CrashStealer Proves Notarized Mac Malware Is Here
A Gatekeeper-cleared dropper and native C++ stealer raise the bar for defending developer Macs.
Mac developers have long treated Gatekeeper as a useful first filter. Unsigned junk gets a warning; notarized apps usually do not. CrashStealer is a reminder that the filter is only as good as the process behind the stamp.
Tracked by Jamf Threat Labs from a May sample through early-July in-the-wild use, this native C++ infostealer does not invent a new objective. It steals browser credentials, password-manager data, keychain secrets, and crypto wallet extensions. What matters is the packaging: a signed, Apple-notarized dropper that clears default checks, a payload that impersonates Apple’s own crash-reporting tooling, and client-side AES-GCM encryption before exfiltration. Commodity macOS stealers used to look like scripts with an app bundle glued on. This one looks like product work.
Delivery that assumes you trust the blue check
Initial access rides a disk image branded “Werkbit Setup.” Inside is Werkbit.app (executable veltod, bundle ID dev.golove.velto), signed with Developer ID Emil Grigorov (WWB7JA7AQV), hardened runtime enabled, stapled notarization ticket included. Even the DMG itself is signed, which is still uncommon in malicious campaigns. The lure site, werkbit.io, was registered in late June and gates the download behind a meeting PIN. That is not mass spam. It is a campaign that prefers the right visitor over volume.
On launch the dropper does not dump the payload from the DMG. It reaches GitHub first (mgothiclove/pkeys, file sys.cache), pulls a curl command, then fetches a multi-layer Base64 shell script from attacker infrastructure (endpoint-api-v1.com). That script downloads CrashReporter.dmg over cleartext HTTP into /tmp, mounts it quietly, stages the app under a hidden path (/tmp/.CrashReporter), strips and re-signs the payload ad hoc, registers it with Launch Services, and starts it in the background.
From a defender’s seat the chain is deliberate. The first hop is a trusted developer domain. The second hop is a short-lived shell script never left readable on disk. The payload that actually does the theft is not the notarized binary. Gatekeeper already said yes to the dropper. Everything after is cleanup and load.
Impersonation that blends into ordinary system noise
The payload presents as CrashReporter.app with Apple-like metadata and icon, plus a LaunchAgent named com.apple.crashreporter.helper. Re-signing after install rewrites signature data so the on-disk hash changes without touching the code. Persistence and appearance both lean on the same idea: look like something Apple already runs.
Before collection it shows a fake macOS password dialog. The password is checked locally with dscl. A wrong password gets a real-looking auth error and another prompt. A correct password unlocks the login keychain. That single social-engineering step converts a GUI click into access to Safari logins, Wi-Fi secrets, app passwords, certificates, and tokens.
Collection is broad and familiar to anyone who has watched the stealer ecosystem on Windows migrate to Mac:
- Chromium-family browsers (Chrome, Brave, Edge, Opera, Vivaldi and others) plus Firefox
- Roughly 80 cryptocurrency wallet extensions (MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Rabby, Exodus, Keplr, Solflare, and peers)
- Fourteen password managers, including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass, and RoboForm
- Files under Documents and Downloads, with large media and installers skipped
Staged data is encrypted with AES-256-GCM (via Apple’s CommonCrypto in the analyses), packed into hidden ZIPs, and sent with libcurl to attacker infrastructure (one reported C2 IP is 179.43.166.242). Jamf and follow-on reporting also note control-flow flattening, encrypted strings, and layered anti-debugging. The point is not novelty of targets. It is operational hygiene: encrypt before ship, resist casual reverse engineering, keep the first stage looking legitimate.
Why this is not just another Atomic clone
Objectives overlap with Atomic (AMOS), MacSync, and Phexia. Implementation does not. Those families often lean on AppleScript droppers or thin Objective-C wrappers. CrashStealer is native C++ organized around an internal MacOSData class. Client-side AES-GCM before exfil is stronger packaging than the dump-and-POST pattern common in scripted stealers. Shared backend infrastructure and an operator panel, as reported by researchers, point at a multi-platform operation rather than a one-off experiment.
That pattern matches a wider shift through 2025–2026: macOS stealers closing the sophistication gap with Windows tooling. Detection volumes up. Build quality up. Notarization abuse is no longer theoretical. If an attacker can get a Developer ID and a stapled ticket, the user’s first visual cue is “this looks fine.” The second cue is a polished installer window telling them to right-click Open. Even when the binary would launch without that ritual, the instruction trains muscle memory.
What developers should actually change
Developer Macs are high-value endpoints. They hold SSH keys, cloud CLI tokens, CI secrets in password managers, browser sessions for production consoles, and sometimes wallet extensions for side projects or on-call crypto tooling. CrashStealer’s target list is almost a map of that surface.
Practical adjustments, ordered by leverage:
- Treat unexpected “setup” DMGs as hostile by default. A meeting PIN and a polished installer are social proof, not safety. Prefer vendor sites and package managers you already trust (
brew, official app stores, signed enterprise catalogs). - Do not type your login password into prompts you did not request. CrashStealer’s fake dialog is designed to feel like a system authorization. If you did not just install a known tool that needs admin rights, cancel and inspect.
- Inventory LaunchAgents and unexpected apps under
/tmpand hidden dirs. Names likecom.apple.crashreporter.helperand paths such as/private/tmp/.CrashReporterare hunting gold. Baseline legitimate LaunchAgents on managed fleets; alert on new agents with Apple-looking labels that are not from Apple packages. - Separate secrets from the daily browser. Password managers help until the vault unlocks on a compromised host. Prefer OS-level keychain access controls, hardware-backed keys (YubiKey / Secure Enclave flows) for SSH and cloud SSO, and short-lived credentials for CI. Browser wallet extensions on a work machine are an optional risk; if you do not need them there, remove them.
- Do not equate notarization with trust. Notarization means Apple’s automated checks did not reject the binary at submission time. It is not a behavioral guarantee. Enterprise controls (MDM allowlists, developer-ID restrictions, network egress policies) matter more once the first stage is signed.
- Watch for the infrastructure pattern. GitHub raw content as a first hop, short-lived decode-and-pipe shell stages, HTTP payload pulls to
/tmp, immediatecodesign --remove-signature/ ad-hoc re-sign, and libcurl POSTs of small encrypted archives are concrete detections. If your EDR only flags unsigned apps, this chain will walk past it.
For individuals without fleet tooling, the boring habits still work: keep macOS and browsers current, disable unused browser extensions, use a dedicated browser profile for admin consoles, and never run software that arrived via “here’s the PIN for the installer.” For teams, hunt the IOCs Jamf published (dropper team ID, bundle IDs, GitHub repo, staging domains, LaunchAgent name, staging path) and add process rules for dscl password validation paired with unexpected UI prompts from non-Apple parents.
The threat model shifted; the defaults did not
CrashStealer is not proof that macOS is “as bad as Windows.” It is proof that attackers who care about Mac developer and knowledge-worker machines will pay the cost of a Developer ID, a notarized front end, and a real C++ codebase. Gatekeeper still blocks a lot of low-effort junk. It does not block a careful operator with a signed dropper and a patient second stage.
If you only remember one thing: the trusted first binary may not be the thief. The thief may be the re-signed helper that appears after a password dialog you should never have answered. Adjust detections and habits for that split, or keep assuming the blue check means the story is over.
Sources & further reading
- New CrashStealer malware poses as Apple crash reporting tool — bleepingcomputer.com
- New macOS Stealer Mimics Apple's Crash-Reporting Framework to Steal Browser Credentials — cybersecuritynews.com
- CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks — thehackernews.com
- CrashStealer: C++ macOS Infostealer Posing as Crash Reporter — jamf.com
Emeka has spent over a decade tracking threat actors, vulnerability disclosures, and the evolving landscape of application security, bringing a sharp continent-spanning perspective to his reporting. He's known for translating dense CVE advisories into clear, actionable context that developers and security teams alike actually read.
Discussion 0
No comments yet
Be the first to weigh in.