Newer, Better XLoader Signals a Dangerous Shift in macOS Malware

Published: 23/11/2024   Category: security




Malware aimed at macOS is no longer just a knockoff of Windows malware, as a new infostealer proliferating on Mac laptops demonstrates.



Editor's note: This article was updated on Aug. 23, 2023, with a statement from Apple.
A new Mac-oriented variant of the XLoader infostealer spread widely in the wild last month, signaling a shift in hackers' ability to effectively target macOS environments.
From mid- to late July, the file OfficeNote.dmg was uploaded to VirusTotal nine times, from countries as far and wide as the US, India, Spain, Singapore, and the Philippines. The innocuously named disk image file was actually an updated version of the XLoader infostealer, specially designed to steal credentials from Mac users.
Hackers increasingly have been converting Windows malware for use in macOS environments as of late, but the newest XLoader is far more than just a janky derivative.
"In the past," says Phil Stokes, a threat researcher at SentinelOne, "it was very common to see cross-platform malware that was a port from a Windows malware, but it was not very effective. The developers didn't really know how to develop for Mac, right? Well, I think that time is behind us now."
The first XLoader built for Mac environments was discovered two years ago, almost to the day. It was a Java program, which proved to be its Achilles' heel. The Java Runtime Environment hasn't been a default element of macOS since Snow Leopard, meaning that XLoader could only work on hosts that had downloaded Java for some reason or another.
The new XLoader has no such flaw — it's written natively in C and Objective-C. It's packaged in an application file with the legitimate-sounding name Office Note, the macOS Microsoft Word logo, and an Apple developer signature. Apple has since revoked the signature, but it won't make much difference, Stokes says.
"All it means is that the developers will have to pivot to another signature. Developers' signatures are bought and sold on the Dark Net, or they're fakes. They can even ad hoc sign, which means it doesn't actually have a developer signature, but it will still get past Apple's Gatekeeper detection."
In a statement provided to Dark Reading after this posting, Apple said that Gatekeeper actually requires more than a developer signature. It also must be notarized by Apple, a company spokesperson said, pointing to this statement on Gatekeeper's support page: "Gatekeeper verifies that the software is from an identified developer, is notarized by Apple to be free of known malicious content, and hasn't been altered."
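A practical way to see which of the signature states discussed above a downloaded bundle is actually in, as an added example (our code, not the article's or SentinelOne's): classify_signature reads the output of Apple's codesign and spctl tools and separates a notarized Developer ID signature from an unnotarized one, an ad hoc signature, a revoked certificate, and no signature at all. The tool names and flags are real; "Example.app", "Example Corp" and the team ID are placeholders, and the sample outputs at the bottom are constructed to follow the tools' usual format.

```python
"""Classify how a downloaded macOS app bundle is signed, as Gatekeeper sees it.

Added example: this is our code, not the article's or SentinelOne's. It
parses the output of Apple's codesign(1) and spctl(8); the sample outputs at
the bottom are constructed to follow those tools' usual format, and
"Example.app", "Example Corp" and team ID "ABCDE12345" are placeholders.
"""
import subprocess
import sys


def classify_signature(codesign_out: str, spctl_out: str) -> str:
    """Return 'unsigned', 'adhoc', 'revoked', 'notarized', 'developer-id' or 'unknown'.

    codesign_out: combined stdout+stderr of `codesign -dv --verbose=4` and
                  `codesign --verify --deep --strict --verbose=2`
                  (codesign prints to stderr).
    spctl_out:    output of `spctl -a -t exec -vv`, i.e. Gatekeeper's verdict.
    Order matters: an ad hoc or revoked bundle must not fall through to the
    Developer ID branch just because a certificate chain is printed.
    """
    if "code object is not signed at all" in codesign_out:
        return "unsigned"
    if "Signature=adhoc" in codesign_out:
        # Ad hoc: a code directory but no identity; no Authority= lines,
        # TeamIdentifier=not set. spctl rejects it as "no usable signature".
        return "adhoc"
    if "CSSMERR_TP_CERT_REVOKED" in codesign_out:
        # What codesign --verify reports once Apple has revoked the certificate.
        return "revoked"
    if ": accepted" in spctl_out and "source=Notarized Developer ID" in spctl_out:
        return "notarized"
    if "Authority=Developer ID Application" in codesign_out:
        # Signed with a Developer ID but not accepted as notarized
        # (spctl reports "source=Unnotarized Developer ID").
        return "developer-id"
    return "unknown"


def _run(*argv: str) -> str:
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def triage(app_path: str) -> str:
    """Run the real tools against a bundle; only meaningful on macOS."""
    if sys.platform != "darwin":
        raise RuntimeError("codesign and spctl exist only on macOS")
    codesign_out = _run("codesign", "-dv", "--verbose=4", app_path)
    codesign_out += _run("codesign", "--verify", "--deep", "--strict", "--verbose=2", app_path)
    spctl_out = _run("spctl", "-a", "-t", "exec", "-vv", app_path)
    return classify_signature(codesign_out, spctl_out)


# Constructed sample outputs (placeholder names, not real tool captures).
DEVID_CHAIN = (
    "Executable=/tmp/Example.app/Contents/MacOS/Example\n"
    "Identifier=com.example.app\n"
    "Format=app bundle with Mach-O universal (x86_64 arm64)\n"
    "CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded\n"
    "Authority=Developer ID Application: Example Corp (ABCDE12345)\n"
    "Authority=Developer ID Certification Authority\n"
    "Authority=Apple Root CA\n"
    "TeamIdentifier=ABCDE12345\n"
)
CODESIGN_DEVID = DEVID_CHAIN + "/tmp/Example.app: valid on disk\n"
CODESIGN_REVOKED = DEVID_CHAIN + "/tmp/Example.app: CSSMERR_TP_CERT_REVOKED\n"
CODESIGN_ADHOC = (
    "Executable=/tmp/Example.app/Contents/MacOS/Example\n"
    "Identifier=com.example.app\n"
    "CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=10+3 location=embedded\n"
    "Signature=adhoc\n"
    "TeamIdentifier=not set\n"
)
CODESIGN_UNSIGNED = "/tmp/Example.app: code object is not signed at all\n"

SPCTL_NOTARIZED = (
    "/tmp/Example.app: accepted\nsource=Notarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (ABCDE12345)\n"
)
SPCTL_UNNOTARIZED = (
    "/tmp/Example.app: rejected\nsource=Unnotarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (ABCDE12345)\n"
)
SPCTL_REJECTED = "/tmp/Example.app: rejected\nsource=no usable signature\n"

if __name__ == "__main__":
    for name, cs, sp in [
        ("notarized", CODESIGN_DEVID, SPCTL_NOTARIZED),
        ("developer-id", CODESIGN_DEVID, SPCTL_UNNOTARIZED),
        ("revoked", CODESIGN_REVOKED, SPCTL_REJECTED),
        ("adhoc", CODESIGN_ADHOC, SPCTL_REJECTED),
        ("unsigned", CODESIGN_UNSIGNED, SPCTL_REJECTED),
    ]:
        print(name, "->", classify_signature(cs, sp))
```

The spctl line is the one to trust: a bundle that codesign describes as signed can still be rejected, as the unnotarized and ad hoc samples show, and a revoked certificate only surfaces once codesign --verify actually checks the chain rather than just printing it.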
SentinelOne's Stokes explains that when the file is executed, it will present the user with an error message, while simultaneously installing its payload and a persistence mechanism in the background of the machine.
Once installed, XLoader will attempt to steal credentials saved in Firefox and Chrome, as well as the contents of the user's clipboard.
Notably, at the time of SentinelOne's publication, Apple's anti-malware tool XProtect did not have a signature for detecting and blocking OfficeNote.dmg.
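When XProtect has no signature, the background persistence the dropper installs is what a responder can still go looking for. The following is added here and is not code from the article or SentinelOne: it scores launchd property lists by the indicators that distinguish a dropper's agent from a vendor's. The article does not say which persistence mechanism XLoader uses, so this is a generic LaunchAgent/LaunchDaemon hunt rather than an XLoader signature; the two plists it ships with are constructed samples with made-up labels and paths.

```python
"""Score launchd property lists for the persistence a dropper leaves behind.

Added example: our code, not the article's or SentinelOne's. The article says
only that the dropper installs "a persistence mechanism" in the background;
LaunchAgents (per-user) and LaunchDaemons (system) are the standard launchd
persistence on macOS, so this is a generic hunt, not an XLoader signature.
The two plists at the bottom are constructed; labels and paths are made up.
"""
import plistlib
from pathlib import Path

# Paths a legitimate vendor agent rarely runs from (user-writable, temporary).
WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")
# A "Program" that is really an interpreter means the payload is in the arguments.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl", "curl"}


def assess_launch_item(plist_bytes: bytes) -> dict:
    """Return label, program and a sorted list of indicator names for one plist."""
    item = plistlib.loads(plist_bytes)
    args = [str(a) for a in item.get("ProgramArguments", [])]
    program = item.get("Program") or (args[0] if args else None)
    indicators = set()

    if item.get("RunAtLoad"):
        indicators.add("RunAtLoad")        # starts at login / boot
    if item.get("KeepAlive"):
        indicators.add("KeepAlive")        # launchd restarts it if killed
    if program is None:
        indicators.add("no-program")
    elif Path(program).name in INTERPRETERS:
        indicators.add("interpreter-wrapper")

    for token in ([program] if program else []) + args:
        parts = token.split("/")
        if any(p.startswith(".") and p not in (".", "..") for p in parts):
            indicators.add("hidden-path")  # e.g. ~/.something/payload
        if token.startswith(WRITABLE_PREFIXES):
            indicators.add("user-writable-location")
        if token.startswith(("http://", "https://")):
            indicators.add("url-in-args")

    return {"label": item.get("Label"), "program": program, "indicators": sorted(indicators)}


def scan_launchd_dirs(dirs=None):
    """Yield an assessment for every plist launchd would load from the given dirs."""
    if dirs is None:
        dirs = (Path.home() / "Library" / "LaunchAgents",
                Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons"))
    for d in dirs:
        if not d.is_dir():
            continue
        for path in sorted(d.glob("*.plist")):
            try:
                result = assess_launch_item(path.read_bytes())
            except Exception as exc:  # a malformed plist is itself worth a look
                result = {"label": None, "program": None, "indicators": [f"unparseable:{exc}"]}
            result["path"] = str(path)
            yield result


# Constructed samples (made-up labels and paths).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/ExampleAgent</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/Users/victim/.cache-helper/update</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        print(assess_launch_item(sample))
    for hit in scan_launchd_dirs():
        if len(hit["indicators"]) >= 3:
            print("review:", hit)
```

The point of scoring rather than matching is that none of these indicators is malicious on its own (plenty of vendor agents set RunAtLoad), but a shell wrapper launching something from a hidden directory under a home folder, kept alive by launchd, is exactly the shape of a silent background install and deserves a look regardless of what XProtect thinks.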
Because MacBooks historically have been marketed to individuals rather than industry or big business, they've tended to be of less interest to cybercriminals. "Five years ago, there were not very many people who had Macs in the enterprise. Now developers love them, the C-suite loves them, and so they're great targets. And threat actors will follow wherever the trend is."
Threat actors began experimenting with Mac malware by unevenly rejiggering existing Windows malware. At best, they would write new malware in languages friendly to both operating systems, like Golang or Rust. "They're such easy languages for people to learn, and such powerful languages. It's now much easier to write very good software for different platforms that is going to work out of the box," Stokes says.
Now, he adds, entire cybercrime teams are dedicated to Mac development. The results are bearing fruit in the form of this new XLoader, but also programs like Atomic Stealer, MacStealer, and PureLand.
But to Stokes, it isn't merely that good malware now exists for MacBooks.
"The problem is that Apple has this kind of attitude to malware, where they take it seriously, but they want it all to be invisible to the user," he explains. The company's dogmatic commitment to a seamless, low-effort user experience, which got them so far with consumers in the past, may not be what's called for in the world of enterprise security.
"If you've got a Windows machine, you've got a big Microsoft Defender settings page you can go and play with, and run your own scans," he explains. "Apple's approach is: We're going to take care of this silently in the background. And that, for enterprises or businesses of any level, is no good. You cannot have infections going on in the background without your security team knowing about it."
Time will tell how Apple's approach to security will stand up to scrutiny. For now, organizations running macOS will need to layer extra security on top of what they've got by default.
The key, Stokes says, is that businesses should have some other kind of detection, other than just relying on Apple. "Just go and make sure you've got something that's giving you that extra visibility and protection."
