Skip to content


XCSSET is a macOS modular backdoor that targets Xcode application developers. XCSSET was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.1

Item Value
ID S0658
Associated Names OSX.DubRobber
Version 1.2
Created 05 October 2021
Last Modified 18 October 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
OSX.DubRobber 2

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery XCSSET attempts to discover accounts from various locations such as a user’s Evernote, AppleID, Telegram, Skype, and WeChat data.1
enterprise T1098 Account Manipulation -
enterprise T1098.004 SSH Authorized Keys XCSSET will create an ssh key if necessary with the ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P command. XCSSET will upload a private key file to the server to remotely access the host without a password.1
enterprise T1560 Archive Collected Data XCSSET will compress entire ~/Desktop folders excluding all .git folders, but only if the total data size is under 200MB.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.004 Unix Shell XCSSET uses a shell script to execute Mach-o files and osacompile commands such as, osacompile -x -o main.applescript.1
enterprise T1554 Compromise Client Software Binary XCSSET uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.004 Launch Daemon XCSSET uses the ssh launchdaemon to elevate privileges, bypass system controls, and enable remote access to the victim.1
enterprise T1486 Data Encrypted for Impact XCSSET performs AES-CBC encryption on files under ~/Documents, ~/Downloads, and
~/Desktop with a fixed key and renames files to give them a .enc extension. Only files with sizes
less than 500MB are encrypted.1
enterprise T1005 Data from Local System XCSSET collects contacts and application data from files in Desktop, Documents, Downloads, Dropbox, and WeChat folders.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography XCSSET uses RC4 encryption over TCP to communicate with its C2 server.1
enterprise T1041 Exfiltration Over C2 Channel XCSSET exfiltrates data stolen from a system over its C2 channel.1
enterprise T1068 Exploitation for Privilege Escalation XCSSET has used a zero-day exploit in the ssh launchdaemon to elevate privileges and bypass SIP.1
enterprise T1083 File and Directory Discovery XCSSET has used mdfind to enumerate a list of apps known to grant screen sharing permissions.3
enterprise T1222 File and Directory Permissions Modification -
enterprise T1222.002 Linux and Mac File and Directory Permissions Modification XCSSET uses the chmod +x command to grant executable permissions to the malicious file.4
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories XCSSET uses a hidden folder named .xcassets and .git to embed itself in Xcode.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.006 Dynamic Linker Hijacking XCSSET adds malicious file paths to the DYLD_FRAMEWORK_PATH and DYLD_LIBRARY_PATH environment variables to execute malicious code.1
enterprise T1105 Ingress Tool Transfer XCSSET downloads browser specific AppleScript modules using a constructed URL with the curl command, https://” & domain & “/agent/scripts/” & moduleName & “.applescript.1
enterprise T1056 Input Capture -
enterprise T1056.002 GUI Input Capture XCSSET prompts the user to input credentials using a native macOS dialog box leveraging the system process /Applications/
enterprise T1036 Masquerading XCSSET builds a malicious application bundle to resemble Safari through using the Safari icon and Info.plist. 1
enterprise T1647 Plist File Modification XCSSET uses the plutil command to modify the LSUIElement, DFBundleDisplayName, and CFBundleIdentifier keys in the /Contents/Info.plist file to change how XCSSET is visible on the system.1
enterprise T1113 Screen Capture XCSSET saves a screen capture of the victim’s system with a numbered filename and .jpg extension. Screen captures are taken at specified intervals based on the system. 1
enterprise T1518 Software Discovery XCSSET uses ps aux with the grep command to enumerate common browsers and system processes potentially impacting XCSSET‘s exfiltration capabilities.1
enterprise T1518.001 Security Software Discovery XCSSET searches firewall configuration files located in /Library/Preferences/ and uses csrutil status to determine if System Integrity Protection is enabled.1
enterprise T1539 Steal Web Session Cookie XCSSET uses scp to access the ~/Library/Cookies/Cookies.binarycookies file.1
enterprise T1553 Subvert Trust Controls -
enterprise T1553.001 Gatekeeper Bypass XCSSET has dropped a malicious applet into an app’s .../Contents/MacOS/ folder of a previously launched app to bypass Gatekeeper’s security checks on first launch apps (prior to macOS 13).3
enterprise T1195 Supply Chain Compromise -
enterprise T1195.001 Compromise Software Dependencies and Development Tools XCSSET adds malicious code to a host’s Xcode projects by enumerating CocoaPods target_integrator.rb files under the /Library/Ruby/Gems folder or enumerates all .xcodeproj folders under a given directory. XCSSET then downloads a script and Mach-O file into the Xcode project folder.1
enterprise T1082 System Information Discovery XCSSET identifies the macOS version and uses ioreg to determine serial number.1
enterprise T1614 System Location Discovery -
enterprise T1614.001 System Language Discovery XCSSET uses AppleScript to check the host’s language and location with the command user locale of (get system info).1
enterprise T1569 System Services -
enterprise T1569.001 Launchctl XCSSET loads a system level launchdaemon using the launchctl load -w command from /System/Librarby/LaunchDaemons/ssh.plist.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.003 Time Based Evasion Using the machine’s local time, XCSSET waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file, .report. After the elapsed time, XCSSET executes additional modules.1