An increasing number of Mac malware developers have started creating variants that are specifically designed to run on devices powered by Apple’s M1 chip.
Apple unveiled its M1 system-on-chip in November 2020 and the first malware created specifically for systems with the arm64 CPU architecture used by the M1 was apparently created in December. This was a variant of Pirrit, a piece of adware that has been around for several years.
A few days after the existence of this Pirrit variant came to light, managed detection and response firm Red Canary reported identifying a mysterious piece of Mac malware that had infected tens of thousands of devices around the world. This malware, named Silver Sparrow, also had a variant specifically designed for M1 systems.
Kaspersky reported on Friday that it too has spotted a piece of malware with a variant compiled for devices with M1 chips, specifically a variant of the malware known as XCSSET.
XCSSET is a mysterious piece of malware first detailed by Trend Micro and Mac security company Intego in August 2020. It does not appear to have been linked to any known threat group or activity, but a majority of infections spotted at the time were in China and India.
The malware is designed to allow its operator to launch ransomware attacks (i.e. encrypt files and display a ransom note), and steal information from infected devices, including data associated with the Evernote, Skype, Notes, QQ, WeChat, and Telegram apps.
It can also launch universal cross-site scripting (UXSS) attacks in an effort to inject arbitrary JavaScript code into the websites visited by the victim. This allows it to modify sites, including replacing cryptocurrency addresses, and phish credentials and payment card information.
XCSSET spreads through code injected into projects for Xcode, Apple’s integrated development environment. The payload is executed when the project is built.
Kaspersky has seen an XCSSET sample compiled for the arm64 architecture. This sample was uploaded to the VirusTotal malware analysis service on February 24, which has led the company’s researchers to believe that the campaign is likely still ongoing.
Kaspersky noted that in many cases Mac malware is delivered in the Mach-O format, which includes the malicious code compiled for several architectures — depending on what type of device the malware lands on, the code corresponding to that architecture is executed.
“With the new M1 chip, Apple has certainly pushed its performance and energy saving limits on Mac computers, but malware developers kept an eye on those innovations and quickly adapted their executables to Apple Silicon by porting the code to the ARM64 architecture,” Kaspersky researchers wrote in a blog post.
They added, “We have observed various attempts to port executables not just among typical adware such as Pirrit or Bnodlero samples, but also among malicious packages, such as the Silver Sparrow threat and XCSSET downloadable malicious modules. This certainly will give a kickstart to other malware adversaries to begin adapting their code for running on Apple M1 chips.”
Related: Several New Mac Malware Families Attributed to North Korean Hackers
Related: ThiefQuest Mac Malware Includes Ransomware, Data Theft Capabilities
Related: Repurposing Mac Malware Not Difficult, Researcher Shows

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
- Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
Latest News
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Apple Denies Helping US Government Hack Russian iPhones
