Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
New macOS Malware Steals Browser Data via Fake Apple Tool

New macOS Malware Steals Browser Data via Fake Apple Tool

Posted on July 13, 2026 By CWS

A sophisticated new macOS infostealer, known as CrashStealer, has emerged, masquerading as Apple’s crash-reporting tool to siphon off browser credentials, cryptocurrency wallets, and password manager data. The malware encrypts and transfers the stolen information to a remote server, posing a significant threat to macOS users.

Discovery and Development

Security researchers at Jamf identified a questionable sample on VirusTotal in May 2026, which indicated an evolving infostealer. By July, the malware had advanced into active deployment, leading to it being officially tracked under the name CrashStealer. Unlike typical macOS stealers that use AppleScript or Objective-C, CrashStealer is crafted entirely in C++ with a unique internal structure, differentiating it from other malware families.

CrashStealer’s initial access vector involves a disk image titled ‘Werkbit Setup,’ containing an app bundle signed with a legitimate Developer ID and notarization ticket. This enables it to bypass Gatekeeper security on initial execution. This level of authenticity, including a signed disk image, is uncommon in malicious campaigns targeting macOS.

Technical Functionality and Targets

Upon activation, the malware retrieves an obfuscated shell script hosted on GitHub, decodes it, and downloads the main payload disguised as ‘CrashReporter.app.’ This application mimics Apple’s crash-reporting tool with a corresponding bundle identifier and icon. CrashStealer validates the user’s login credentials locally and unlocks the keychain before probing for installed security tools.

Its targets include Chromium-based browsers such as Chrome, Brave, and Edge, as well as Firefox, accessing credential stores and roughly 80 cryptocurrency wallet extensions. Additionally, it infiltrates 14 different password managers, including 1Password and LastPass, along with the user’s login keychain and system files.

Advanced Encryption and Persistence

CrashStealer employs AES-256-GCM encryption using Apple’s CommonCrypto framework to secure the collected data before packaging it into ZIP archives for exfiltration. This level of encryption is rare among macOS stealers, highlighting the professionalization of such malware. The inclusion of control-flow flattening and anti-debugging techniques further emphasizes its advanced operational security.

For persistence, the malware re-signs itself and installs a LaunchAgent named com.apple.crashreporter.helper, ensuring it remains active after system reboots. This persistence mechanism aligns with its Apple-impersonation strategy.

Researchers have connected CrashStealer to a broader multi-platform operation, suggesting it is not an isolated threat. This development signifies a growing sophistication in macOS infostealers, closing the technological gap with their Windows counterparts and escalating the need for robust cybersecurity measures.

To bolster your security operations, consider integrating advanced threat detection tools that can accelerate investigations and enhance your SOC’s capabilities.

Cyber Security News Tags:Apple, browser credentials, cryptocurrency wallets, cyber threat, Cybersecurity, Encryption, InfoStealer, macOS, Malware, password managers

Post navigation

Previous Post: MemGhost Attack Alters AI Memory with a Single Email
Next Post: CrashStealer Malware Bypasses macOS Gatekeeper

Related Posts

McGraw-Hill Data Breach Exposes 13.5 Million Users McGraw-Hill Data Breach Exposes 13.5 Million Users Cyber Security News
Iranian Hackers Breach FBI Director’s Email Iranian Hackers Breach FBI Director’s Email Cyber Security News
Metasploit Pro 5.0.0 Launches with Enhanced Security Features Metasploit Pro 5.0.0 Launches with Enhanced Security Features Cyber Security News
French Fintech Accounts Abused by Cybercriminals for Money Laundering French Fintech Accounts Abused by Cybercriminals for Money Laundering Cyber Security News
CISA Warns of Cisco Firewall 0-Day Vulnerabilities Actively Exploited in the Wild CISA Warns of Cisco Firewall 0-Day Vulnerabilities Actively Exploited in the Wild Cyber Security News
North Korean Hackers Target Developers via Mastra npm North Korean Hackers Target Developers via Mastra npm Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • AI ‘Intelligent Worm’ Threatens Cybersecurity Evolution
  • CISA Alerts on Vulnerabilities in Joomla Extensions
  • AI Systems Under Siege by Internet Scans: MCP Servers at Risk
  • AI-Powered Scripts Exploit Active Directory Vulnerabilities
  • Turla Hackers Exploit SharePoint Vulnerability in France

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • AI ‘Intelligent Worm’ Threatens Cybersecurity Evolution
  • CISA Alerts on Vulnerabilities in Joomla Extensions
  • AI Systems Under Siege by Internet Scans: MCP Servers at Risk
  • AI-Powered Scripts Exploit Active Directory Vulnerabilities
  • Turla Hackers Exploit SharePoint Vulnerability in France

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark