Back to Feed
MalwareJul 13, 2026

New CrashStealer malware poses as Apple crash reporting tool

New macOS malware, CrashStealer, impersonates Apple's crash reporter to steal credentials.

Summary

A new macOS information-stealing malware named CrashStealer has been observed in attacks, posing as Apple's legitimate crash reporting tool. It is delivered via a signed and Apple-notarized installer, allowing it to bypass macOS Gatekeeper. The malware targets credentials, keychain data, and numerous cryptocurrency wallet extensions, encrypting stolen data before exfiltration.

Full text

New CrashStealer malware poses as Apple crash reporting tool By Bill Toulas July 13, 2026 03:04 PM 0 A new macOS information-stealing malware called CrashStealer pretends to be Apple's crash-reporting tool to steal credentials, keychain data, and crypto wallets. Malware researchers started tracking the malware in May, when it appeared to still be in development, but observed it being used in attacks in early July. CrashStealer has a typical infostealer capability set that seems to focus on password managers and more than 80 crypto wallet extensions. Notarized malware dropper The CrashStealer infostealer's binary impersonates Apple's system component by taking the name ‘CrashReporter.app,’ in an attempt to evade users’ scrutiny and potentially security tools. Besides the name, the malware also creates a LaunchAgent named ‘com.apple.crashreporter.helper’ and uses the legitimate tool’s icon and metadata to resemble the legitimate tool as much as possible. According to researchers at Jamf, a company that offers management and security solutions for Apple devices, the payload is delivered via a signed and Apple-notarized installer (“Werkbit Setup”). This allows it to bypass Gatekeeper, the built-in anti-malware on macOS, without any warnings. The signed dropperSource: Jamf Labs When launched, the malware displays a fake macOS password prompt to convince users that they are authorizing a legitimate system operation that requires administrator privileges. This password can unlock the user’s Keychain, which contains locally stored secrets and acts as macOS’s encrypted password vault, typically containing Safari logins, Wi-Fi passwords, application passwords, private cryptographic keys, certificates, and tokens. Password promptSource: Jamf Labs When the password is provided, the malware validates it locally using ‘dscl’ (Directory Service command-line). If it's incorrect, CrashStealer returns an authentication error, prompting the user to type it again. Apart from keychain data, Jamf's analysis indicates that CrashStealer also targets the following data: Browser credentials and cookies from Chromium-based browsers and Firefox 80 cryptocurrency wallet extensions, including MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Rabby, Exodus, Keplr, and Solflare 14 password managers, including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass, and RoboForm Files from user directories such as Documents and Downloads, while intentionally skipping large media files, installers, and system directories Before exfiltrating the stolen data, CrashStealer encrypts it using the AES-256-GCM algorithm, an unusually strong method for this type of operation, packages it into hidden ZIP archives, and uploads the compressed data to the command-and-control (C2) server using libcurl. Jamf researchers say that despite the overlap in objective with other infostealer families (e.g., Atomic, MacSync and Phexia), CrashStealer is distinct due to its client-side encryption mechanism and its native C++ implementation. Jamf did not share details about CrashStealer’s exact initial distribution method, but note that the first-stage payload (Werkbit Setup) is hosted on a fake software site registered in late June. Site delivering the CrashStealer loaderSource: Jamf Labs Downloading the payload is gated behind a meeting PIN, which indicates a campaign limited to visitors who provide the right code. Jamf researchers say that the CrashStealer campaign is a careful operation focused on stealth by using a signed and notarized malware dropper and a payload that re-signs itself for persistence. The purpose of the re-signing process is to rewrite the code-signature data in the binary, which causes the file to have a different hash despite the code remaining untouched. Jamf's report on CrashStealer shares an extensive set of indicators of compromise that includes the names and hashes for the malicious tools along with details about the delivery infrastructure and filesystem artifacts. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: SHub macOS infostealer variant spoofs Apple security updatesCritical SimpleHelp flaw exploited to deploy new stealer malwareSteam Workshop abused to spread malware via Wallpaper Engine appNew Shai-Hulud malware wave compromises 600 npm packagesPopular node-ipc npm package compromised to steal credentials

Indicators of Compromise

  • malware — CrashStealer

Entities

CrashReporter.app (product)Werkbit Setup (product)Jamf (vendor)