Cyber Security

CrashStealer macOS Malware Uses Anonymous Dropper to Pass Gatekeeper Checks

IRavie LakshmananJuly 13, 2026Endpoint Security / Cybercrime

Cybersecurity researchers have flagged a new macOS hack called CrashStealer capable of harvesting sensitive data from compromised systems.

Unlike other hackers built on AppleScript droppers or Objective-C based wrappers, CrashStealer is implemented in native C++, according to Jamf Threat Labs.

“It verifies the victim’s login password locally before harvesting, collects widely across browsers, cryptocurrency wallets, password managers, and keychains, encrypts what it collects with AES-GCM before filtering over libcurl, and persists by copying and re-signing,” said security researcher Thijs Xhaflaire in a report shared with The Hacker.

CrashStealer is said to be distributed using a signed and Apple-notarized dropper distributed as a disk image file called “Werkbit.app.” Because both the disk image and the binary are unwritten and have a valid developer ID (“Emil Grigorov (WWB7JA7AQV)”), it passes the Gatekeeper checks.

The disk image itself is from the domain “werkbit[.]io,” which was registered in June 2026. In an interesting twist, the download is gated behind the assembly pin, which means that the installer is offered only to those site visitors who arrive with the most correct code.

The discovery of additional domains and shared back-end infrastructure connected to the same endpoints in CrashStealer is part of a larger, multi-platform campaign.

Once installed, the disk image shows the user an installation setup screen instructing them to right-click the application and select “Open” to launch. Once started, the “veltod” user interface contacts the GitHub repository (“github.com/mgothiclove”) to find a file named “sys.cache.”

The file is then used to issue the curl command and pull a shell script, which acts as a downloader to download and stage the next payload (“CrashReporter.dmg”) and save it to the “/tmp” directory.

The malware, if used, establishes persistence as LaunchAgent, resists analysis, reveals the password and verifies the information entered in the field, unlocks the login using the verified password, lists the installed security tools and analysis, before continuing to collect browser data, crypto wallet extensions, password manager data, and keychain items.

The complete list of data collected is below –

  • Information from the Chromium family of browsers, including Google Chrome, Brave, Microsoft Edge, Opera and Opera GX, Vivaldi, Chromium, and Naver Whale
  • Over 80 crypto wallet extensions, including MetaMask, Phantom, Coinbase, Trust Wallet, Rabby, OKX Wallet, Exodus, Keplr, Solflare, and Backpack
  • 14 password managers, including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass and RoboForm
  • File from ~/Documents and ~/Downloads directory

The collected data is then packed into a ZIP archive and exported to a server controlled by the attacker (“179.43.166)[.]242).

“CrashStealer’s delivery chain shows real care: instead of an empty, unregistered payload, front-end operators attack with a signed and notarized dropper that clears the Gatekeeper before silently downloading, re-signing and opening the payload,” said Jamf.

“What sets it apart from the piracy crowd is less what we collect than how it’s built: AES-GCM client-side encryption of the collected files, and an emphasis on resisting analysis by including a control plane, encrypted strings and anti-debugging.”

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button