macOS Stealer Masquerades as Crash Reports to Steal Browser Data
Key Takeaways A new macOS infostealer, dubbed CrashStealer, is actively deployed and targets browser data, cryptocurrency wallets, password managers, and keychain contents. The malware mimics...
Key Takeaways
- A new macOS infostealer, dubbed CrashStealer, is actively deployed and targets browser data, cryptocurrency wallets, password managers, and keychain contents.
- The malware mimics Apple’s legitimate crash reporting utility, using a signed disk image and application bundle to bypass Gatekeeper.
- CrashStealer is notable for its native C++ implementation, client-side AES-256-GCM encryption, and anti-analysis techniques, indicating a professionalization of macOS malware development.
- Initial access often involves a disk image named “Werkbit Setup” containing a notarized application.
Sophisticated macOS Infostealer “CrashStealer” Masquerades as System Utility
A new and advanced macOS information stealer, identified as CrashStealer, has entered active deployment, meticulously designed to mimic Apple’s native crash reporting functionality. This C++-based malware is engineered to harvest a wide array of sensitive user data, including browser credentials, cryptocurrency wallet details, password manager vault information, and macOS keychain contents. Once collected, this data is encrypted and exfiltrated to a remote command-and-control server.
Table Of Content
Security researchers at Jamf first detected an early sample of what appeared to be an infostealer under development on VirusTotal in early May 2026. By July of the same year, in-the-wild detections confirmed the malware’s maturation and active use, leading researchers to formally name it CrashStealer.
Advanced Technical Underpinnings
Unlike many common macOS stealers, which often rely on AppleScript droppers or light Objective-C wrappers, CrashStealer stands out due to its complete implementation in native C++. The malware is built around an internal class named MacOSData, distinguishing it from other families like Atomic (AMOS), MacSync, and Phexia, despite sharing similar objectives in data theft.
The initial infection vector typically involves a disk image labeled “Werkbit Setup.” This DMG contains an application bundle that is signed with a valid Developer ID and includes a stapled notarization ticket. This sophisticated approach allows the malicious application to bypass Apple’s Gatekeeper security mechanism upon its first launch. Notably, even the disk image container itself is signed, a rare tactic in malicious DMG campaigns, further enhancing its legitimacy in the eyes of the operating system.
Upon execution, the dropper discreetly retrieves an obfuscated shell script from GitHub-hosted infrastructure. This script then decodes multiple layers of Base64-encoded commands to download the primary payload. The payload itself is disguised as “CrashReporter.app,” complete with Apple’s legitimate bundle identifier com.apple.crashreporter and an identical icon, reinforcing its impersonation of a system utility.
Extensive Data Collection Capabilities
Once active, CrashStealer performs a local validation of the victim’s login password using dscl, which enables it to unlock the keychain. It also profiles installed security tools before initiating its data collection routines. The scope of data targeted by CrashStealer is broad and comprehensive:
- Credential stores from Chromium-based browsers (Google Chrome, Brave, Microsoft Edge, Opera, Vivaldi) and Mozilla Firefox.
- Data from approximately 80 cryptocurrency wallet extensions across various ecosystems, including Ethereum, Solana, Cosmos, and TON.
- Information from 14 different password managers, such as 1Password, Bitwarden, and LastPass.
- The user’s login keychain and broader file system reconnaissance, specifically targeting “Documents” and “Downloads” folders.
This extensive data collection capability aligns with current trends observed in the macOS infostealer landscape, where cryptocurrency-focused credential theft has emerged as a primary objective for threat actors.
Operational Security and Anti-Analysis Measures
A key technical differentiator for CrashStealer is its robust operational security. The malware employs client-side AES-256-GCM encryption, leveraging Apple’s CommonCrypto framework to encrypt all staged data. This encrypted data is then packaged into ZIP archives and exfiltrated using libcurl. This level of encryption is uncommonly seen in more commodity, AppleScript-based stealers.
Furthermore, CrashStealer incorporates anti-analysis techniques such as control-flow flattening and layered anti-debugging checks. These measures indicate a growing professionalization among macOS malware developers, reflecting a broader industry trend where macOS threats are evolving from opportunistic scripts into more structured, business-like operations, as observed by researchers across the cybersecurity landscape.
For persistence across reboots, CrashStealer copies and re-signs itself ad hoc. It then installs a LaunchAgent named com.apple.crashreporter.helper, extending its Apple-impersonation theme into its persistence layer.
Jamf also linked the campaign to a live operator panel and additional infrastructure domains, suggesting that CrashStealer is likely part of a larger, multi-platform operation rather than an isolated, standalone tool.
The emergence of CrashStealer underscores the increasing sophistication of macOS infostealers, which are rapidly closing the technical gap with their Windows counterparts. Both the volume and technical complexity of macOS threats have demonstrated a sharp increase through 2025 and into 2026.
What You Should Do
- Exercise Caution with Downloads: Only download software from trusted and verified sources, such as the official App Store or reputable developer websites. Scrutinize disk images (.DMG files) and application bundles from unknown origins.
- Enable Gatekeeper and XProtect: Ensure macOS Gatekeeper is enabled to prevent unsigned or untrusted applications from running. Keep your macOS up to date to benefit from the latest XProtect definitions.
- Use Strong, Unique Passwords and Multi-Factor Authentication (MFA): Implement strong, unique passwords for all accounts, especially those protecting cryptocurrency wallets, password managers, and critical online services. Enable MFA wherever possible.
- Regularly Back Up Data: Maintain regular backups of important files and system data.
- Employ Endpoint Detection and Response (EDR): For organizations, deploy EDR solutions capable of detecting and responding to advanced macOS threats.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.