A newly discovered variant of the sophisticated XCSSET malware is targeting macOS users by monitoring the system clipboard to intercept and hijack cryptocurrency transactions, according to a detailed analysis published by Microsoft on September 25, 2025. The finding represents a significant escalation in threats facing crypto holders who use macOS devices, as the malware specifically scans for wallet addresses and replaces them with attacker-controlled alternatives before the victim even notices.
The Exploit Mechanics
XCSSET has been active in the wild for over five years, originally spreading through malicious Xcode projects that abuse Apple’s integrated development environment. This latest iteration introduces a refined four-stage infection chain that begins when a developer clones a compromised repository. Once executed, the malware deploys a boot function that now includes additional checks for the Firefox browser and a modified check for the Telegram messaging application, expanding its surveillance footprint considerably.
At the fourth stage of the chain, the malware fetches a run-only compiled AppleScript from its command-and-control server. This script defines functions related to data validation, encryption, decryption, and obtaining additional payload instructions. Critically, the script also contains functions associated with clipboard monitoring, allowing the malware to identify cryptocurrency addresses copied by the user and replace them with addresses from a curated list of attacker-controlled wallets. With Bitcoin trading near $109,700 and Ethereum above $4,035, even a single successful redirection could result in substantial financial loss.
Affected Systems
The new variant adds a dedicated info-stealer module targeting the Firefox browser. Built using a modified version of the open-source HackBrowserData project, this module extracts browser history, cookies, stored passwords, and credit card information from unsuspecting victims. The combination of clipboard hijacking and credential harvesting creates a dual-threat scenario where attackers can both redirect active transactions and access stored financial data.
Beyond browser targeting, the malware establishes persistence through a LaunchDaemon mechanism, creating a hidden payload file in the user’s home directory. It also modifies system configurations to disable macOS security configuration updates and Apple’s Rapid Security Response mechanism, effectively blinding the operating system to the intrusion. In a particularly deceptive touch, XCSSET creates a fake System Settings application that launches alongside the legitimate one, presenting users with a convincing facade while malicious operations proceed in the background.
The Mitigation Strategy
Microsoft has reported its findings directly to Apple and coordinated with GitHub to remove the malicious repositories distributing the malware. However, the attack surface extends beyond what platform operators can address alone. Users and organizations dealing in cryptocurrency transactions must adopt proactive defense measures that account for this specific threat profile.
Security researchers recommend verifying Xcode project sources before cloning, monitoring LaunchDaemon directories for unexpected entries, and using dedicated hardware wallets for large cryptocurrency transactions rather than relying on clipboard-based address copying. The use of address verification features built into modern wallet applications can also help detect when a pasted address does not match the intended recipient.
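One way to act on the LaunchDaemon recommendation above, as an added example that is not the article's or Microsoft's code: a Python audit of launchd plists that flags entries whose program runs from a home directory or from a hidden dot-named path, the persistence pattern the article describes for this variant. The heuristics and the two sample plists written by demo() are assumptions constructed for illustration; the search paths are the standard launchd directories.

```python
"""Audit launchd plists for XCSSET-style persistence. Added example, not the
article's or Microsoft's code; the heuristics (program under a home directory
or behind a hidden dot-name) and the demo() samples are constructed."""
import os
import plistlib
import tempfile

# Real launchd search paths; audit() takes any list, e.g. a mounted forensic image.
LAUNCHD_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents", os.path.expanduser("~/Library/LaunchAgents")]

def program_path(plist):
    """Executable launchd will run: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def suspicious_reasons(plist):
    """Reasons an entry resembles the persistence the article describes."""
    prog = program_path(plist)
    reasons = []
    if prog.startswith(("/Users/", "~")):
        reasons.append("program runs from a home directory: " + prog)
    if any(p.startswith(".") for p in prog.split("/") if p):
        reasons.append("hidden component in program path: " + prog)
    return reasons

def audit(dirs=LAUNCHD_DIRS):
    """Map plist path -> reasons for every entry that trips a heuristic."""
    findings = {}
    for d in filter(os.path.isdir, dirs):
        for name in sorted(n for n in os.listdir(d) if n.endswith(".plist")):
            path = os.path.join(d, name)
            with open(path, "rb") as fh:
                reasons = suspicious_reasons(plistlib.load(fh))
            if reasons:
                findings[path] = reasons
    return findings

def demo():
    """Write a benign plist and a constructed malicious one, then audit."""
    tmp = tempfile.mkdtemp()
    samples = {  # constructed samples, not real indicators
        "com.example.backup.plist": {"Program": "/usr/local/bin/backup"},
        "com.apple.updater.plist": {"ProgramArguments": ["/Users/dev/.cache/.payload"]},
    }
    for name, data in samples.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            plistlib.dump(data, fh)
    return tmp, audit([tmp])
```

Run audit() as root on a live host to cover /Library/LaunchDaemons; any hit is a lead for manual review, not proof of compromise.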
Lessons Learned
The XCSSET evolution demonstrates that macOS is no longer a secondary target for cryptocurrency-focused malware. The five-year development arc of this threat shows sustained investment by attackers in refining their tools for Apple’s ecosystem. The addition of clipboard monitoring specifically for cryptocurrency addresses signals that attackers are adapting to the growing mainstream adoption of digital assets, where a single transaction can involve tens of thousands of dollars.
The malware’s ability to disable macOS security updates is particularly concerning because it creates a persistent blind spot that can mask further malicious activity. Organizations should consider implementing endpoint detection and response solutions that can identify unauthorized changes to system security configurations.
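A check for the specific configuration change the article attributes to XCSSET, added here as an example (not from the article or Microsoft's report): it reads the com.apple.SoftwareUpdate preferences behind the automatic security-update switches, reports any that have been explicitly turned off, and produces the `defaults` commands that restore them. The key names and plist path are the real macOS preferences; the sample plists written by demo() are constructed.

```python
"""Detect tampering with the macOS automatic security-update switches.
Added example, not the article's or Microsoft's code; the plist path and key
names are the real com.apple.SoftwareUpdate preferences behind System
Settings > Software Update, while the plists written by demo() are constructed."""
import os
import plistlib
import tempfile

SOFTWAREUPDATE_PLIST = "/Library/Preferences/com.apple.SoftwareUpdate.plist"

# Keys a healthy host keeps enabled. ConfigDataInstall governs security
# configuration data (XProtect definitions and similar); CriticalUpdateInstall
# governs Rapid Security Responses, the mechanism the article says is disabled.
EXPECTED = {"AutomaticCheckEnabled": True,
            "ConfigDataInstall": True,
            "CriticalUpdateInstall": True}

def check_update_settings(path=SOFTWAREUPDATE_PLIST):
    """Return {key: actual} for each expected key explicitly set to a bad value.
    Absent keys fall back to the macOS defaults (enabled) and are not reported;
    an explicit False is the footprint a tampering tool leaves behind."""
    if not os.path.exists(path):
        return {}
    with open(path, "rb") as fh:
        prefs = plistlib.load(fh)
    return {k: prefs[k] for k, want in EXPECTED.items()
            if k in prefs and bool(prefs[k]) != want}

def remediation_commands(deviations, path=SOFTWAREUPDATE_PLIST):
    """Root-level `defaults write` commands that restore each flagged key."""
    return ["defaults write %s %s -bool %s" % (path, k, str(EXPECTED[k]).lower())
            for k in sorted(deviations)]

def demo():
    """Write a healthy plist and a constructed tampered one, check both."""
    tmp = tempfile.mkdtemp()
    healthy, tampered = [os.path.join(tmp, n) for n in ("healthy.plist", "tampered.plist")]
    with open(healthy, "wb") as fh:
        plistlib.dump(dict(EXPECTED, AutomaticDownload=True), fh)
    with open(tampered, "wb") as fh:  # constructed: security switches turned off
        plistlib.dump({"AutomaticCheckEnabled": True, "ConfigDataInstall": False,
                       "CriticalUpdateInstall": False}, fh)
    return check_update_settings(healthy), check_update_settings(tampered)
```

On a managed fleet the same check fits a periodic compliance job, with a flagged key treated as an alert rather than silently repaired, since the change itself is the evidence.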
User Action Required
macOS users who handle cryptocurrency transactions should take immediate steps to protect themselves. First, verify the source of all Xcode projects and development dependencies before installation. Second, enable additional verification when sending cryptocurrency by manually checking the first and last characters of wallet addresses rather than relying solely on clipboard paste. Third, keep macOS security updates enabled and consider using security tools that can detect unauthorized LaunchDaemon modifications. Finally, for transactions involving significant amounts, hardware wallets remain the most reliable defense against clipboard-based interception attacks. As the cryptocurrency market continues to mature with Bitcoin firmly above $109,000, the incentive for attackers to develop sophisticated targeting tools will only increase.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals regarding threat mitigation.
clipboard monitoring that swaps wallet addresses is devastating because the victim sees a valid address, just not theirs. the transaction confirms and funds are gone instantly
mac_sec_ clipboard swap is devastating because the user verifies a valid-looking address. the mental model of checking first and last 4 chars is now insufficient
mac_target exactly. checking first and last 4 chars stopped being safe 3 years ago. i verify the full address on a second device now
The gap between crypto and TradFi is narrowing fast
Interesting perspective — I hadn’t considered that angle before
Mass adoption is happening incrementally — people just don’t notice
whale_watcher_ people don't notice because there isn't a single moment. it's a million wallets opening, a thousand merchants adding lightning, stablecoins in Argentina. slow then sudden
adoption_arc slow then sudden is the right framing. XCSSET has been active for 5 years and keeps evolving. each variant adds more browser targets and better evasion
the fact that XCSSET evolved to target Telegram and Firefox specifically means they are going after the channels devs use most. whoever builds the Xcode trap knows the workflow
run-only AppleScript from a C2 server is nasty. no static analysis tool will catch that since the payload is fetched at runtime