Skip to content

S0658 XCSSET

XCSSET is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing backdoors, spoofed browsers, collecting data, and encrypting user files. It is composed of SHC-compiled shell scripts and run-only AppleScripts, often hiding in apps that mimic system tools (such as Xcode, Mail, or Notes) or use familiar icons (like Launchpad) to avoid detection.132

Item Value
ID S0658
Associated Names OSX.DubRobber
Type MALWARE
Version 1.3
Created 05 October 2021
Last Modified 04 April 2025
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
OSX.DubRobber 4

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.006 TCC Manipulation For several modules, XCSSET attempts to access or list the contents of user folders such as Desktop, Downloads, and Documents. If the folder does not exist or access is denied, it enters a loop where it resets the TCC database and retries access.2
enterprise T1087 Account Discovery XCSSET attempts to discover accounts from various locations such as a user’s Evernote, AppleID, Telegram, Skype, and WeChat data.1
enterprise T1098 Account Manipulation -
enterprise T1098.004 SSH Authorized Keys XCSSET will create an ssh key if necessary with the ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P command. XCSSET will upload a private key file to the server to remotely access the host without a password.1
enterprise T1560 Archive Collected Data XCSSET will compress entire ~/Desktop folders excluding all .git folders, but only if the total data size is under 200MB.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.004 Unix Shell XCSSET uses a shell script to execute Mach-o files and osacompile commands such as, osacompile -x -o xcode.app main.applescript.1
enterprise T1554 Compromise Host Software Binary XCSSET uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.004 Launch Daemon XCSSET uses the ssh launchdaemon to elevate privileges, bypass system controls, and enable remote access to the victim.1
enterprise T1486 Data Encrypted for Impact XCSSET performs AES-CBC encryption on files under ~/Documents, ~/Downloads, and
~/Desktop with a fixed key and renames files to give them a .enc extension. Only files with sizes
less than 500MB are encrypted.1
enterprise T1005 Data from Local System XCSSET collects contacts and application data from files in Desktop, Documents, Downloads, Dropbox, and WeChat folders.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography XCSSET uses RC4 encryption over TCP to communicate with its C2 server.1
enterprise T1546 Event Triggered Execution XCSSET’s dfhsebxzod module searches for .xcodeproj directories within the user’s home folder and subdirectories. For each match, it locates the corresponding project.pbxproj file and embeds an encoded payload into a build rule, target configuration, or project setting. The payload is later executed during the build process.23
enterprise T1546.004 Unix Shell Configuration Modification Using AppleScript, XCSSET adds it’s executable to the user’s ~/.zshrc_aliases file ("echo " & payload & " > ~/zshrc_aliases"), it then adds a line to the .zshrc file to source the .zshrc_aliases file ([ -f $HOME/.zshrc_aliases ] && . $HOME/.zshrc_aliases). Each time the user starts a new zsh terminal session, the .zshrc file executes the .zshrc_aliases file.2
enterprise T1041 Exfiltration Over C2 Channel XCSSET retrieves files that match the pattern defined in the INAME_QUERY variable within the user’s home directory, such as *test.txt, and are below a specific size limit. It then archives the files and exfiltrates the data over its C2 channel.12
enterprise T1068 Exploitation for Privilege Escalation XCSSET has used a zero-day exploit in the ssh launchdaemon to elevate privileges and bypass SIP.1
enterprise T1083 File and Directory Discovery XCSSET has used mdfind to enumerate a list of apps known to grant screen sharing permissions and leverages a module to run the command ls -la ~/Desktop.52
enterprise T1222 File and Directory Permissions Modification -
enterprise T1222.002 Linux and Mac File and Directory Permissions Modification XCSSET uses the chmod +x command to grant executable permissions to the malicious file.6
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories XCSSET uses a hidden folder named .xcassets and .git to embed itself in Xcode.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.006 Dynamic Linker Hijacking XCSSET adds malicious file paths to the DYLD_FRAMEWORK_PATH and DYLD_LIBRARY_PATH environment variables to execute malicious code.1
