top of page

New XLoader macOS Malware Variant Disguised as Productivity App 'OfficeNote'

This latest iteration of the XLoader malware for Apple macOS conceals its destructive functionality by pretending to be an office productivity programme called "OfficeNote."

According to SentinelOne's Dinesh Devadoss and Phil Stokes, "the new version of XLoader is bundled inside a standard Apple disc image with the name OfficeNote.dmg," as they explained in an analysis published on Monday. It has been digitally signed by the application's developer, MAIT JAKHU (54YDV8NU9C).

As a data stealer and keylogger distributed via the malware-as-a-service (MaaS) architecture, XLoader, which was originally discovered in 2020, is widely regarded as Formbook's successor. In July of 2021, a macOS-compatible version of the malware appeared; it was originally released as a Java programme, but then morphed into a.JAR file and spread through that method.

The security firm warned at the time that "such files require the Java Runtime Environment," and so the malicious.jar file would not operate on a macOS install out of the box because Apple discontinued providing JRE with Macs over a decade ago.

To work around this restriction, the most recent version of XLoader uses C and Objective C, and the disc image file is signed on July 17, 2023. The signature was later withdrawn by Apple.

SentinelOne claimed that over the month of July 2023, it saw numerous submissions of the artefact on VirusTotal, indicating a large campaign.

According to the study's authors, "advertising on crimeware forums offer the Mac version for rental at $199/month or $299/3 months." "Interestingly, this is more expensive than the $59/month and $129/3-month plans for Windows versions of XLoader."

After being run, OfficeNote claims it "can't be opened because the original item can't be found," but really installs a Launch Agent in the background to maintain state.


XLoader is built to steal information from the clipboard and the folders of popular web browsers like Chrome and Firefox. However, Safari is not a target.

The virus is set up to execute sleep commands to prolong its operation and prevent raising any red flags, in addition to the other measures it takes to avoid investigation by both humans and automated solutions.

"XLoader continues to present a threat to macOS users and businesses," the researchers wrote.

Users in an office setting are the clear targets of this current version, which disguises itself as an office productivity programme. The software tries to take information from the victim's browser and clipboard that could be used or sold by the hackers to compromise other computers.

6 views0 comments


bottom of page