A sophisticated new macOS infostealer, known as CrashStealer, has emerged, masquerading as Apple’s crash-reporting tool to siphon off browser credentials, cryptocurrency wallets, and password manager data. The malware encrypts and transfers the stolen information to a remote server, posing a significant threat to macOS users.
Discovery and Development
Security researchers at Jamf identified a questionable sample on VirusTotal in May 2026, which indicated an evolving infostealer. By July, the malware had advanced into active deployment, leading to it being officially tracked under the name CrashStealer. Unlike typical macOS stealers that use AppleScript or Objective-C, CrashStealer is crafted entirely in C++ with a unique internal structure, differentiating it from other malware families.
CrashStealer’s initial access vector involves a disk image titled ‘Werkbit Setup,’ containing an app bundle signed with a legitimate Developer ID and notarization ticket. This enables it to bypass Gatekeeper security on initial execution. This level of authenticity, including a signed disk image, is uncommon in malicious campaigns targeting macOS.
Technical Functionality and Targets
Upon activation, the malware retrieves an obfuscated shell script hosted on GitHub, decodes it, and downloads the main payload disguised as ‘CrashReporter.app.’ This application mimics Apple’s crash-reporting tool with a corresponding bundle identifier and icon. CrashStealer validates the user’s login credentials locally and unlocks the keychain before probing for installed security tools.
Its targets include Chromium-based browsers such as Chrome, Brave, and Edge, as well as Firefox, accessing credential stores and roughly 80 cryptocurrency wallet extensions. Additionally, it infiltrates 14 different password managers, including 1Password and LastPass, along with the user’s login keychain and system files.
Advanced Encryption and Persistence
CrashStealer employs AES-256-GCM encryption using Apple’s CommonCrypto framework to secure the collected data before packaging it into ZIP archives for exfiltration. This level of encryption is rare among macOS stealers, highlighting the professionalization of such malware. The inclusion of control-flow flattening and anti-debugging techniques further emphasizes its advanced operational security.
For persistence, the malware re-signs itself and installs a LaunchAgent named com.apple.crashreporter.helper, ensuring it remains active after system reboots. This persistence mechanism aligns with its Apple-impersonation strategy.
Researchers have connected CrashStealer to a broader multi-platform operation, suggesting it is not an isolated threat. This development signifies a growing sophistication in macOS infostealers, closing the technological gap with their Windows counterparts and escalating the need for robust cybersecurity measures.
To bolster your security operations, consider integrating advanced threat detection tools that can accelerate investigations and enhance your SOC’s capabilities.
