XLoader malware rises again on macOS disguised as ‘OfficeNote’ app

A close up of a person's hands on a Macbook keyboard with a red exclamation mark overlaid
(Image credit: Getty Images)

MacOS users are being targeted by a new malware variant disguised as a signed productivity application called ‘OfficeNote’. 

The malware is a new version of XLoader, an infostealer, and botnet that has been lurking on various platforms for years. It was spotted on macOS in 2021 in Java form. 

Apple has since stopped shipping the Java Runtime Environment by default, thus limiting the attack surface. However, XLoader has responded and returned as a native application that looks very much like an office productivity app. 

A user could easily be duped into downloading ‘OfficeNote’ thanks to its branding, which bears a distinct resemblance to Microsoft’s Office productivity suite. Researchers at SentinelOne also noted that the application, bundled inside a standard Apple disk image, had been signed on July 17, 2023 - although Apple has since revoked the signature. 

Attempting to execute ‘OfficeNote’ generates an error. However, in the background, the malware drops its payload and installs a persistence agent. Once up and running, the payload attempts to steal clipboard data, as well as browser information if the victims are using Firefox or Chrome – researchers say the malware seems to be ignoring Safari. 

Researchers also noted that the malware appears to have been widely distributed, with multiple submissions appearing on VirusTotal throughout July 2023. The Mac version is also being offered on crimeware forums for rental at $199 per month - or $299 for three months - a substantial premium over Windows variants of XLoader, which start at $59 per month. 

Despite the revocation of the signature, SentinelOne’s researchers stated that “Apple’s malware blocking tool, XProtect, does not have a signature to prevent execution of this malware at the time of writing”. 


Whitepaper cover: Advancing your risk management maturity, with image of colleagues chatting in an office

(Image credit: ServiceNow)

Discover the five key stages that will help you achieve a how successful maturity journey.


While XLoader has long been a threat, this new variant, and its productivity disguise, is a clear indicator that threat actors are targeting macOS business users in particular. 

Researchers said: “This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment”. 

Apple hardware has continued to be targeted during 2023, with versions of the LockBit encryptor targeting machines using Apple Silicon turning up in April and new spyware threats identified in July. Recent research from Proofpoint also showed the speed with which threat actors could port Windows malware to macOS in an effort to thwart security controls.

A recent report from Malwarebytes also noted that, although still rare, Mac malware was on the rise. In July, Michael Covington, VP of portfolio strategy at Jamf, told ITPro that “attacks against Apple devices were changing, both in terms of intensity and purpose”.

Richard Speed
Staff Writer

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITProCloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.

Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.