Sophisticated 'Xagent' Malware for Stealing Passwords and iPhone Backups Now Targets Mac Users - MacRumors
Skip to Content

Sophisticated 'Xagent' Malware for Stealing Passwords and iPhone Backups Now Targets Mac Users

by

A new version of Xagent, malware reportedly created by Russian hacking group APT28, has been discovered, and this version targets Mac users.

As outlined in a blog post by antivirus company Bitdefender (via Ars Technica), Xagent has previously been used to infiltrate Windows, iOS, Android, and Linux devices, but now Macs are vulnerable to attack as well. This is the first version of Xagent that's believed to be able to infiltrate Macs.

macbook pros 2015
The Mac version of Xagent is described as a backdoor that can be customized to do things like log passwords, detect system configurations, execute files, take screenshots of the display, and access iOS backups stored on the Mac.

The sample we are discussing today has been linked to the Mac OSX version of Xagent component from Sofacy/APT28/Sednit APT. This modular backdoor with advanced cyber-espionage capabilities is most likely planted on the system via the Komplex downloader.

Once successfully installed, the backdoor checks if a debugger is attached to the process. If it detects one, it terminates itself to prevent execution. Otherwise, it waits for an Internet connection before initiating communication with the C&C servers.

After the communication has been established, the payload starts the modules. Our preliminary analysis shows most of the C&C URLs impersonate Apple domains.

APT28 is the cyberespionage group that has been accused of hacking into the U.S. Democratic National Committee last year and interfering with the 2016 presidential election.

Bitdefender isn't entirely sure how the Mac version of Xagent is being distributed to users, but it could be spread via a macOS malware downloader called Komplex, which exploits a vulnerability in the virus-like MacKeeper software. Research on the malware is ongoing.

Mac users concerned about Xagent should avoid downloading anything that doesn't come from the Mac App Store or a well-known developer.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Top Rated Comments

B
bluespark
121 months ago
A malware discussion is political? Everyone should be able to comment on this.
Score: 19 Votes (Like | Disagree)
M
manu chao
121 months ago
Maybe it is time that MacKeeper is classified as malware by anti-malware applications ...
Score: 12 Votes (Like | Disagree)
John.B Avatar
John.B
121 months ago
Mac users concerned about Xagent should avoid downloading anything that doesn't come from the Mac App Store or a well-known developer.
The attack vector is based on a vulnerability in Mackeeper.

Keep that off your Mac and you'll be fine.
Score: 5 Votes (Like | Disagree)
keysofanxiety Avatar
keysofanxiety
121 months ago
Maybe it is time that MacKeeper is classified as malware by anti-malware applications ...
It is. MalwareBytes deletes it.
Score: 5 Votes (Like | Disagree)
9
997440
121 months ago
More information on this issue from @thomasareed. He's unable to post here because he has less than 100 posts.

He wanted to let us "know that this new "XAgent" variant of Komplex has absolutely no relation to a MacKeeper exploit. The writer has conflated this variant with one specific older variant from 2015. As much as I'd like to be able to blame MacKeeper, that vulnerability was closed in 2015, and there's no indication whatsoever that MacKeeper is in any way involved with the "XAgent" variant."





(Mr. Reed works for Malwarebytes and codes Malwarebytes Anti-Malware for Mac. Prior to this he developed Adware Medic and wrote extensively about security matters, and other Mac matters, at thesafemac((dot))com.)
Score: 2 Votes (Like | Disagree)
Kajje Avatar
Kajje
121 months ago
Installation of that Mackeeper pest should be blocked on firmware level.
Score: 2 Votes (Like | Disagree)
Read All Comments

Popular Stories

Apple Card iPhone 16 Pro Feature

Apple Card Promo to Offer Free AirPods Pro 3

Friday May 15, 2026 8:59 am PDT by
Starting as early as next week, customers who sign up for an Apple Card at Apple's retail stores in the U.S. will receive $249 cash back when they purchase AirPods Pro 3, according to Bloomberg's Mark Gurman. The promotion has yet to be officially announced by Apple, so exact terms and conditions are not available at this time. AirPods Pro 3 are priced at $249 in the U.S., so customers who...
Read Full Article40 comments
Apple WWDC25 iOS 26 CarPlay Light mode 250609

Six Popular iPhone Apps Now Available on CarPlay

Thursday May 14, 2026 9:10 am PDT by
Apple's CarPlay system for accessing iPhone apps on a vehicle's dashboard screen has received six popular apps in recent weeks: ChatGPT, Perplexity, Grok, Google Meet, WhatsApp, and the indie artist streaming platform Audiomack. Make sure you have the latest version of each app and they will automatically appear on CarPlay. ChatGPT Starting with iOS 26.4, CarPlay supports voice-based...
Read Full Article29 comments
ipad mini 7 blue

OLED iPad Mini: Release Date, Pricing, and What to Expect

Thursday May 14, 2026 5:08 am PDT by
According to the latest rumors, Apple is close to launching its next-generation iPad mini. So what should we expect from the successor to the iPad mini 7 that Apple released over a year ago? Read on to find out. Processor and Performance Apple is working on a next-generation version of the iPad mini (codename J510/J511) that features the A19 Pro chip, according to information found in code...
Read Full Article87 comments