Get all your news in one place.
100’s of premium titles.
One app.
Start reading
Tom’s Guide
Tom’s Guide
Technology
Anthony Spadafora

This notorious Mac malware has resurfaced as an office productivity app — how to stay safe

MacBook Pro 16-inch 2021 sitting on a patio table

Macs are under attack from a new variant of the infamous XLoader malware which has been rewritten to run natively on the best MacBooks.

While XLoader has been around since at least 2015, it was primarily used to target Windows PCs until a macOS variant was spotted back in 2021. However, that version was distributed as a Java program which limited its ability to run on Macs since Apple hasn’t included the Java Runtime Environment on its computers for more than a decade.

Now though, a new version of XLoader, written in the C and Objective C programming languages that’s also signed with an Apple developer signature, has been spotted in the wild according to a blog post from the cybersecurity firm SentinelOne.

Hackers have also come up with a clever way to trick unsuspecting Mac users into installing this new version of XLoader. Unlike in the past when the malware was distributed as an attachment in phishing emails, it’s now masquerading as an office productivity app called "OfficeNote."

Stealing clipboard data from vulnerable Macs

This new version of XLoader is bundled inside an installation file for the fake productivity app OfficeNote and while it was signed with a developer signature back in July of this year, Apple has since revoked the signature.

Unfortunately though, as SentienOne’s tests have confirmed, Apple’s own XProtect malware scanner does not have the necessary signature to prevent this malicious app from running on your Mac.

XLoader is actually a Malware-as-a-Service offering that hackers pay its creators to use in their attacks. According to posts on dark web hacking forums, it costs $199 per month or $299 for three months to gain access to this new macOS version of XLoader, which is much more expensive than its Windows counterpart which costs $59 per month or $129 for three months.

If an unsuspecting Mac user does download and try to install the malicious OfficeNote app, they’re greeted with an error message which says that the program can’t be installed. Instead, the XLoader malware is installed on their system and it also deploys a persistence agent so that it can remain undetected on an infected Mac.

From here, XLoader attempts to steal passwords and other sensitive data from a user’s clipboard in macOS. It also targets both Google Chrome and Mozilla Firefox to steal cookies and other data stored in your browser but just like other infostealing malware on Mac, it ignores Safari.

How to stay safe from malicious Mac apps

(Image credit: Shutterstock)

In order to protect yourself from malicious apps on Mac, you want to avoid installing software for unofficial sources online. Instead, you should stick to the Mac App Store or the sites of reputable developers with a history of making secure software.

While your Mac has built-in security software like XProtect and Gatekeeper, you should also consider installing and using one of the best Mac antivirus software solutions for additional protection. Third-party Mac antivirus software is updated more frequently which can help you stay safe from viruses that XProtect or Gatekeeper may miss.

Now that there’s a brand new version of XLoader designed specifically for macOS that’s available for hackers to rent online, expect to see similar campaigns in the future targeting vulnerable Macs.

More from Tom's Guide

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.