Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Engineering The Internet For Resilience

July 18, 2026

CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks

July 18, 2026

Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found

July 18, 2026
Facebook X (Twitter) Instagram
Saturday, July 18
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks
News

CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks

Team-CWDBy Team-CWDJuly 18, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Cybersecurity researchers have flagged a new macOS information stealer called CrashStealer that’s capable of harvesting sensitive data from compromised systems.

Unlike other information stealers that are built on AppleScript droppers or Objective-C-based wrappers, CrashStealer is implemented in native C++, according to Jamf Threat Labs.

“It validates the victim’s login password locally before harvesting, collects broadly across browsers, cryptocurrency wallets, password managers, and the keychain, encrypts what it collects with AES-GCM before exfiltrating over libcurl, and persists by copying and re-signing itself,” security researcher Thijs Xhaflaire said in a report shared with The Hacker News.

CrashStealer is said to be distributed by means of a signed and Apple-notarized dropper that’s distributed as a disk image file named “Werkbit.app.” Because both the disk image and binary are notarized and carry a valid developer ID (“Emil Grigorov (WWB7JA7AQV)”), it passes Gatekeeper checks.

The disk image itself originates from the domain “werkbit[.]io,” which was registered in June 2026. In an interesting twist, the download is gated behind a meeting PIN, meaning the installer is served only to those site visitors who arrive with the right code rather than everyone.

The discovery of additional domains and shared backend infrastructure tied to the same operation points to CrashStealer being part of a larger, multi-platform campaign.

Once mounted, the disk image presents the user with an installation setup screen that instructs them to right-click the app and choose “Open” to get them to run it. Once launched, the “veltod” executable contacts a GitHub repository (“github.com/mgothiclove”) to retrieve a file named “sys.cache.”

The file is then used to extract a curl command and pull a shell script, which acts as a downloader to fetch and stage the next payload (“CrashReporter.dmg”) and saves it to the “/tmp” directory.

The malware, upon execution, establishes persistence as a LaunchAgent, resists analysis, presents a password prompt and validates the entered credential locally, unlocks the login keychain using the validated password, lists installed security and analysis tooling, before proceeding to collect browser data, cryptocurrency wallet extensions, password manager data, and keychain material.

The complete list of data harvested is below –

  • Credentials from Chromium-family browsers, including Google Chrome, Brave, Microsoft Edge, Opera and Opera GX, Vivaldi, Chromium, and Naver Whale
  • Roughly 80 cryptocurrency wallet extensions, including MetaMask, Phantom, Coinbase, Trust Wallet, Rabby, OKX Wallet, Exodus, Keplr, Solflare, and Backpack
  • 14 password managers, including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass and RoboForm
  • Files from ~/Documents and ~/Downloads directories

The harvested data is then packaged into a ZIP archive and exfiltrated to an attacker-controlled server (“179.43.166[.]242”).

“CrashStealer’s delivery chain shows real care: rather than a bare, unsigned lure, the operators front the attack with a signed and notarized dropper that clears Gatekeeper before quietly fetching, re-signing and launching the payload,” Jamf said.

“What sets it apart from the commodity stealer crowd is less what it collects than how it is built: client-side AES-GCM encryption of the collected files, and an emphasis on analysis resistance through control-flow flattening, encrypted strings and layered anti-debugging.”



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleGoogle and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found
Next Article Engineering The Internet For Resilience
Team-CWD
  • Website

Related Posts

News

Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found

July 18, 2026
News

ShareFile Threat, Citrix Bleed 2 Ransomware, AI Coding Attacks, and More

July 18, 2026
News

23andMe Faces New Security Mandates in $18m Data Breach Settlement

July 17, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Is it OK to let your children post selfies online?

February 17, 2026

Here’s how to avoid a ‘second strike’

April 11, 2026

Why cybercriminals want to break into your email account

June 29, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.