mayank-joshi-01/XCSSET-Malware-Scripts-2025

PS: Please analyze everything responsibly. (No, I'm not paying for your incident response team if you open it on prod.)

XCSSET 2025 - Scripts & Binaries Dump

"Sometimes you chase malware.
Sometimes malware chases you.
Sometimes you just procrastinate so hard that Microsoft beats you to it."


📖 Background

In February 2025, I stumbled across some interesting evolutions in the XCSSET malware family.
Naturally, like any responsible researcher, I immediately started... thinking about writing a detailed report.

Fast-forward through a few weeks of procrastination, overthinking, and several existential crises,
and — surprise — Microsoft dropped their official blog post first.
Good job, team. (Genuinely.) I came up with this report under peer pressure.

🤖 Fun Fact

I even spent $10 on GPT trying to "speed-run" a Cyber Threat Intelligence report.
Spoiler:

  • GPT gave me a bunch of words.
  • I gave up.
  • Here we are.

🎯 What's Inside

  • Fully decoded XCSSET 2025 malicious scripts
  • Extracted binaries used for payload delivery, persistence, and obfuscation
  • Mapping notes (where applicable) to MITRE ATT&CK
  • No cheap clickbait — actual raw material for researchers and defenders

This repo is meant for:

  • Threat researchers 🕵️‍♂️
  • Blue teams hunting Mac malware 🔵
  • Students who want to see real-world malware in action 📚
  • Anyone who's sick of "we detected threat actor activity" posts with zero technical depth.

⚡ Disclaimer

  • This is for educational and defensive purposes only.
  • Treat everything here like a loaded gun.
  • Analyze in isolated labs, sandbox environments, or while wearing a tinfoil hat.
  • No, I’m not responsible if you infect your own machine because you double-clicked something you shouldn’t have.

🧠 Why Even Bother?

Because good malware analysis deserves to be open, raw, and honest,
not locked behind buzzwords, NDAs, or paywalls.

If one person builds a better detection rule from this,
then that’s a win bigger than my failed $10 GPT experiment.


📂 Repo Structure

📂 scripts

Decoded malicious scripts.

📂 Mach-O-Binaries

Binaries referenced by the decoded scripts above, extracted from the C2 server.

📂 Scripts-Working-Flow

Flow diagrams for some of the scripts.

📂 AI-generated-reports

Detailed explanations of the scripts, generated with the OpenAI (GPT-4.1) API.

🎤 Final Words

Learn something.
Break something (in a lab, please).
Get better.

And hey — if you want to ask me anything about this or actually build something cool off this,
drop me a message; here is my LinkedIn.
I'm always down to hear about wins (or fails — we learn from both).
