What is Xagent?

Xagent is the work of a cybercriminal organization APT28 (also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM), which has, with some level of official certainty, the official backing of the Russian government.

Since 2004, Fancy Bear has been allegedly responsible for attacks on the Democratic National Committee, the German parliament, NATO, European security organizations, French television stations, and even the White House. Make no mistake; this is a sophisticated, highly funded operation capable of causing serious cyber damage worldwide.

Numerous cybersecurity companies, the British Foreign & Commonwealth Office (FCO), and the United States Special Counsel — in an ongoing probe identifying Russian involvement in the US 2016 presidential elections — have noted that this group is either sponsored by the GRU (Russia’s main intelligence agency) or consists of at least two GRU cyber units, known as Unit 26165 and Unit 74455. Alongside more high-profile attacks, Fancy Bear consistently attacks organizations and governments, journalists, and media companies in countries near Russia, including those aligned with NATO and the European Union.

As part of these attacks, numerous pieces of malware have been unleashed online. Some of them are targeting Russian enemies. Others get loose in the wild as part of an ongoing cyber attack and are adapted by other cybercriminals for malicious aims.

Xagent is one piece of malware that is now roaming around online. However, it appears to have been used or even created for an attack on Ukrainian officers, apps that were designed to control the D-30 Howitzer artillery. According to initial reports, Xagent spyware took control of targeting systems, causing the destruction of 80% of Ukrainian D-30 Howitzers. That later proved incorrect, with the International Institute for Strategic Studies (IISS) confirming malware infections resulted in a loss of 15-20% of the D-30 Howitzers.

Is it a threat to macOS devices?

If Xagent was created for Android apps in 2014 to attack the Ukrainian military, it was later modified to attack Windows and macOS devices.

It is known to get into Mac and other devices through the downloader Komplex, with sophisticated methods that encourage people to download seemingly legitimate software. Within this, Xagent is bundled within the software packages. Included in those executables is a program known as C2furtively, which reads and understands the hardware, software, and apps someone uses to exploit those weaknesses as part of the data breach.

Once downloaded and when Xagent understands the systems, it harvests every useful piece of information it can find. From screenshots and keystrokes to passwords and iPhone backups, Xagent takes anything it can get and sends it all to the command-and-control (C&C) server.

Comparable to other viruses this sophisticated, most people with the Xagent malware won’t be aware of it. Fancy Bear is not known for making attacks obvious, including the software used in the attacks. However, it is possible to remove Xagent, either manually or with the help of software.


Removing Xagent manually

Finding out and removing Xagent is something that can be done manually. But take care to follow these steps exactly and only take applications to Trash that you’re sure are not part of another program you need.

  1. Open the Utilities folder.
  2. Locate and click on Activity Monitor (you can also do this through Spotlight Search or Siri).
  3. Within Activity Monitor, locate Xagent  or anything else that looks suspicious.
  4. Select the suspicious application and click Quit Process.
  5. Select Force Quit if it won’t close straight away.
  6. Now go to Applications.
  7. Search for the same application(s).
  8. Next, move these to the Trash.
  9. Empty the Trash.
  10. And finally, within System Settings > General, remove anything that looks suspicious from the Login items menu.

As we’ve outlined above, Xagent does not originate from your average cybercriminal setup. Manual removal is unfortunately not guaranteed to clear out every backdoor that it has created. It also means you run the risk of deleting an application you actually need. Instead, removing it safely and quickly, using an app you can trust — such as CleanMyMac X — often proves more effective.

Welcome to CleanMyMac

How to remove Xagent safely

CleanMyMac X is powerful adware, spyware, malware, and Trojan virus removal tool.

It is also an essential tool for improving the overall performance of your Mac. On average, users find they get back 62GB of space, ensuring that their devices run faster and smoother.

To remove a spyware virus this way, all you need to do is:

  1. Download CleanMyMac X (a free trial version is available).
  2. Open the app.
  3. Select Malware Removal.
  4. Click Scan to scan for infections.
  5. Click Remove to approve the deletion.
Malware scan in process

Xagent is malicious and dangerous. Created to attack an enemy military in a conflict that has sparked international outrage, this is not your typical spyware. Scanning for it and removing it is essential for keeping your Mac safe.