Emerging Threats

macOS malware XLoader returns disguised as a productivity app

Ray Fernandez

Sep 1, 2023 | 2 min read


XLoader, a popular information stealer that has been around since 2015 and mostly targets Windows computers, is back. And now, it can breach your Mac. In fact, SentinelOne has reported that the new XLoader malware comes with new tricks. This trojan mimics a legitimate app to infiltrate devices, passing itself off as a Microsoft Office productivity app called OfficeNote.

How XLoader is distributed and how it breaches your Mac

The new XLoader malware presents itself as an official Microsoft productivity app named OfficeNote.app. While it is not being distributed through the Apple App Store, SentinelOne reports that the Mac version of the malware is being sold on cybercriminal underground forums for $199 per month or $299 per quarter.

Attackers buying this malware distribute it via spam email campaigns, phishing campaigns that target large or small groups of users, and posts on fake websites or links from fake banner ads.

At the time of this writing, this trojan cannot be detected by Apple’s malware-blocking tool XProtect. If a user downloads and runs this app, the malware will install immediately without any alert on their computer.

Users who do download the app will get an error message saying that the application cannot be opened, but in reality, XLoader is already in their system.

Screenshot of VirusTotal showing distribution of the XLoader malware.
Detections listed by VirusTotal reveal that the new XLoader is very much out in the wild.

Here’s how dangerous the XLoader malware is

This new malware should not be underestimated. As a trojan, it not only enters systems undetected but is capable of installing other pieces of malware, stealing information, and opening doorways for attackers into victims’ devices.

XLoader can:

  • Steal passwords and sensitive data
  • Steal cookies and data from browsers, including Chrome and Firefox (not Safari)
  • Abuse stolen accounts, emails, social networks, social media, messengers, and other communication apps
  • Be used to launch phishing campaigns against users’ contacts
  • Breach finance-related accounts, including online banking, digital wallets, e-commerce, and more
  • Be used to launch additional malware, including ransomware, crypto-jacking, and more
  • Record screens, keystrokes, and audio and video using the infected computer’s camera and microphone

How to get rid of XLoader

SentinelOne warns that this trojan is coded to avoid manual detection. In other words, even those who have the technical knowledge and know where to look for this malware may not find it.

The best protection against XLoader is awareness, which means not downloading it in the first place. Additionally, a trusted, professional, and advanced anti-malware solution running in the background is your best defense when it comes to detecting trojans like XLoader. Finally, never download apps that are not available through the Apple App Store, that aren't well known, or that look suspicious.
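Because the article notes that XProtect did not flag this sample, a pre-launch check that relies on a different signal is worth having. The script below is an added example, not code from the article or from SentinelOne: it asks Gatekeeper's assessment tool, spctl, whether a downloaded bundle such as OfficeNote.app would be allowed to run and whether it carries a notarization ticket, and only then opens it. The spctl invocation and the "accepted"/"rejected" and "source=" lines it parses are standard macOS behaviour, but the exact wording of the "source=" line is taken as an assumption; whether this particular XLoader sample is signed or notarized is not stated in the article. On a non-macOS host the check reports "unavailable" rather than guessing.

```shell
#!/bin/sh
# Added example: gate a downloaded .app behind Gatekeeper's verdict before opening it.
# Only the parsing helpers run off macOS; the spctl call needs a Mac.

# classify_verdict TEXT: reduce spctl's "-vv" output to one word.
# spctl prints "<path>: accepted" or "<path>: rejected" (assumed format).
classify_verdict() {
  case "$1" in
    *": accepted"*) printf 'accepted\n' ;;
    *": rejected"*) printf 'rejected\n' ;;
    *)              printf 'unknown\n' ;;
  esac
}

# is_notarized TEXT: succeed only when the "source=" line says the app was notarized.
# The literal "Notarized Developer ID" is an assumption about spctl's wording.
is_notarized() {
  case "$1" in
    *"source=Notarized Developer ID"*) return 0 ;;
    *) return 1 ;;
  esac
}

# assess_app PATH: print accepted|rejected|unknown|unavailable.
# Returns 0 only when Gatekeeper accepts the bundle AND it is notarized.
assess_app() {
  app="$1"
  if ! command -v spctl >/dev/null 2>&1; then
    printf 'unavailable\n'
    return 2
  fi
  # spctl writes its verdict to stderr; capture both streams.
  out=$(spctl --assess --type execute -vv "$app" 2>&1)
  verdict=$(classify_verdict "$out")
  printf '%s\n' "$verdict"
  [ "$verdict" = accepted ] && is_notarized "$out"
}

# safe_open PATH: open the app only if assess_app is satisfied; otherwise
# leave it alone and tell the user why, so a fake "cannot be opened" dialog
# from the bundle itself never gets a chance to run.
safe_open() {
  app="$1"
  if assess_app "$app" >/dev/null; then
    echo "Gatekeeper accepted and notarized: opening $app"
    open "$app"
  else
    echo "Refusing to open $app: not accepted by Gatekeeper or not notarized"
    return 1
  fi
}

# Usage (macOS): safe_open ~/Downloads/OfficeNote.app
```

The important design choice is to treat "accepted but not notarized" the same as "rejected": a developer-signed but unnotarized bundle has never been scanned by Apple, and that is exactly the gap a freshly repackaged trojan sits in.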

Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.