enterprise T1105 Ingress Tool Transfer XCSSET downloads browser specific AppleScript modules using a constructed URL with the curl command, https://” & domain & “/agent/scripts/” & moduleName & “.applescript.1
enterprise T1056 Input Capture -
enterprise T1056.002 GUI Input Capture XCSSET prompts the user to input credentials using a native macOS dialog box leveraging the system process /Applications/Safari.app/Contents/MacOS/SafariForWebKitDevelopment.1
enterprise T1036 Masquerading XCSSET installs malicious application bundles that mimic native macOS apps, such as Safari, by using the legitimate app’s icon and customizing the Info.plist to match expected metadata.12
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.013 Encrypted/Encoded File Older XCSSET variants use xxd to encode modules. Later versions pass an xxd or base64 encoded blob through multiple decoding stages to reconstruct the module name, AppleScript, or shell command. For example, the initial network request uses three layers of hex decoding before executing a curl command in a shell.2
enterprise T1647 Plist File Modification In older versions, XCSSET uses the plutil command to modify the LSUIElement, DFBundleDisplayName, and CFBundleIdentifier keys in the /Contents/Info.plist file to change how XCSSET is visible on the system. In later versions, XCSSET leverages a third-party notarized dockutil tool to modify the .plist file responsible for presenting applications to the user in the Dock and LaunchPad to point to a malicious application.12
enterprise T1113 Screen Capture XCSSET saves a screen capture of the victim’s system with a numbered filename and .jpg extension. Screen captures are taken at specified intervals based on the system. 1
enterprise T1518 Software Discovery XCSSET uses ps aux with the grep command to enumerate common browsers and system processes potentially impacting XCSSET’s exfiltration capabilities.1
enterprise T1518.001 Security Software Discovery XCSSET searches firewall configuration files located in /Library/Preferences/ and uses csrutil status to determine if System Integrity Protection is enabled.1
enterprise T1539 Steal Web Session Cookie XCSSET uses scp to access the ~/Library/Cookies/Cookies.binarycookies file.1
enterprise T1553 Subvert Trust Controls -
enterprise T1553.001 Gatekeeper Bypass XCSSET has dropped a malicious applet into an app’s .../Contents/MacOS/ folder of a previously launched app to bypass Gatekeeper’s security checks on first launch apps (prior to macOS 13).5
enterprise T1195 Supply Chain Compromise -
enterprise T1195.001 Compromise Software Dependencies and Development Tools XCSSET adds malicious code to a host’s Xcode projects by enumerating CocoaPods target_integrator.rb files under the /Library/Ruby/Gems folder or enumerates all .xcodeproj folders under a given directory. XCSSET then downloads a script and Mach-O file into the Xcode project folder.1
enterprise T1082 System Information Discovery XCSSET identifies the macOS version and uses ioreg to determine serial number.1
enterprise T1614 System Location Discovery -
enterprise T1614.001 System Language Discovery XCSSET uses AppleScript to check the host’s language and location with the command user locale of (get system info).1
enterprise T1569 System Services -
enterprise T1569.001 Launchctl XCSSET loads a system level launchdaemon using the launchctl load -w command from /System/Librarby/LaunchDaemons/ssh.plist.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.003 Time Based Checks Using the machine’s local time, XCSSET waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file, .report. After the elapsed time, XCSSET executes additional modules.1

References

  1. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. 

  2. Microsoft Threat Intelligence. (2025, March 11). New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects. Retrieved April 2, 2025. 

  3. Steven Du, Dechao Zhao, Luis Magisa, Ariel Neimond Lazaro. (2021, April 16). XCSSET Quickly Adapts to macOS 11 and M1-based Macs. Retrieved February 18, 2025. 

  4. Thomas Reed. (2020, April 21). OSX.DubRobber. Retrieved October 5, 2021. 

  5. Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022. 

  6. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.