Crypto Theft on macOS: XCSSET Malware Swaps Wallet Addresses in Real Time

A new and more dangerous variant of the XCSSET macOS malware has been uncovered by Microsoft, revealing an expanded arsenal of capabilities aimed at financial theft and deeper system compromise. Originally known for spreading through malicious Xcode projects, XCSSET has steadily evolved into one of the most persistent malware families targeting Apple’s ecosystem.The latest analysis highlights a refined four-stage infection chain that culminates in the deployment of a powerful AppleScript payload. This payload actively monitors the system clipboard for cryptocurrency wallet addresses and silently swaps them for attacker-controlled addresses—allowing hackers to hijack transactions in real time. Beyond crypto theft, the malware introduces a dedicated info-stealer module for the Firefox browser, adapted from the HackBrowserData project, which enables the theft of passwords, credit card details, browsing history, and cookies.Even more concerning are the malware’s persistence and evasion tactics. It sets up LaunchDaemons to survive reboots, disables macOS security updates—including Rapid Security Response patches—and disguises itself as a fake System Settings app to blend in with normal user activity. These techniques allow it to remain undetected while siphoning off sensitive data and financial assets.Microsoft’s discovery underscores the sophistication of XCSSET’s evolution and the need for vigilance in the macOS community. Working with Apple and GitHub, the company has helped take down repositories distributing the malware, but attacks are ongoing. This latest wave of XCSSET marks a shift toward direct financial exploitation, proving that macOS is far from immune to advanced cyber threats.#XCSSET #macOS #Malware #MicrosoftSecurity #CryptoHijacking #Firefox #Xcode #Cybersecurity #ClipboardHijacking #InfoStealer #Persistence #ThreatIntel

There are no comments yet.

Please log in to write the first comment.