Search...

New “CrashStealer” malware targets macOS users discovered

A newly identified information-stealing malware known as “CrashStealer” has been found impersonating Apple’s built-in crash-reporting framework on macOS in order to obtain users’ confidential information.

Developed entirely in the C++ programming language, the malware is designed to collect usernames and passwords stored in web browsers, cryptocurrency wallet data, information maintained by password managers, contents of the macOS Keychain service and other sensitive files. Once collected, the data is encrypted and transmitted to a remote command-and-control server.

The attack begins with the delivery of a disk image named “Werkbit Setup”. The disk image contains an application bundle signed with a legitimate Developer ID certificate and accompanied by a stapled notarization ticket. This enables the application to bypass the macOS Gatekeeper security mechanism when launched for the first time.

 

posts/2026/07/hbJz9y2KvALXLWscIkTgnLlfptTRBJLGOlltleAD.jpg

 

After the application is executed, the initial loader retrieves a shell script hosted on GitHub infrastructure. Once several layers of Base64 encoding have been decoded, the script downloads the primary malicious payload onto the system. To impersonate Apple’s crash-reporting utility, the payload is presented as “CrashReporter.app” and uses the com.apple.crashreporter bundle identifier together with a corresponding application icon.

The information targeted by the malware includes data stored in browsers such as Google Chrome, Brave, Microsoft Edge, Opera and Vivaldi, as well as Mozilla Firefox. In addition, CrashStealer targets approximately 80 cryptocurrency wallet extensions associated with Ethereum, Solana, Cosmos, TON and other blockchain ecosystems. The malware also collects data from 14 password managers, including 1Password, Bitwarden and LastPass. The user’s login Keychain file and documents stored in the “Documents” and “Downloads” directories are likewise included within its collection scope.

One of the main technical characteristics distinguishing CrashStealer is its encryption of collected data before exfiltration. For this purpose, the malware employs the AES-256-GCM encryption algorithm through Apple’s CommonCrypto framework. Following encryption, the data is packaged into ZIP archives and transmitted to a remote command-and-control server via the libcurl library.

To establish persistence on the compromised system, the malware creates a copy of itself, re-signs the file using an ad hoc signature and installs a LaunchAgent under the label com.apple.crashreporter.helper. This mechanism enables CrashStealer to launch automatically even after the system has been restarted.

The malware also employs control-flow obfuscation, mechanisms designed to complicate the analysis process and multilayered checks intended to detect debugging and analysis tools.

 

posts/2026/07/SbWWzpJHo72ekImkrJBDgL0wCfmrczXfs4cxfLHw.png

© 2011-2026 All rights reserved