article featured image


The XCSSET malware is a strain of macOS malware that has been used to access and illegally procure user login information from multiple apps. The malware was dubbed XCSSET and it looks like is evolving, as it has been targeting macOS developers for more than a year by infecting local Xcode projects.

XCSSET Malware Goes After Sensitive Information

The XCSSET malware steals files with sensitive information from specific apps only to send them afterwards to a remote command and control C2 server from the infected macOS machines.

The Telegram instant messaging software was one of the targeted apps by the XCSSET malware. In this situation the malware works by creating the archive “telegram.applescript” for the “keepcoder.Telegram” folder under the Group Containers directory; that is how it allows the hackers to log into the messaging app as the legitimate owner of the account.

The researchers at Trend Micro explained that when copying the stolen folder on another machine that has Telegram installed the attackers are able to gain access to the victim’s account.

XCSSET malware is able to steal sensitive data in this manner as normal users can access the Application sandbox directory with read and write permissions.

Not all executable files are sandboxed on macOS, which means a simple script can steal all the data stored in the sandbox directory.


The method used to steal the passwords saved in Google Chrome was also analyzed by the researchers, and they discovered that a technique that requires user interaction is being used.

It looks like the threat actor needs to get the Safe Storage Key, which is stored in the user’s keychain as “Chrome Safe Storage”, but they can use a fake dialog to trick the user into giving administrator privileges to all of the attacker’s operations necessary to get the Safe Storage Key that can decrypt passwords stored in Chrome.

All the data is sent to the attacker’s command and control server, once decrypted.

This is not the only script contained in the XCSSET malware for stealing sensitive data, as scripts for other apps like Contacts, Evernote, Notes, Opera, Skype, WeChat were also discovered.

According to the researchers at Trend Micro, the latest version of XCSSET they analyzed has an updated list of C2 servers and a new “canary” module for cross-site scripting (XSS) injections in the experimental Chrome Canary web browser.

It’s important to note that XCSSET malware is targeting the latest macOS version (currently Big Sur) and has been seen in the past leveraging a zero-day vulnerability in order to evade protections for full disk access and avoid explicit content from the user.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.