Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
CrashStealer Malware Bypasses macOS Gatekeeper

CrashStealer Malware Bypasses macOS Gatekeeper

Posted on July 13, 2026 By CWS

Cybersecurity experts have identified a novel threat to macOS users in the form of a new information stealer, CrashStealer. This malware is adept at exfiltrating sensitive data from affected devices, posing a significant threat to user security.

CrashStealer’s Unique Implementation

Unlike typical information stealers that leverage AppleScript or Objective-C, CrashStealer is uniquely implemented in native C++. This was disclosed by Jamf Threat Labs, which highlighted the malware’s capability to validate login credentials and collect data from browsers, cryptocurrency wallets, password managers, and keychain services. The stolen data is encrypted using AES-GCM and transmitted using libcurl, ensuring both security and persistence by re-signing itself.

Distribution and Execution Strategy

CrashStealer is disseminated via a notarized dropper, distributed as a disk image file named “Werkbit.app.” This file, along with its binary, carries a valid developer ID, allowing it to bypass macOS Gatekeeper checks. The file originates from the domain “werkbit[.]io,” registered in June 2026, and requires a specific meeting PIN for download, indicating a targeted distribution approach.

Upon mounting, users are prompted to execute the app, leading to the retrieval of a “sys.cache” file from a GitHub repository. This file facilitates further payload delivery by executing a script that downloads and stages an additional component named “CrashReporter.dmg,” stored in the “/tmp” directory.

Data Collection and Security Measures

Once deployed, CrashStealer establishes itself as a LaunchAgent, resisting analysis, and prompting for user credentials. It uses these credentials to access the login keychain, listing installed security tools before extracting data from browsers, cryptocurrency wallets, and password managers.

The malware targets credentials from browsers such as Google Chrome, Brave, and Microsoft Edge, as well as data from approximately 80 cryptocurrency wallet extensions and 14 password managers. The collected information is packaged into a ZIP archive, which is sent to a server controlled by the attacker.

Jamf notes that the sophistication of CrashStealer lies in its execution: it uses client-side AES-GCM encryption, control-flow flattening, encrypted strings, and anti-debugging techniques, setting it apart from other malicious software.

As cybersecurity threats continue to evolve, macOS users are advised to remain vigilant and ensure their systems are protected against such advanced threats. Continuous updates and security awareness are crucial to safeguarding sensitive information from malicious actors.

The Hacker News Tags:Apple, CrashStealer, Cybercrime, Cybersecurity, data theft, Encryption, Gatekeeper, information stealer, macOS, Malware, threat analysis

Post navigation

Previous Post: New macOS Malware Steals Browser Data via Fake Apple Tool
Next Post: Torq and Criminal IP Enhance SOC with Threat Intelligence

Related Posts

Hacktivist Surge: 149 DDoS Attacks Across 16 Nations Hacktivist Surge: 149 DDoS Attacks Across 16 Nations The Hacker News
Trojan VPNs Spread via SEO Poisoning, Microsoft Warns Trojan VPNs Spread via SEO Poisoning, Microsoft Warns The Hacker News
The Impact of Robotic Process Automation (RPA) on Identity and Access Management The Impact of Robotic Process Automation (RPA) on Identity and Access Management The Hacker News
Iranian Infy Hackers Reactivate C2 Servers After Internet Blackout Iranian Infy Hackers Reactivate C2 Servers After Internet Blackout The Hacker News
Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories The Hacker News
Starkiller Phishing Suite Evades MFA with Reverse Proxy Starkiller Phishing Suite Evades MFA with Reverse Proxy The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • AI ‘Intelligent Worm’ Threatens Cybersecurity Evolution
  • CISA Alerts on Vulnerabilities in Joomla Extensions
  • AI Systems Under Siege by Internet Scans: MCP Servers at Risk
  • AI-Powered Scripts Exploit Active Directory Vulnerabilities
  • Turla Hackers Exploit SharePoint Vulnerability in France

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • AI ‘Intelligent Worm’ Threatens Cybersecurity Evolution
  • CISA Alerts on Vulnerabilities in Joomla Extensions
  • AI Systems Under Siege by Internet Scans: MCP Servers at Risk
  • AI-Powered Scripts Exploit Active Directory Vulnerabilities
  • Turla Hackers Exploit SharePoint Vulnerability in France

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark