S0658: XCSSET
XCSSET is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing backdoors, spoofed browsers, collecting data, and encrypting user files. It is composed of SHC-compiled shell scripts and run-only AppleScripts, often hiding in apps that mimic system tools (such as Xcode, Mail, or Notes) or use familiar icons (like Launchpad) to avoid detection.[1][2][3]
Analyst context for executives and security teams
XCSSET matters because it turns macOS developer workflows into a potential entry point: MITRE describes it as malware delivered through infected Xcode projects and executed when the project is compiled. For leaders, the business issue is not only “Mac malware,” but whether developer endpoints, source-code handling, browser sessions, and macOS privacy controls are monitored and recoverable enough to prevent a compromised build environment from becoming an identity, data theft, or availability incident.
Executive priority
Prioritize XCSSET as a macOS developer and supply-chain readiness scenario. The ATT&CK relationships connect it to compromised development tools, local data collection, web session cookie theft, persistence, privilege escalation, exfiltration over C2, and file encryption impact. Executives should ask whether macOS developer fleets have the same endpoint visibility, backup discipline, privileged-access controls, and incident response playbooks as Windows and server environments, and whether audit evidence can show control coverage for developer workstations and Xcode project intake.
Technical view
SOC and IR teams should validate macOS coverage around infected or suspicious Xcode projects, shell and AppleScript execution, masqueraded applications imitating system tools, Launch Daemon and shell configuration persistence, SSH authorized_keys modification, TCC manipulation, discovery commands, file permission changes, browser/session data access, screen capture activity, inbound tool transfer, outbound C2-like traffic, and unusual file encryption behavior. MITRE provides no official detection text for this object, so detection engineering should be relationship-driven and tested against local macOS logging, EDR, and network telemetry rather than assuming ATT&CK supplies a ready analytic.
Likely telemetry
- macOS endpoint process execution for shell scripts, AppleScript, Xcode-related build activity, and child processes
- File creation and modification events for Xcode projects, masqueraded apps, Launch Daemon plist files, shell configuration files, SSH authorized_keys, browser data stores, and user files
- macOS security/privacy-related evidence relevant to TCC-protected resources such as screen capture or Full Disk Access changes
- Network telemetry for external file transfer and command-and-control-style outbound communications
- Authentication and account evidence related to local account discovery and SSH key persistence
Detection direction
- Build detections around behavior chains, not just names: Xcode project interaction followed by shell/AppleScript execution, persistence changes, discovery, data access, and outbound transfer is more meaningful than any single event.
- Tune for masquerading on macOS, including applications or icons that mimic Xcode, Mail, Notes, Launchpad, or other familiar system tools, while accounting for legitimate developer utilities that may create noise.
- Validate monitoring of macOS persistence locations, especially Launch Daemons, Unix shell configuration files, and SSH authorized_keys, because these relationships indicate persistence and privilege-escalation relevance.
- Review visibility into browser/session artifacts and GUI prompts because the relationships include web session cookie theft and GUI input capture; these may be missed if endpoint telemetry excludes user privacy-protected paths.
- Account for evasion and analysis friction: encoded or encrypted files, time-based checks, and security software discovery can reduce confidence in simple static or sandbox-only detection.
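One way to turn the behavior-chain guidance above into a testable analytic, as an added example (not MITRE's text and not an official ATT&CK analytic): a correlator that classifies each endpoint event into a chain stage and alerts only when several distinct stages co-occur on one host inside a short window. The event field names, the path regexes, the stage lists and the sample events are all constructed for this example and are assumptions to adapt to your own EDR schema.

```python
"""Behaviour-chain scoring over macOS endpoint events (added example).

Correlates, per host, the stages the detection guidance lists: Xcode
project interaction, shell/AppleScript execution, persistence change,
discovery, data access and outbound transfer. Any single stage is normal
on a developer Mac (every build spawns /bin/sh); several distinct stages
inside one window is the signal. Field names, regexes and sample events
are constructed for this example and are not MITRE analytics.
"""
from collections import defaultdict
import re

# Assumed persistence and browser-data paths (illustrative, not exhaustive).
PERSISTENCE_PATHS = re.compile(
    r"(/Library/LaunchDaemons/|/Library/LaunchAgents/|/\.zshrc|/\.zprofile|"
    r"/\.bash_profile|/\.ssh/authorized_keys)")
BROWSER_DATA = re.compile(r"(Cookies\.binarycookies$|/Google/Chrome/.*/Cookies$|/Login Data$)")
SCRIPT_HOSTS = ("/sh", "/bash", "/zsh", "/osascript")
DISCOVERY_TOOLS = ("/mdfind", "/ls", "/sw_vers", "/dscl", "/defaults")

def classify(ev):
    """Map one event dict to a chain stage name, or None if it is not of interest."""
    kind = ev["type"]
    if kind == "process":
        image, cmd = ev["image"], ev.get("cmdline", "")
        if image.endswith("/xcodebuild") or ".xcodeproj" in cmd:
            return "xcode"
        if image.endswith(SCRIPT_HOSTS):
            return "script"
        if image.endswith(DISCOVERY_TOOLS):
            return "discovery"
        if image.endswith(("/curl", "/nc")):
            return "transfer"
    elif kind == "file":
        if ev["action"] in ("create", "modify") and PERSISTENCE_PATHS.search(ev["path"]):
            return "persistence"
        if ev["action"] == "read" and BROWSER_DATA.search(ev["path"]):
            return "data_access"
    elif kind == "network":
        if ev.get("direction") == "out" and not ev.get("internal", False):
            return "transfer"
    return None

def score_chains(events, window_s=600, min_stages=4):
    """Per host, return (host, stages, first_ts, last_ts) for the sliding window
    holding the most distinct stages, provided that count reaches min_stages."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage))
    alerts = []
    for host, items in by_host.items():
        best, lo = None, 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window_s:
                lo += 1
            stages = frozenset(s for _, s in items[lo:hi + 1])
            if len(stages) >= min_stages and (best is None or len(stages) > len(best[1])):
                best = (host, stages, items[lo][0], items[hi][0])
        if best:
            alerts.append(best)
    return alerts

# Constructed sample telemetry: dev-mac-01 shows a full chain after a build,
# dev-mac-02 shows only an ordinary build with its Run Script phase.
SAMPLE_EVENTS = [
    {"ts": 0, "host": "dev-mac-01", "type": "process", "image": "/usr/bin/xcodebuild", "cmdline": "xcodebuild -project App.xcodeproj"},
    {"ts": 5, "host": "dev-mac-01", "type": "process", "image": "/bin/sh", "cmdline": "sh -c ./build_phase.sh"},
    {"ts": 6, "host": "dev-mac-01", "type": "process", "image": "/usr/bin/osascript", "cmdline": "osascript /tmp/run.scpt"},
    {"ts": 30, "host": "dev-mac-01", "type": "file", "path": "/Users/dev/.zshrc", "action": "modify"},
    {"ts": 40, "host": "dev-mac-01", "type": "process", "image": "/usr/bin/mdfind", "cmdline": "mdfind -name .app"},
    {"ts": 50, "host": "dev-mac-01", "type": "file", "path": "/Users/dev/Library/Cookies/Cookies.binarycookies", "action": "read"},
    {"ts": 60, "host": "dev-mac-01", "type": "network", "direction": "out", "dst": "203.0.113.10", "internal": False},
    {"ts": 0, "host": "dev-mac-02", "type": "process", "image": "/usr/bin/xcodebuild", "cmdline": "xcodebuild -project Other.xcodeproj"},
    {"ts": 3, "host": "dev-mac-02", "type": "process", "image": "/bin/sh", "cmdline": "sh -c swiftlint"},
]

if __name__ == "__main__":
    for host, stages, first, last in score_chains(SAMPLE_EVENTS):
        print(f"{host}: {len(stages)} stages between t={first}s and t={last}s: {sorted(stages)}")
```

With the defaults only dev-mac-01 alerts (six distinct stages within 60 seconds); dev-mac-02 never reaches the threshold because a build plus a shell is exactly the noise the guidance warns about. Shrinking `window_s` or raising `min_stages` is the tuning knob to trade recall for noise in your own fleet.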
Mitigation priorities
- Treat macOS developer endpoints as high-value assets: enforce managed endpoint security, patching, least privilege, and recovery standards comparable to other privileged engineering systems.
- Strengthen software supply-chain hygiene for Xcode projects, including trusted source practices, review of imported projects, and controls around shared development artifacts.
- Harden macOS persistence and privilege paths by monitoring and controlling Launch Daemon creation, shell startup file changes, SSH key modifications, file permission changes, and TCC permission abuse.
- Protect identity and session material by reducing unnecessary browser/session persistence on developer systems and ensuring incident response procedures include session invalidation when cookie theft is suspected.
- Ensure resilient backups and restore testing for macOS user data because the relationships include data encryption for impact.
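For the supply-chain hygiene point about reviewing imported Xcode projects, here is an added example (not MITRE's and not from any referenced report) of an intake check that reads a `project.pbxproj` as text and flags build-phase scripts that pipe decoded data into an interpreter, fetch-and-run remote content, or carry long hex/base64 blobs, which is the shape of the encoded payloads the technique table describes. The heuristics, regexes and the sample project text are constructed for this example; legitimate scripts that decode certificates or fixtures will need an allowlist.

```python
"""Xcode project intake scan for decode-and-execute build scripts (added example).

Pulls the `shellScript` of every PBXShellScriptBuildPhase and the `script`
of every PBXBuildRule from project.pbxproj text and applies a few
heuristics. Regexes, thresholds and the sample project are constructed
for this example and are not MITRE's.
"""
import re

# One pbxproj object: "<ID> /* comment */ = { ... };" with at most one level of nested braces.
OBJECT = re.compile(
    r"^\s*(?P<id>[0-9A-F]{6,24})\s*(?:/\*.*?\*/)?\s*=\s*\{(?P<body>(?:[^{}]|\{[^{}]*\})*)\}",
    re.MULTILINE | re.DOTALL)
SCRIPT_KEY = re.compile(r'\b(shellScript|script)\s*=\s*"((?:[^"\\]|\\.)*)"', re.DOTALL)
DECODE_CHAIN = re.compile(
    r"(?:xxd\s+-r|base64\s+(?:-d|-D|--decode)|openssl\s+enc\s+-d)[^|\n]*\|\s*(?:sh|bash|zsh|osascript|eval)\b")
REMOTE_FETCH = re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sh|bash|zsh|osascript)\b")
HEX_BLOB = re.compile(r"\b[0-9a-fA-F]{40,}\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def unescape_pbx(s):
    """Undo the escaping pbxproj applies inside quoted strings."""
    return s.replace('\\"', '"').replace("\\n", "\n").replace("\\t", "\t")

def extract_scripts(text):
    """Yield (object_id, key, script_text) for every script-bearing object."""
    for m in OBJECT.finditer(text):
        body = m.group("body")
        if "isa = PBXShellScriptBuildPhase" not in body and "isa = PBXBuildRule" not in body:
            continue
        for key, raw in SCRIPT_KEY.findall(body):
            yield m.group("id"), key, unescape_pbx(raw)

def assess_script(script):
    """Return the heuristic names the script trips, in a fixed order (empty = clean)."""
    reasons = []
    if DECODE_CHAIN.search(script):
        reasons.append("decode-chain")
    if REMOTE_FETCH.search(script):
        reasons.append("remote-fetch")
    if HEX_BLOB.search(script):
        reasons.append("hex-blob")
    elif B64_BLOB.search(script):
        reasons.append("base64-blob")
    return reasons

def scan_pbxproj_text(text):
    """Return findings for scripts that trip at least one heuristic."""
    return [{"id": oid, "key": key, "reasons": r, "script": script}
            for oid, key, script in extract_scripts(text)
            if (r := assess_script(script))]

# Constructed sample project: one ordinary lint phase and two phases that decode
# a blob and hand it to a shell. The hex decodes to "echo hello"; the base64 is
# a letter string. Both are placeholders, not real payloads.
SAMPLE_PBXPROJ = r"""// !$*UTF8*$!
{
	objects = {
/* Begin PBXShellScriptBuildPhase section */
		AA0001 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Lint";
			shellPath = /bin/sh;
			shellScript = "swiftlint lint --quiet\n";
		};
		AA0002 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			files = (
			);
			shellPath = /bin/sh;
			shellScript = "echo 6563686f2068656c6c6f | xxd -r -p | sh\n";
		};
		AA0003 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "echo QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9w | base64 --decode | bash\n";
		};
/* End PBXShellScriptBuildPhase section */
	};
}
"""

if __name__ == "__main__":
    for f in scan_pbxproj_text(SAMPLE_PBXPROJ):
        print(f["id"], f["key"], f["reasons"], repr(f["script"].strip()))
```

Run it over every `project.pbxproj` in a repository before the project is opened or built; a hit is a reason to diff the file against the upstream copy, not proof of compromise, since a pbxproj can be legitimately edited to run any script.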
Analyst notes and limits
This take is based on MITRE ATT&CK S0658 and its supplied relationships. The most important defender value is mapping XCSSET to macOS developer workflow risk: initial access through compromised development tools, execution through Unix shell behavior, stealth through masquerading and encoded files, persistence through macOS mechanisms, credential/session risk, collection, exfiltration, and possible availability impact.
The ATT&CK object lists macOS as the platform and provides no official detection section or object-level tactics. Specific indicators, infrastructure, prevalence, affected organizations, and guaranteed detection methods are not supplied here. Local validation is required to determine whether Xcode projects, developer endpoints, macOS privacy controls, browser artifacts, and persistence paths are actually monitored in the environment.
XCSSET
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | XCSSET uses a hidden folder named |
| Enterprise | T1518 | Software Discovery | |
| Enterprise | T1614.001 | System Language Discovery Sub-technique | XCSSET uses AppleScript to check the host's language and location with the command |
| Enterprise | T1105 | Ingress Tool Transfer | XCSSET downloads browser specific AppleScript modules using a constructed URL with the |
| Enterprise | T1041 | Exfiltration Over C2 Channel | XCSSET retrieves files that match the pattern defined in the INAME_QUERY variable within the user's home directory, such as `*test.txt`, and are below a specific size limit. It then archives the files and exfiltrates the data over its C2 channel.[1][3] |
| Enterprise | T1553.001 | Gatekeeper Bypass Sub-technique | XCSSET has dropped a malicious applet into an app's `.../Contents/MacOS/` folder of a previously launched app to bypass Gatekeeper's security checks on first launch apps (prior to macOS 13). (Citation: Application Bundle Manipulation Brandon Dalton) |
| Enterprise | T1036 | Masquerading | XCSSET installs malicious application bundles that mimic native macOS apps, such as Safari, by using the legitimate app’s icon and customizing the `Info.plist` to match expected metadata.[1][3] |
| Enterprise | T1195.001 | Compromise Software Dependencies and Development Tools Sub-technique | XCSSET adds malicious code to a host's Xcode projects by enumerating CocoaPods |
| Enterprise | T1098.004 | SSH Authorized Keys Sub-technique | |
| Enterprise | T1005 | Data from Local System | XCSSET collects contacts and application data from files in Desktop, Documents, Downloads, Dropbox, and WeChat folders.[1] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | XCSSET uses RC4 encryption over TCP to communicate with its C2 server.[1] |
| Enterprise | T1574.006 | Dynamic Linker Hijacking Sub-technique | XCSSET adds malicious file paths to the |
| Enterprise | T1560 | Archive Collected Data | XCSSET will compress entire |
| Enterprise | T1548.006 | TCC Manipulation Sub-technique | For several modules, XCSSET attempts to access or list the contents of user folders such as Desktop, Downloads, and Documents. If the folder does not exist or access is denied, it enters a loop where it resets the TCC database and retries access.[3] |
| Enterprise | T1222.002 | Linux and Mac Permissions Sub-technique | XCSSET uses the |
| Enterprise | T1539 | Steal Web Session Cookie | XCSSET uses |
| Enterprise | T1056.002 | GUI Input Capture Sub-technique | XCSSET prompts the user to input credentials using a native macOS dialog box leveraging the system process |
| Enterprise | T1068 | Exploitation for Privilege Escalation | XCSSET has used a zero-day exploit in the ssh launchdaemon to elevate privileges and bypass SIP.[1] |
| Enterprise | T1569.001 | Launchctl Sub-technique | XCSSET loads a system level launchdaemon using the |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | XCSSET searches firewall configuration files located in |
| Enterprise | T1486 | Data Encrypted for Impact | XCSSET performs AES-CBC encryption on files under |
| Enterprise | T1082 | System Information Discovery | XCSSET identifies the macOS version and uses |
| Enterprise | T1543.004 | Launch Daemon Sub-technique | XCSSET uses the ssh launchdaemon to elevate privileges, bypass system controls, and enable remote access to the victim.[1] |
| Enterprise | T1647 | Plist File Modification | In older versions, XCSSET uses the |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Older XCSSET variants use `xxd` to encode modules. Later versions pass an `xxd` or `base64` encoded blob through multiple decoding stages to reconstruct the module name, AppleScript, or shell command. For example, the initial network request uses three layers of hex decoding before executing a curl command in a shell.[3] |
| Enterprise | T1083 | File and Directory Discovery | XCSSET has used `mdfind` to enumerate a list of apps known to grant screen sharing permissions and leverages a module to run the command `ls -la ~/Desktop`.[3] (Citation: Application Bundle Manipulation Brandon Dalton) |
| Enterprise | T1059.004 | Unix Shell Sub-technique | XCSSET uses a shell script to execute Mach-o files and |
| Enterprise | T1497.003 | Time Based Checks Sub-technique | |
| Enterprise | T1554 | Compromise Host Software Binary | XCSSET uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules.[1] |
| Enterprise | T1087 | Account Discovery | XCSSET attempts to discover accounts from various locations such as a user's Evernote, AppleID, Telegram, Skype, and WeChat data.[1] |
| Enterprise | T1546 | Event Triggered Execution | XCSSET's `dfhsebxzod` module searches for `.xcodeproj` directories within the user’s home folder and subdirectories. For each match, it locates the corresponding `project.pbxproj` file and embeds an encoded payload into a build rule, target configuration, or project setting. The payload is later executed during the build process.[2][3] |
| Enterprise | T1113 | Screen Capture | XCSSET saves a screen capture of the victim's system with a numbered filename and |
| Enterprise | T1546.004 | Unix Shell Configuration Modification Sub-technique | Using AppleScript, XCSSET adds its executable to the user's `~/.zshrc_aliases` file (`"echo " & payload & " > ~/zshrc_aliases"`), then adds a line to the `.zshrc` file to source the `.zshrc_aliases` file (`[ -f $HOME/.zshrc_aliases ] && . $HOME/.zshrc_aliases`). Each time the user starts a new `zsh` terminal session, the `.zshrc` file executes the `.zshrc_aliases` file.[3] |
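The persistence rows above (Launch Daemon, SSH authorized keys, Unix shell configuration modification) and the earlier guidance to monitor those locations can be checked with a small audit. The following is an added example, not code from MITRE or the cited reports: it lists dotfiles sourced from shell startup files (the `.zshrc` to `.zshrc_aliases` pattern), reports `authorized_keys` entries absent from a known baseline, and flags LaunchDaemon plists whose program lives in a user-writable or hidden path. It runs against a constructed fixture tree; the path lists, the `.plist` parsing via the standard `plistlib`, and the baseline key set are assumptions for this example.

```python
"""Persistence-path audit for a macOS home directory and LaunchDaemons folder (added example).

Checks three locations the page names: shell startup files that source
extra dotfiles, SSH authorized_keys entries not in a baseline, and
LaunchDaemon plists whose program path is user-writable or hidden. The
fixture built by build_fixture() is constructed sample data, and the
heuristics are this example's own, not MITRE guidance.
"""
import os
import plistlib
import re
import tempfile

STARTUP_FILES = (".zshrc", ".zprofile", ".zshenv", ".bash_profile", ".bashrc", ".profile")
# "source X" or ". X" at the start of a line or after && ; ||
SOURCE_LINE = re.compile(r"(?:^|&&|;|\|\|)\s*(?:\.|source)\s+(\S+)")
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

def _expand(path, home):
    return path.replace("$HOME", home).replace("~", home).strip("\"'")

def audit_startup_files(home):
    """Return every file sourced from a shell startup file, with the referencing line."""
    hits = []
    for name in STARTUP_FILES:
        p = os.path.join(home, name)
        if not os.path.isfile(p):
            continue
        with open(p, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                for m in SOURCE_LINE.finditer(line):
                    target = _expand(m.group(1), home)
                    hits.append({"startup_file": name, "sourced": target,
                                 "exists": os.path.isfile(target), "line": line.strip()})
    return hits

def audit_authorized_keys(home, baseline):
    """Return authorized_keys entries whose key material is not in the baseline set."""
    p = os.path.join(home, ".ssh", "authorized_keys")
    if not os.path.isfile(p):
        return []
    unknown = []
    with open(p, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            parts = line.split()
            if len(parts) < 2 or parts[0].startswith("#"):
                continue
            # Options may precede the key type; the key material follows the type.
            for i, tok in enumerate(parts):
                if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                    if parts[i + 1] not in baseline:
                        unknown.append({"type": tok, "comment": " ".join(parts[i + 2:])})
                    break
    return unknown

def audit_launch_daemons(daemon_dir):
    """Flag LaunchDaemon plists whose program path is user-writable or under a hidden directory."""
    findings = []
    if not os.path.isdir(daemon_dir):
        return findings
    for fn in sorted(os.listdir(daemon_dir)):
        if not fn.endswith(".plist"):
            continue
        try:
            with open(os.path.join(daemon_dir, fn), "rb") as fh:
                d = plistlib.load(fh)
        except Exception as exc:  # an unparseable daemon plist is itself worth a look
            findings.append({"file": fn, "reason": f"unparseable: {exc}"})
            continue
        args = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
        prog = args[0] if args else ""
        reasons = []
        if prog.startswith(USER_WRITABLE):
            reasons.append("program in user-writable path")
        if "/." in prog:
            reasons.append("program under hidden directory")
        if reasons:
            findings.append({"file": fn, "label": d.get("Label"), "program": prog,
                             "reason": "; ".join(reasons)})
    return findings

def build_fixture(root):
    """Constructed sample tree: a sourcing chain, one unknown key, one benign and one odd daemon."""
    home = os.path.join(root, "Users", "dev")
    daemons = os.path.join(root, "Library", "LaunchDaemons")
    os.makedirs(os.path.join(home, ".ssh"))
    os.makedirs(daemons)
    with open(os.path.join(home, ".zshrc"), "w") as f:
        f.write('export PATH="$HOME/bin:$PATH"\n'
                '[ -f $HOME/.zshrc_aliases ] && . $HOME/.zshrc_aliases\n')
    with open(os.path.join(home, ".zshrc_aliases"), "w") as f:
        f.write("alias ll='ls -la'\n")  # placeholder content; only its presence matters here
    with open(os.path.join(home, ".ssh", "authorized_keys"), "w") as f:
        f.write("ssh-ed25519 AAAAKNOWNKEY dev@laptop\n"
                "ssh-ed25519 AAAAUNKNOWNKEY extra\n")  # constructed, not real key material
    with open(os.path.join(daemons, "com.example.good.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.good", "ProgramArguments": ["/usr/sbin/sshd"]}, f)
    with open(os.path.join(daemons, "com.example.updater.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/Users/dev/.hidden/agent", "-r"]}, f)

def run_audit(root, baseline_keys=frozenset({"AAAAKNOWNKEY"})):
    home = os.path.join(root, "Users", "dev")
    return {"sourced": audit_startup_files(home),
            "unknown_keys": audit_authorized_keys(home, baseline_keys),
            "daemons": audit_launch_daemons(os.path.join(root, "Library", "LaunchDaemons"))}

def demo():
    """Build the fixture in a temp dir and return the audit result."""
    root = tempfile.mkdtemp()
    build_fixture(root)
    return run_audit(root)

if __name__ == "__main__":
    for section, items in demo().items():
        print(section, items)
```

On a live system point `run_audit` at `/` (so that `home` resolves to the real user folder and the daemon directory to `/Library/LaunchDaemons`) and feed it the baseline of keys you actually issued; every sourced file it reports is a file whose contents should be reviewed, since the startup file itself can look entirely benign.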
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | a2854be8c3f5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] trendmicro xcsset xcode project 2020: Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
- [2] April 2021 TrendMicro XCSSET: Steven Du, Dechao Zhao, Luis Magisa, Ariel Neimond Lazaro. (2021, April 16). XCSSET Quickly Adapts to macOS 11 and M1-based Macs. Retrieved February 18, 2025.
- [3] Microsoft March 2025 XCSSET: Microsoft Threat Intelligence. (2025, March 11). New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects. Retrieved April 2, 2025.
- [4] OSX.DubRobber (Citation: malwarebyteslabs xcsset dubrobber)
- [5] XCSSET (Citation: trendmicro xcsset xcode project 2020)
- [6] malwarebyteslabs xcsset dubrobber: Thomas Reed. (2020, April 21). OSX.DubRobber. Retrieved October 5, 2021.
- [7] mitre-attack S0658
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.