Trojan:MacOS/HackBrowserData.A
Aliases: No associated aliases
Summary
Trojan:MacOS/HackBrowserData.A is a detection for a customized build of an open-source browser information-stealing tool (the HackBrowserData project the detection name refers to) used as a payload module by the XCSSET macOS malware family. It spreads through compromised Xcode projects: the malicious code runs when the project is built, so a developer who opens and builds a shared project is infected without launching anything else. Its job is to steal data from the Firefox browser, including saved passwords, credit card details, and browsing history. The targeting is deliberate rather than opportunistic: software developers who share project files are both the initial victims and the means by which the infection reaches the next developer.
The threat is modular and built for stealth and persistence. After initial launch it contacts remote command and control servers and downloads further encrypted modules, which add capabilities such as real-time clipboard monitoring to swap or capture cryptocurrency wallet addresses and hooks that keep the malware running on the system. Compared with earlier, broader XCSSET campaigns, this variant is tuned toward maintaining long-term access and exfiltrating specific, high-value developer data.
- Immediately disconnect the infected macOS device from all networks, including wired, Wi-Fi, and Bluetooth, to halt data theft.
- Locate and delete all identified malicious files, paying close attention to the /tmp/ directory and any hidden folders like ~/.root.
- Remove any fraudulent LaunchAgent or LaunchDaemon property lists. Per-user agents live in ~/Library/LaunchAgents/; system-wide agents and daemons live in /Library/LaunchAgents/ and /Library/LaunchDaemons/ (macOS has no per-user LaunchDaemons folder, so a plist claiming that location is itself suspicious).
- Inspect and clean shell initialization files (.zshrc, .bash_profile) by removing any unknown appended lines.
- Reset Firefox to its default state, or reinstall it, to clear locally stored sessions, then change every password that was saved in the browser and sign out of all sessions on the affected sites. A reset only removes the local copies; data already exfiltrated stays usable by the attacker until those credentials and sessions are revoked.
- Review and rebuild any local Xcode projects from a known clean source, as original project files may remain infected.
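The steps above can be turned into a read-only audit so that nothing is deleted before a human has looked at it. The script below is an added example written for this page; it is not Microsoft's tooling or anything from the XCSSET family, and it reports only. The suspicious-string pattern it uses (references to /tmp, to hidden paths, and to commands droppers commonly rely on) is an assumed heuristic, not a signature from the write-up; the check on Xcode Run Script build phases assumes, from public reporting rather than from this page, that XCSSET injects its loader as such a phase. The home directory, system root and project directory are parameters, so the same functions run against the constructed fixture that `make_fixture` builds (fake paths, no real malware) and against a live Mac. The file name `audit.sh` in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not Microsoft's tooling: a read-only audit of the artifact locations
# the remediation steps name. It reports and deletes nothing. The home directory and
# system root are parameters so the checks run on a constructed fixture or a live Mac.

# Heuristic pattern (assumption, not from the write-up): references to /tmp, to hidden
# paths, and to commands droppers commonly use in appended shell lines and build phases.
PATTERN='/tmp/|/private/tmp/|/\.[A-Za-z]|base64|osascript|nohup|xattr -d'

# 1. ~/.root and hidden entries under /tmp. Returns 1 if anything was found.
audit_hidden_dirs() {
  hd="$1"; sr="$2"; rc=0
  if [ -d "$hd/.root" ]; then echo "hidden dir: $hd/.root"; rc=1; fi
  for f in "$sr/tmp"/.[!.]*; do
    [ -e "$f" ] || continue
    echo "hidden entry in tmp: $f"; rc=1
  done
  return $rc
}

# 2. Launch jobs whose program path points into /tmp or a hidden directory.
#    There is no ~/Library/LaunchDaemons on macOS, so only the three real folders are read.
audit_launch_plists() {
  hd="$1"; sr="$2"; rc=0
  for dir in "$hd/Library/LaunchAgents" "$sr/Library/LaunchAgents" "$sr/Library/LaunchDaemons"; do
    for p in "$dir"/*.plist; do
      [ -f "$p" ] || continue
      hit=$(grep -E -o '<string>[^<]*</string>' "$p" | grep -E '/tmp/|/private/tmp/|/\.[A-Za-z]' | head -n 1)
      if [ -n "$hit" ]; then echo "suspicious launch job: $p -> $hit"; rc=1; fi
    done
  done
  return $rc
}

# 3. Lines in shell start-up files matching PATTERN, with line numbers for review
#    (the write-up names .zshrc and .bash_profile; the other two are checked as well).
audit_shell_rc() {
  hd="$1"; rc=0
  for f in "$hd/.zshrc" "$hd/.bash_profile" "$hd/.zprofile" "$hd/.bashrc"; do
    [ -f "$f" ] || continue
    hits=$(grep -n -E "$PATTERN" "$f" || true)
    if [ -n "$hits" ]; then echo "$f:"; echo "$hits" | sed 's/^/  /'; rc=1; fi
  done
  return $rc
}

# 4. Run Script build phases in every project.pbxproj below a directory. Each is a
#    shellScript = "..." entry. All are listed for review; one matching PATTERN is flagged
#    (assumption from public reporting: XCSSET adds such a phase to the victim's project).
audit_xcode_projects() {
  dir="$1"; rc=0
  listing=$(find "$dir" -name project.pbxproj -exec grep -H -n 'shellScript = ' {} \; 2>/dev/null || true)
  [ -n "$listing" ] || return 0
  echo "run-script build phases to review (rebuild from a clean source if unexpected):"
  echo "$listing" | sed 's/^/  /'
  if find "$dir" -name project.pbxproj -exec grep -h 'shellScript = ' {} \; 2>/dev/null | grep -q -E "$PATTERN"; then rc=1; fi
  return $rc
}

# Runs all four checks; exit status is the number of checks that found something (0 = clean).
audit_all() {
  hd="$1"; sr="$2"; pd="$3"; total=0
  audit_hidden_dirs "$hd" "$sr"   || total=$((total + 1))
  audit_launch_plists "$hd" "$sr" || total=$((total + 1))
  audit_shell_rc "$hd"            || total=$((total + 1))
  audit_xcode_projects "$pd"      || total=$((total + 1))
  echo "checks with findings: $total"
  return $total
}

# Constructed fixture (fake paths, no real malware): a home directory, a tmp directory,
# a system Library and one Xcode project carrying one artifact of each kind, plus a
# benign vendor daemon that must not be flagged. Prints the fixture root.
make_fixture() {
  fx=$(mktemp -d)
  mkdir -p "$fx/home/.root" "$fx/home/Library/LaunchAgents" "$fx/tmp/.hidden" \
           "$fx/Library/LaunchDaemons" "$fx/home/App/App.xcodeproj"
  printf 'export PATH="$HOME/bin:$PATH"\nalias ll="ls -la"\n' > "$fx/home/.zshrc"
  printf 'nohup /tmp/.hidden/run >/dev/null 2>&1 &\n' >> "$fx/home/.zshrc"   # appended by a dropper
  cat > "$fx/home/Library/LaunchAgents/com.example.updater.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Users/dev/.root/agent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
  cat > "$fx/Library/LaunchDaemons/com.vendor.helper.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.helper</string>
  <key>ProgramArguments</key><array><string>/Library/Vendor/helper</string></array>
</dict></plist>
EOF
  cat > "$fx/home/App/App.xcodeproj/project.pbxproj" <<'EOF'
/* Begin PBXShellScriptBuildPhase section */
  AB12 /* Run Script */ = { isa = PBXShellScriptBuildPhase; shellPath = /bin/sh;
    shellScript = "/tmp/.hidden/run \"$PROJECT_DIR\" &\n"; };
/* End PBXShellScriptBuildPhase section */
EOF
  echo "$fx"
}

# Usage (hypothetical file name):  sh audit.sh live [projects-dir]   audits this Mac
#                                  sh audit.sh fixture               runs on the fixture
case "${1:-}" in
  live)    audit_all "$HOME" "" "${2:-$HOME}" ;;
  fixture) fx=$(make_fixture); audit_all "$fx/home" "$fx" "$fx/home"; rm -rf "$fx" ;;
esac
```

Against the fixture, the script reports all four kinds of artifact and exits with status 4, while the benign vendor daemon is not mentioned; on an empty directory tree it exits 0. On a real machine treat the output as a worklist: an unexpected Run Script phase is the reason to rebuild the project from a known clean source rather than to edit the pbxproj in place, and a shell start-up line flagged here should be read before it is deleted, since the pattern is a heuristic and will also match legitimate lines that happen to reference a dotfile.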
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.