Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
macOS Stealer Masquerades as Crash Reports to Steal Browser Data
July 13, 2026
Turla Hackers Exploit Critical SharePoint Flaw to Access French Accounts
July 13, 2026
Internet Scans Target Exposed AI Models, Claude Credentials, and MCP Servers
July 13, 2026
Home/CyberSecurity News/macOS Stealer Masquerades as Crash Reports to Steal Browser Data
CyberSecurity News

macOS Stealer Masquerades as Crash Reports to Steal Browser Data

Key Takeaways A new macOS infostealer, dubbed CrashStealer, is actively deployed and targets browser data, cryptocurrency wallets, password managers, and keychain contents. The malware mimics...

Jennifer sherman
Jennifer sherman
July 13, 2026 4 Min Read
3 0

Key Takeaways

  • A new macOS infostealer, dubbed CrashStealer, is actively deployed and targets browser data, cryptocurrency wallets, password managers, and keychain contents.
  • The malware mimics Apple’s legitimate crash reporting utility, using a signed disk image and application bundle to bypass Gatekeeper.
  • CrashStealer is notable for its native C++ implementation, client-side AES-256-GCM encryption, and anti-analysis techniques, indicating a professionalization of macOS malware development.
  • Initial access often involves a disk image named “Werkbit Setup” containing a notarized application.

Sophisticated macOS Infostealer “CrashStealer” Masquerades as System Utility

A new and advanced macOS information stealer, identified as CrashStealer, has entered active deployment, meticulously designed to mimic Apple’s native crash reporting functionality. This C++-based malware is engineered to harvest a wide array of sensitive user data, including browser credentials, cryptocurrency wallet details, password manager vault information, and macOS keychain contents. Once collected, this data is encrypted and exfiltrated to a remote command-and-control server.

Table Of Content

  • Key Takeaways
  • Sophisticated macOS Infostealer “CrashStealer” Masquerades as System Utility
  • Advanced Technical Underpinnings
  • Extensive Data Collection Capabilities
  • Operational Security and Anti-Analysis Measures
  • What You Should Do

Security researchers at Jamf first detected an early sample of what appeared to be an infostealer under development on VirusTotal in early May 2026. By July of the same year, in-the-wild detections confirmed the malware’s maturation and active use, leading researchers to formally name it CrashStealer.

Advanced Technical Underpinnings

Unlike many common macOS stealers, which often rely on AppleScript droppers or light Objective-C wrappers, CrashStealer stands out due to its complete implementation in native C++. The malware is built around an internal class named MacOSData, distinguishing it from other families like Atomic (AMOS), MacSync, and Phexia, despite sharing similar objectives in data theft.

The initial infection vector typically involves a disk image labeled “Werkbit Setup.” This DMG contains an application bundle that is signed with a valid Developer ID and includes a stapled notarization ticket. This sophisticated approach allows the malicious application to bypass Apple’s Gatekeeper security mechanism upon its first launch. Notably, even the disk image container itself is signed, a rare tactic in malicious DMG campaigns, further enhancing its legitimacy in the eyes of the operating system.

Upon execution, the dropper discreetly retrieves an obfuscated shell script from GitHub-hosted infrastructure. This script then decodes multiple layers of Base64-encoded commands to download the primary payload. The payload itself is disguised as “CrashReporter.app,” complete with Apple’s legitimate bundle identifier com.apple.crashreporter and an identical icon, reinforcing its impersonation of a system utility.

Extensive Data Collection Capabilities

Once active, CrashStealer performs a local validation of the victim’s login password using dscl, which enables it to unlock the keychain. It also profiles installed security tools before initiating its data collection routines. The scope of data targeted by CrashStealer is broad and comprehensive:

  • Credential stores from Chromium-based browsers (Google Chrome, Brave, Microsoft Edge, Opera, Vivaldi) and Mozilla Firefox.
  • Data from approximately 80 cryptocurrency wallet extensions across various ecosystems, including Ethereum, Solana, Cosmos, and TON.
  • Information from 14 different password managers, such as 1Password, Bitwarden, and LastPass.
  • The user’s login keychain and broader file system reconnaissance, specifically targeting “Documents” and “Downloads” folders.

This extensive data collection capability aligns with current trends observed in the macOS infostealer landscape, where cryptocurrency-focused credential theft has emerged as a primary objective for threat actors.

Operational Security and Anti-Analysis Measures

A key technical differentiator for CrashStealer is its robust operational security. The malware employs client-side AES-256-GCM encryption, leveraging Apple’s CommonCrypto framework to encrypt all staged data. This encrypted data is then packaged into ZIP archives and exfiltrated using libcurl. This level of encryption is uncommonly seen in more commodity, AppleScript-based stealers.

Furthermore, CrashStealer incorporates anti-analysis techniques such as control-flow flattening and layered anti-debugging checks. These measures indicate a growing professionalization among macOS malware developers, reflecting a broader industry trend where macOS threats are evolving from opportunistic scripts into more structured, business-like operations, as observed by researchers across the cybersecurity landscape.

For persistence across reboots, CrashStealer copies and re-signs itself ad hoc. It then installs a LaunchAgent named com.apple.crashreporter.helper, extending its Apple-impersonation theme into its persistence layer.

Jamf also linked the campaign to a live operator panel and additional infrastructure domains, suggesting that CrashStealer is likely part of a larger, multi-platform operation rather than an isolated, standalone tool.

The emergence of CrashStealer underscores the increasing sophistication of macOS infostealers, which are rapidly closing the technical gap with their Windows counterparts. Both the volume and technical complexity of macOS threats have demonstrated a sharp increase through 2025 and into 2026.

What You Should Do

  • Exercise Caution with Downloads: Only download software from trusted and verified sources, such as the official App Store or reputable developer websites. Scrutinize disk images (.DMG files) and application bundles from unknown origins.
  • Enable Gatekeeper and XProtect: Ensure macOS Gatekeeper is enabled to prevent unsigned or untrusted applications from running. Keep your macOS up to date to benefit from the latest XProtect definitions.
  • Use Strong, Unique Passwords and Multi-Factor Authentication (MFA): Implement strong, unique passwords for all accounts, especially those protecting cryptocurrency wallets, password managers, and critical online services. Enable MFA wherever possible.
  • Regularly Back Up Data: Maintain regular backups of important files and system data.
  • Employ Endpoint Detection and Response (EDR): For organizations, deploy EDR solutions capable of detecting and responding to advanced macOS threats.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

MalwareSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Turla Hackers Exploit Critical SharePoint Flaw to Access French Accounts

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Debian 13 Trixie Released With Security Updates
July 13, 2026
iPhone, MacBook Forensics Expose £113,000 Property Fraud
July 13, 2026
CISA warns of Joomla iCagenda, Balbooa flaws exploited in attacks
July 13, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us