CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper

New macOS infostealer CrashStealer uses a signed app to bypass Gatekeeper, steals credentials and wallets, then AES-encrypts stolen data.

Jamf Threat Labs first spotted CrashStealer in early May 2026 as a suspicious macOS sample uploaded to VirusTotal. By early July, in-the-wild detections confirmed the malware had moved from development into active deployment. The malware is written in native C++, impersonates Apple’s built-in crash-reporting framework, and encrypts everything it collects before sending it out. Most commodity macOS stealers are thin AppleScript wrappers or lightweight Objective-C tools. This one isn’t.

The initial access arrives through a disk image called “Werkbit Setup,” which contains a single application named Werkbit.app. That app is signed with a valid Apple Developer ID, Emil Grigorov (WWB7JA7AQV), and carries a notarization ticket, meaning it clears Gatekeeper on first launch without any warning.

The domain werkbit[.]io, which serves the installer, was registered in late June 2026, and access to the download is gated behind a meeting PIN so the malicious installer isn’t visible to casual visitors.

“We have since identified the stage that precedes the payload: a signed and Apple-notarized dropper, distributed as a disk image named “Werkbit Setup,” that retrieves the CrashStealer payload from attacker infrastructure and launches it.” reads the report published by Jamf. “Because the dropper carries a valid Developer ID and a stapled notarization ticket, it clears Gatekeeper on first launch, in contrast to the ad-hoc-signed payload it installs.”

When the victim opens Werkbit.app, it queries the GitHub API and fetches a file called sys.cache from a repository at mgothiclove/pkeys. That file contains the curl command the dropper runs next, pulling a shell script from endpoint-api-v1[.]com. The script isn’t written to disk in readable form: it arrives as a series of Base64-encoded blobs decoded at runtime before being piped directly to bash.

“The script downloads the payload disk image over cleartext HTTP from hxxp://endpoint-api-v1[.]com/d/f1b24e/download, retrying up to three times, and saves it as CrashReporter.dmg in /tmp.” continues the report. “It mounts the image without browsing or verification (hdiutil attach -nobrowse -noverify -noautoopen -quiet), copies the first .app bundle it finds into a hidden directory at /tmp/.CrashReporter, then detaches the image and deletes the downloaded .dmg. “

The dropper then strips the payload’s existing signature and re-signs it ad-hoc before launching it from that hidden /tmp path. An application bundle launching from a hidden directory under /private/tmp is an unusual and high-confidence indicator on its own.

The downloaded disk image contains CrashReporter.app, which carries the bundle identifier com.apple.crashreporter and an icon designed to look like Apple’s built-in crash-reporting component. The Info.plist contains the C2 address, 179.43.166.242, hardcoded as an App Transport Security exception, visible in cleartext.

“This is likely a byproduct of the authors’ test setup, as it would let an operator reach the C2 regardless of how the server is configured. The reliable takeaway is for defenders: the C2 address sits in the property list in cleartext.” continues the report. “This ATS exception appears in the earlier samples we identified but not in the more recent ones, which omit it.”

Later samples drop this exception, suggesting the operator has since moved to a properly configured TLS endpoint and no longer needs to relax Apple’s network security policy.

The TCC usage-description strings in Info.plist are also worth reading carefully. The malware requests full disk access under the framing “CrashReporter requires Full Disk Access for system administration,” alongside permissions for Desktop, Documents, Downloads, and removable volumes. These strings pre-populate whatever macOS shows the victim in the permission prompt, and the Desktop, Documents, Downloads description matches exactly where the file-search component later walks.

After launch, the malware shows a native macOS password prompt and validates whatever the user enters by calling dscl, a legitimate Apple directory-service utility, with the -authonly option. It loops until a correct password is supplied, then caches the validated credential in ~/.cache/.sys_auth with permissions set to 600. That password is immediately reused to unlock the login keychain via Apple’s own security command-line tool.

Collection is broad. The malware targets Chromium-based browsers including Chrome, Brave, Edge, Opera, Vivaldi, and others, Firefox credential stores, approximately 80 cryptocurrency wallet browser extensions including MetaMask, Phantom, Coinbase, Trust Wallet, Rabby, and Exodus, and 14 password managers including 1Password, Bitwarden, LastPass, Dashlane, and KeePassXC. It also runs a file searcher across ~/Documents and ~/Downloads that skips executables, disk images, large archive formats, and media files to keep the collected set small and relevant. The login keychain copy and the validated account password end up in the same staging area as everything else.

What distinguishes CrashStealer from most macOS stealers is what happens to the data before it leaves the machine.

“The encryption is authenticated and reasonably modern. Each item is encrypted with AES-256-GCM through Apple’s CommonCrypto, following the standard sequence of creating a cryptor (CCCryptorCreateWithMode), setting an initialization vector (CCCryptorGCMSetIV), encrypting (CCCryptorGCMEncrypt), and finalizing the authentication tag (CCCryptorGCMFinal).” states the report.”The 32-byte key is derived with PBKDF2-HMAC-SHA256 over 10,000 iterations (CCKeyDerivationPBKDF), using a passphrase together with a salt.”

The salt is hardcoded in the sample, labeled panel_salt_v1, and a nearby cleartext development string reads “using fallback salt — set CONFIG_CRYPTO_SALT for production,” confirming the operator intended this to be configurable and shipped a development default. The collected files are then zipped into hidden archives with a .zx_ prefix followed by eight random hex characters under ~/.cache/com.apple.crashreporter/. The stealer removes the staging directories after archiving but leaves the .zx_.zip archives behind, making them a reliable artifact for defenders to hunt for.

CrashStealer persists by copying itself to ~/Library/Caches/com.apple.crashreporter/CrashReporter.app, re-signing the copy ad-hoc, and installing a LaunchAgent at ~/Library/LaunchAgents/com.apple.crashreporter.helper.plist. The label is com.apple.crashreporter.helper, continuing the Apple impersonation into the persistence layer. KeepAlive is set with SuccessfulExit as false, meaning launchd restarts the process whenever it exits with an error, keeping it resident across reboots.

Anti-analysis measures include control-flow flattening applied broadly across functions, runtime decryption of sensitive strings from an encrypted blob in the binary’s __const section, and layered anti-debugging.

“A constructor that runs before main, during dynamic-linker initialization, uses sysctl with a KERN_PROC / P_TRACED query, the standard macOS debugger check, and terminates with exit code 45 if one is attached, before any malicious behavior runs.” states Jamf. “Patching out that first check is not enough on its own: a second check later in application initialization exits the same way.”

The delivery domain also hosts a dark-themed operator panel at endpoint-api-v1[.]com/login labeled “Command Panel,” independently spotted by MalwareHunterTeam.

Additional operator interfaces tied to the same campaign have been identified at cohezo[.]io, cohezo[.]com, and cordinex[.]io. Jamf reported the Developer Team ID to Apple after confirming it was used to distribute the malicious dropper.

“CrashStealer’s delivery chain shows real care: rather than a bare, unsigned lure, the operators front the attack with a signed and notarized dropper that clears Gatekeeper before quietly fetching, re-signing and launching the payload.” concludes the report.”What sets it apart from the commodity stealer crowd is less what it collects than how it is built: client-side AES-GCM encryption of the collected files, and an emphasis on analysis resistance through control-flow flattening, encrypted strings and layered anti-debugging.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our Newsletter