Hackers use ‘sophisticated’ macOS malware to steal cryptocurrency, Microsoft says

Researchers have discovered a new variant of malware targeting macOS systems to steal cryptocurrency and data without being detected.

In a report released on Monday, threat intelligence specialists at Microsoft said that they have discovered the new XCSSET strain in limited attacks. XCSSET, first spotted in the wild in August 2020, spreads by infecting Xcode projects, which developers use to create apps for Apple devices.

The variant uncovered by Microsoft is updated with new features designed to evade detection, persist within the victim’s network and spread through new techniques. Similar to the older version, the new malware targets digital wallets, collects data from the Notes app, and exfiltrates system information and files.

“Users must always inspect and verify any Xcode projects downloaded or cloned from repositories, as the malware typically spreads through infected projects,” Microsoft said. “They should also only install apps from trusted sources, such as a software platform’s official app store.”
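Microsoft's advice above is to inspect a project before building it. As an added example (not code from the article or from Microsoft), the script below reads an Xcode project.pbxproj and flags Run Script build phases whose commands decode, download or evaluate code at build time; it assumes an infected project carries its payload in such a phase (a pattern reported for XCSSET in earlier research, not described on this page), and both the sample project text and the indicator list are constructed for illustration.

```python
"""Flag suspicious Run Script build phases in an Xcode project.pbxproj.

PBXShellScriptBuildPhase / shellScript are real pbxproj keys; the sample
project below is constructed and the indicator list is an assumption.
"""
import re
import sys

# Constructed project.pbxproj fragment: one ordinary script phase and one
# that decodes a hidden payload and pipes it to a shell at build time.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        A1 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "swiftlint --quiet\n";
        };
        B2 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "echo aGVsbG8= | base64 -D | bash\n";
        };
/* End PBXShellScriptBuildPhase section */
'''

# Assumed indicators of a phase that fetches, decodes or evaluates code.
SUSPICIOUS = [
    r"base64\s+(-d|-D|--decode)",   # decoding an embedded blob
    r"\bcurl\b", r"\bwget\b",       # pulling code from the network
    r"\bosascript\b", r"\beval\b",  # executing generated code
    r"\|\s*(ba|z)?sh\b",            # piping output into a shell
    r"\bxattr\s+-[a-z]*d\b",        # stripping file attributes (quarantine)
]

# Each script phase: from its isa line to the quoted shellScript value,
# allowing escaped quotes inside the string.
PHASE_RE = re.compile(
    r'isa = PBXShellScriptBuildPhase;.*?shellScript = "((?:[^"\\]|\\.)*)";',
    re.DOTALL,
)

def find_suspicious_phases(pbxproj_text):
    """Return (script, matched indicators) for every flagged script phase."""
    findings = []
    for m in PHASE_RE.finditer(pbxproj_text):
        script = m.group(1).replace('\\"', '"').replace("\\n", "\n")
        hits = [p for p in SUSPICIOUS if re.search(p, script)]
        if hits:
            findings.append((script, hits))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for script, hits in find_suspicious_phases(text):
        print("SUSPICIOUS PHASE:", script.strip(), "->", hits)
```

Run it with the path to a project.pbxproj (inside the .xcodeproj bundle) to list phases worth reading by hand before building; with no argument it scans the constructed sample.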

Several other researchers have posted reports recently about malware variants used for cryptocurrency and data theft.

In a campaign discovered earlier in December, hackers targeted the cryptocurrency and fintech sectors with a new stealer malware, which researchers named Zhong Stealer. The attackers exploited customer service platforms like Zendesk, posing as customers to trick unsuspecting support agents into downloading the malware. According to researchers, Zhong Stealer exfiltrates stolen data, including credentials and browser extension data, and sends it to servers in Hong Kong.

Slovenia’s computer emergency response team also discovered two malware samples — BeaverTail and InvisibleFerret — that steal data from companies and individuals involved in Web3 technology, such as smart contracts, cryptocurrencies, and blockchain technology.

Researchers haven’t attributed this campaign to a specific threat actor, but security experts have previously linked similar attacks to state-sponsored hackers from North Korea.

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.