Home / Industry

XCSSET Shows How Threat Actors Cope with OS Changes, Does Away with Python Like macOS

Just as software and hardware vendors push upgrades and updates for their products and services to stay secure against the latest threats, so do threat actors work as fast as possible to stay abreast of OS and version modifications. That’s exactly what the XCSSET malware operators have done for their campaigns targeting macOS users to continue working.

When macOS Monterey removed support for Python, so did XCSSET, which relied heavily on the language in the past. Otherwise, related campaigns won’t work against the users of the latest macOS.

Using the eight domains and one IP address identified by SentinelOne as indicators of compromise (IoCs) as a jump-off point, we discovered:

  • Additional domains hosted on the same IP address
  • More than 100 additional domains that contained the same strings as the IoCs
  • Unredacted email addresses used to register the additional domains
  • Nearly 1,000 additional domains that shared the unredacted email addresses
  • More than 20 of the total number of additional domains dubbed “malicious” by various malware engines

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Threat Analysis and Findings

We began our in-depth look at XCSSET by subjecting the eight domains identified as IoCs to Connected Domains API lookups and found that seven of them resolved to 45[.]82[.]153[.]92—also named an IoC. Only cosmodron[.]com didn’t resolve to the IP said address at any point in time.

Using 45[.]82[.]153[.]92 as a reverse IP lookup search string, meanwhile, allowed us to uncover an additional nine domains that haven’t been mentioned in XCSSET-related reports. These are:

  • admobs[.]ru
  • cosmodron[.]com
  • linebrand[.]xyz
  • melodyapps[.]ru
  • monotel[.]xyz
  • nodeline[.]xyz
  • sidelink[.]xyz
  • statsmag[.]ru
  • yahooads[.]ru

We didn’t stop there, though, since we want to identify as many artifacts as possible to help users better protect against ongoing malicious campaigns.

We then sought to find domains that used the same strings as the IoCs and additional artifacts albeit different top-level domain (TLD) extensions. Using the strings “superdocs,” “melindas,” “kinksdoc,” “gurumades,” “gismolow,” “appledocs,” “adobefile,” “cosmodron,” “admobs,” “linebrand,” “melodyapps,” “monotel,” “nodeline,” “sidelink,” “statsmag,” and “yahooads”

as Domains & Subdomains Discovery search strings. That led to the discovery of 126 more artifacts.

Performing a bulk WHOIS lookup for all the domains found so far then uncovered six unredacted personal email addresses used to register the properties. These are:

  • linxxxxx@gmail[.]com
  • xxxxx@monotel[.]com[.]tr
  • engineexxxxx@hotmail[.]com
  • xxxxx@monotel[.]com
  • suxxxxx@superior-docs[.]com
  • domain-xxxxx@oath[.]com

Using these email addresses as reverse WHOIS search strings allowed us to uncover 900 additional domains.

After collating a total of 1,035 artifacts that haven’t been publicized in XCSSET-related reports, we ran them through a bulk malware check on Threat Intelligence Platform (TIP). We found that 23 of them hosted malware.

Concluding Thoughts

While the removal of support for Python on macOS Monterey may have stopped old XCSSET versions from affecting users, the malicious operators’ fast adaptation ensures the latest iteration of their malware will.

Security teams who wish to protect networked-connected Macs from XCSSET may be interested in monitoring access to and from the 1,000+ domains we identified as artifacts and block access to the 23 malicious domains.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy to use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled for 10+ years), and also real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC


Sponsored byVerisign