the payload and LaunchAgent. The payload is deposited in the user’s home directory as ~/73a470tO and executed. It creates a hidden directory and constructs a barebones minimal app within it, using a copy of itself for the main executable. Although the name of the payload is hardcoded into the dropper, the names of the hidden directory, app and executable are randomized on each execution.\r\nExecution of OfficeNote and creation of a hidden application as seen in the SentinelOne console\r\nMeanwhile, a LaunchAgent is also dropped in the user’s Library folder. This agent is similar to that used in the previous version of XLoader, providing a start value to the executable so that the binary can distinguish its first run from subsequent runs.\r\nXLoader LaunchAgent for persistence\r\nXLoader Payload Behavior\r\nAs in previous versions, the malware attempts to steal secrets from the user’s clipboard via Apple’s NSPasteboard API (generalPasteboard). It targets both Chrome and Firefox, reading the login.json file located under ~/Library/Application Support/Firefox/Profiles for Firefox and ~/Library/Application Support/Google/Chrome/Default/Login Data for Chrome. As with other infostealers we’ve observed recently, Safari is not targeted.\r\nXLoader uses a variety of dummy network calls to disguise the real C2. We observed 169 DNS name resolutions and 203 HTTP requests. Among the many hosts the malware contacts are the following suspicious or malicious IP addresses.\r\n23[.]227.38[.]74\r\n62[.]72.14[.]220\r\n66[.]29.151[.]121\r\n104[.]21.26[.]182\r\n104[.]21.32[.]235\r\n104[.]21.34[.]62\r\n137[.]220.225[.]17\r\n142[.]251.163[.]121\r\nXLoader also attempts to evade both manual and automated analysis. Both the dropper and payload binaries attempt to prevent debuggers from attaching by calling ptrace with PT_DENY_ATTACH (0x1f).\r\nXLoader attempts to prevent analysts reverse engineering the malware\r\nOn execution, the malware runs sleep commands to delay its behavior in the hope of fooling automated analysis tools. The binaries are stripped and exhibit high entropy in an attempt to similarly thwart static analysis.\r\nThe XLoader binaries exhibit high entropy in the __text section\r\nConclusion\r\nXLoader continues to present a threat to macOS users and businesses. This latest iteration, masquerading as an office productivity application, shows that the targets of interest are clearly users in a working environment. The malware attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise.\r\nIT and security teams are advised to deploy a trusted third-party security solution to prevent and detect malware such as XLoader. To see how SentinelOne can help protect the macOS devices in your fleet, contact us or request a free demo.\r\nIndicators of Compromise\r\nSHA1  Description\r\n26fd638334c9c1bd111c528745c10d00aa77249d  Mach-O Payload\r\n47cacf7497c92aab6cded8e59d2104215d8fab86  Mach-O Dropper\r\n5946452d1537cf2a0e28c77fa278554ce631223c  Disk Image\r\n958147ab54ee433ac57809b0e8fd94f811d523ba  Mach-O Payload\r\nFile Paths\r\n~/73a470tO\r\nDeveloper ID\r\nMAIT JAKHU (54YDV8NU9C)\r\nNetwork Communications\r\n23[.]227.38[.]74\r\n62[.]72.14[.]220\r\n66[.]29.151[.]121\r\n104[.]21.26[.]182\r\n104[.]21.32[.]235\r\n104[.]21.34[.]62\r\n137[.]220.225[.]17\r\n142[.]251.163[.]121\r\nwww[.]activ-ketodietakjsy620[.]cloud\r\nwww[.]akrsnamchi[.]com\r\nwww[.]brioche-amsterdam[.]com\r\nwww[.]corkagenexus[.]com\r\nwww[.]growind[.]info\r\nwww[.]hatch[.]computer\r\nwww[.]kiavisa[.]com\r\nwww[.]lushespets[.]com\r\nwww[.]mommachic[.]com\r\nwww[.]nationalrecoveryllc[.]com\r\nwww[.]pinksugarpopmontana[.]com\r\nwww[.]qhsbobfv[.]top\r\nwww[.]qq9122[.]com\r\nwww[.]raveready[.]shop\r\nwww[.]spv88[.]online\r\nwww[.]switchmerge[.]com\r\nSource: https://www.sentinelone.com/blog/xloaders-latest-trick-new-macos-variant-disguised-as-signed-officenote-app/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/blog/xloaders-latest-trick-new-macos-variant-disguised-as-signed-officenote-app/"
	],
	"report_names": [
		"xloaders-latest-trick-new-macos-variant-disguised-as-signed-officenote-app"
	],
	"threat_actors": [],
	"ts_created_at": 1775434755,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd046e1ae9c1698477f292c56b959fabbbb62743.pdf",
		"text": "https://archive.orkl.eu/fd046e1ae9c1698477f292c56b959fabbbb62743.txt",
		"img": "https://archive.orkl.eu/fd046e1ae9c1698477f292c56b959fabbbb62743.jpg"
	}
}
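The "XLoader Dropper and Persistence Module" section of the archived post describes a per-user LaunchAgent whose program is a copy of the payload inside a randomly named hidden app bundle under the home directory, handed a start value so the binary can tell a first run from later ones. The hunting script below is an added example written for this page; it is not code from the SentinelOne post and not SentinelOne's detection logic. Its heuristics (hidden directory under $HOME, app bundle outside the usual application folders, a com.apple.* label in a user agent, RunAtLoad/KeepAlive, extra arguments) are the editor's assumptions, and the two embedded plists are constructed for the demo with invented labels, directory names and arguments. The only value taken from the post is the ~/73a470tO indicator.

```python
"""Hunt for per-user LaunchAgents that resemble XLoader's persistence.

Added example (editor's own code, not from the SentinelOne post). Heuristics are
assumptions; the embedded plists are constructed and their names are invented.
"""
import glob
import os
import plistlib
from pathlib import PurePosixPath

# Constructed: the shape of a suspicious agent. Nothing here is XLoader's real
# (randomized) naming; the label, directory and "start" argument are invented.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.helper.demo</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/alice/.Qx7vK2/Qx7vK2.app/Contents/MacOS/Qx7vK2</string>
    <string>start</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed: an ordinary vendor updater, for contrast.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Assumption: app bundles launched from anywhere else deserve a second look.
TRUSTED_APP_ROOTS = ("/Applications/", "/System/", "/Library/", "/usr/")

# File path reported as an indicator of compromise in the post.
KNOWN_IOC_PATHS = ("73a470tO",)


def assess(plist: dict, home: str) -> dict:
    """Score one launchd agent dictionary; returns findings and a verdict."""
    findings = []
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    program = plist.get("Program") or (args[0] if args else None)
    if not program:
        return {"program": None, "findings": ["no Program or ProgramArguments"], "suspicious": False}

    parts = PurePosixPath(program).parts
    home_parts = PurePosixPath(home).parts
    rel = parts[len(home_parts):] if parts[:len(home_parts)] == home_parts else ()
    hidden = [p for p in rel if p.startswith(".")]          # e.g. ~/.Qx7vK2/...
    if hidden:
        findings.append("program inside hidden home directory: " + "/".join(hidden))

    in_bundle = any(p.endswith(".app") for p in parts)
    user_apps = home.rstrip("/") + "/Applications/"
    odd_bundle = in_bundle and not program.startswith(TRUSTED_APP_ROOTS + (user_apps,))
    if odd_bundle:
        findings.append("app bundle outside the usual application folders")

    if str(plist.get("Label", "")).startswith("com.apple."):
        findings.append("com.apple.* label in a per-user agent (Apple's own agents live under /System)")

    autostart = bool(plist.get("RunAtLoad") or plist.get("KeepAlive"))
    if autostart:
        findings.append("RunAtLoad/KeepAlive set")
    if len(args) > 1:                                        # the post mentions a start value
        findings.append("arguments passed to the program: " + " ".join(args[1:]))

    return {"program": program, "findings": findings,
            "suspicious": bool(hidden) or (odd_bundle and autostart)}


def assess_bytes(data: bytes, home: str) -> dict:
    """Convenience wrapper: parse XML or binary plist bytes, then assess."""
    return assess(plistlib.loads(data), home)


def scan_launch_agents(home: str) -> list:
    """Assess every plist in <home>/Library/LaunchAgents, the folder the post names."""
    results = []
    for path in sorted(glob.glob(os.path.join(home, "Library", "LaunchAgents", "*.plist"))):
        with open(path, "rb") as fh:
            try:
                result = assess(plistlib.load(fh), home)
            except Exception as exc:                         # unparseable plists are odd too
                result = {"program": None, "findings": [f"unparseable: {exc}"], "suspicious": True}
        results.append({"path": path, **result})
    return results


def existing_ioc_paths(home: str) -> list:
    """Return the known dropper/payload paths from the post that exist under home."""
    return [p for p in (os.path.join(home, n) for n in KNOWN_IOC_PATHS) if os.path.exists(p)]


if __name__ == "__main__":
    home = os.path.expanduser("~")
    demo = {"path": "<constructed demo>", **assess_bytes(SUSPICIOUS_PLIST, "/Users/alice")}
    for r in scan_launch_agents(home) + [demo]:
        print(("SUSPICIOUS" if r["suspicious"] else "ok").ljust(10), r["path"], r["program"])
        for f in r["findings"]:
            print("           -", f)
    for p in existing_ioc_paths(home):
        print("IOC present:", p)
```

Run it as the user whose agents you want to inspect; launchd reads ~/Library/LaunchAgents per user, so a fleet-wide sweep has to iterate over every home directory. Treat the verdict as a triage queue, not a signature: a legitimate app that installs itself into a dotted folder will trip the hidden-directory rule, and a real sample can simply pick a different combination.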
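The post's anti-analysis section notes that the XLoader dropper and payload are stripped and show high entropy in their __text section. The script below is an added example, the editor's own code rather than anything from the SentinelOne post or from the malware: it parses a thin 64-bit Mach-O by walking its load commands, locates the __TEXT,__text section and reports the section's Shannon entropy, which is the static check that claim rests on. The 7.0 bits/byte threshold is an assumption to be tuned against your own clean corpus, and the minimal Mach-O the script builds for the offline demo is constructed here (it is not a real sample). Universal (fat) binaries must be thinned first, for example with lipo -thin, since only the thin 64-bit header is handled.

```python
"""Entropy triage for a stripped Mach-O: locate __TEXT,__text and measure it.

Added example (editor's own code, not from the SentinelOne post). Handles thin
64-bit Mach-O files only; the threshold and the synthetic sample are assumptions.
"""
import math
import random
import struct
import sys
from collections import Counter

MH_MAGIC_64 = 0xFEEDFACF      # little-endian 64-bit Mach-O magic
LC_SEGMENT_64 = 0x19
ENTROPY_THRESHOLD = 7.0       # assumption: ordinary compiled code usually sits well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_text_section(blob: bytes):
    """Return (file_offset, size) of __TEXT,__text in a thin 64-bit Mach-O, else None."""
    if len(blob) < 32 or struct.unpack_from("<I", blob, 0)[0] != MH_MAGIC_64:
        return None
    ncmds = struct.unpack_from("<I", blob, 16)[0]
    off = 32                                    # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmd == LC_SEGMENT_64:
            segname = blob[off + 8:off + 24].rstrip(b"\0")
            nsects = struct.unpack_from("<I", blob, off + 64)[0]
            sect = off + 72                     # sizeof(segment_command_64)
            for _ in range(nsects):
                sectname = blob[sect:sect + 16].rstrip(b"\0")
                size, offset = struct.unpack_from("<QI", blob, sect + 40)  # section_64.size, .offset
                if segname == b"__TEXT" and sectname == b"__text":
                    return offset, size
                sect += 80                      # sizeof(section_64)
        off += cmdsize
    return None


def text_entropy(blob: bytes):
    """Entropy of __text, or None when the blob is not a thin 64-bit Mach-O with that section."""
    loc = find_text_section(blob)
    if loc is None:
        return None
    offset, size = loc
    return shannon_entropy(blob[offset:offset + size])


def triage(blob: bytes) -> dict:
    """Verdict for one binary: entropy of __text and whether it crosses the threshold."""
    ent = text_entropy(blob)
    return {"text_entropy": ent, "suspicious": ent is not None and ent >= ENTROPY_THRESHOLD}


def build_sample_macho(text: bytes) -> bytes:
    """Constructed minimal Mach-O (one __TEXT segment, one __text section) for the demo."""
    seg_size = 72 + 80
    text_off = 32 + seg_size
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, seg_size, 0, 0)
    segment = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, seg_size, b"__TEXT",
                          0x100000000, 0x1000, 0, text_off + len(text), 5, 5, 1, 0)
    section = struct.pack("<16s16sQQIIIIIIII", b"__text", b"__TEXT",
                          0x100000000 + text_off, len(text), text_off, 4, 0, 0,
                          0x80000400, 0, 0, 0)
    return header + segment + section + text


def packed_like_bytes(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for packed or encrypted code."""
    rng = random.Random(0x1F)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # real use: python3 macho_entropy.py <thin binary>
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:                                       # offline demo on constructed samples
        print("plain ", triage(build_sample_macho(bytes(range(64)) * 64)))
        print("packed", triage(build_sample_macho(packed_like_bytes(4096))))
```

Entropy alone is a weak signal: a large binary that embeds compressed resources in __text, or a Swift-heavy one, can score high, and a stub whose real code is decrypted at runtime may score low because the encrypted blob lives in another section. Pair it with the other observations the post makes (stripped symbols, a revoked Developer ID, PT_DENY_ATTACH in the imports) before escalating.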