Published on July 14, 2026

New macOS malware steals passwords by posing as Apple’s crash-reporting tool


Severity

High

Detail

CrashStealer is a newly identified macOS information-stealing malware discovered by Jamf Threat Labs. It masquerades as Apple’s legitimate Crash Reporter utility to deceive users into revealing their login credentials. Initially observed in May while still under development, the malware was later detected in active attacks by early July, indicating it has transitioned into real-world deployment.

Unlike many common macOS stealers that rely on AppleScript or Objective-C, CrashStealer is developed in native C++, making it more sophisticated and harder to analyze. Once executed, it is capable of collecting login passwords, macOS Keychain data, browser credentials, password manager databases, cryptocurrency wallet information, and selected user files. The stolen data is encrypted using AES-256-GCM before being transmitted to a remote command-and-control (C2) server.

How?

The attack begins with a malicious disk image (DMG) named “Werkbit Setup”, which contains a seemingly legitimate application called Werkbit.app. The installer is digitally signed with a valid Apple Developer ID and notarized, allowing it to bypass macOS Gatekeeper security checks and appear trustworthy to users. After execution, the installer downloads additional payloads from a GitHub repository and a remote server. It then installs a fake CrashReporter application that closely resembles Apple’s legitimate crash-reporting utility.

The malware presents a fake macOS password prompt and verifies the entered password locally using the built-in dscl command. Once the correct credentials are obtained, CrashStealer unlocks the user’s login Keychain and begins collecting sensitive information, including:

  • Browser credentials from Chromium-based browsers and Firefox.
  • Cryptocurrency wallet data from popular wallet extensions such as MetaMask, Phantom, Trust Wallet, Coinbase Wallet, and Exodus.
  • Credentials stored in password managers including 1Password, Bitwarden, LastPass, Dashlane, and Keeper.
  • User files from common directories such as Documents and Downloads while avoiding large media files, installers, and executables.

The collected data is encrypted individually with AES-256-GCM, compressed into hidden ZIP archives, and exfiltrated to the attacker’s C2 server using libcurl.

To maintain persistence, CrashStealer copies itself to another directory, re-signs the copied binary with an ad hoc signature, and registers itself as a LaunchAgent named com.apple.crashreporter.helper, allowing it to execute automatically whenever the user logs in. The malware also incorporates anti-analysis techniques such as runtime string decryption, debugger detection, and control flow obfuscation to complicate reverse engineering.

Recommendations

Users should only download software from trusted and verified sources, such as the official developer’s website or the Mac App Store. Applications distributed through unfamiliar websites or requiring special meeting PINs should be treated with caution, even if they appear to be signed or notarized.

Users should carefully examine unexpected macOS password prompts before entering system credentials. If an authentication request appears immediately after launching an unfamiliar application, its legitimacy should be verified before proceeding.

Security solutions capable of detecting macOS malware should be deployed and kept up to date to identify malicious behavior that may bypass standard macOS security mechanisms. Organizations should also monitor for suspicious LaunchAgent registrations, unauthorized Keychain access, and unusual outbound network connections.

System administrators should regularly review indicators of compromise (IOCs) published by Jamf Threat Labs and incorporate them into endpoint detection, threat hunting, and incident response activities to identify potential infections at an early stage.

Source

https://www.helpnetsecurity.com/2026/07/14/crashstealer-macos-infostealer-password-theft