Skip to content

Hide Navigation Hide TOC

XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f)

XCSSET is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing backdoors, spoofed browsers, collecting data, and encrypting user files. It is composed of SHC-compiled shell scripts and run-only AppleScripts, often hiding in apps that mimic system tools (such as Xcode, Mail, or Notes) or use familiar icons (like Launchpad) to avoid detection.(Citation: trendmicro xcsset xcode project 2020)(Citation: April 2021 TrendMicro XCSSET)(Citation: Microsoft March 2025 XCSSET)

Cluster A Galaxy A Cluster B Galaxy B Level
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Launchctl - T1569.001 (810aa4ad-61c9-49cb-993f-daa06199421d) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Plist File Modification - T1647 (7d20fff9-8751-404e-badd-ccd71bda0236) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Compromise Software Dependencies and Development Tools - T1195.001 (191cc6af-1bb2-4344-ab5f-28e496638720) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e) Attack Pattern XCSSET - S0658 (e14085cb-0e8d-4be6-92ba-e3b93ee5978f) Malware 1
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 2
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) Attack Pattern 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 2
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern 2
Launchctl - T1569.001 (810aa4ad-61c9-49cb-993f-daa06199421d) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba) Attack Pattern 2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2) Attack Pattern 2
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern 2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7) Attack Pattern Compromise Software Dependencies and Development Tools - T1195.001 (191cc6af-1bb2-4344-ab5f-28e496638720) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825) Attack Pattern 2
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e) Attack Pattern 2