Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Australian Cyber Agency Warns of Global CMS Exploitation Campaign

July 14, 2026

New MacOS Malware Exploits Legitimate Developer ID

July 14, 2026

SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users

July 14, 2026
Facebook X (Twitter) Instagram
Tuesday, July 14
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»New MacOS Malware Exploits Legitimate Developer ID
News

New MacOS Malware Exploits Legitimate Developer ID

Team-CWDBy Team-CWDJuly 14, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


A new form of malware is targeting macOS users by impersonating Apple’s built-in crash-reporting component to trick victims into installing a password-stealing payload.

As detailed by Jamf Threat Labs, CrashStealer is a macOS infostealer designed to harvest login details, cryptocurrency wallets and any other data stored on the system or in the browser.

Written in C++, CrashStealer was first detected in early July. It is delivered through a disk image that impersonates Apple’s built-in crash-reporting component.

The initial way the CrashStealer attack chain begins has not been detailed, but during at least the second stage of the attack, the user is directed to a signed and Apple-notarized dropper, distributed as a disk image named “Werkbit Setup.”

Crucially, this disk image is signed with a valid Apple developer ID and a notarization ticket, which enables it to clear Apple Gatekeeper, the macOS security feature designed to prevent malware execution on first launch.

The user is encouraged to run an application, which looks convincingly like a legitimate software installer. If the user does run the installation, the application reaches out to a GitHub API, which decodes a jumbled script, which after it is decoded becomes a downloader-installer that fetches the CrashStealer payload.

Researchers noted that this process is helped along by how the disk image exploits an application bundle which has been designed to impersonate Apple’s built-in crash-reporting component, further helping the malware to evade detection.

Stealing Login Credentials

Once installed, the infostealer displays a native password prompt styled to resemble a genuine macOS authorization request. This is an effort by the attackers to ensure that they have stolen the correct system login credentials for the machine.

With this confirmed, CrashStealer moves towards its true goal: stealing usernames, passwords and any other credentials stored in the browser, as well as stealing logins for cryptocurrency wallets, password managers and other keychain data that provides them with access to accounts.

“CrashStealer’s delivery chain shows real care: rather than a bare, unsigned lure, the operators front the attack with a signed and notarized dropper that clears Gatekeeper before quietly fetching, re-signing and launching the payload,” Thijs Xhaflaire, senior threat and detections researcher at Jamf Threat Labs, said in a blog posted, published on July 13.

“What sets it apart from the commodity stealer crowd is less what it collects than how it is built: client-side AES-GCM encryption of the collected files, and an emphasis on analysis resistance through control-flow flattening, encrypted strings and layered anti-debugging,” he added.

Researchers note that while CrashStealer appears to have some overlaps with other forms of MacOS malware such as Atomic (AMOS), and MacSync its native C++ implementation and client-side encryption set it apart as a different variant of malware.

After confirming that a Developer Team ID was used to distribute malicious payloads, Jamf Threat Labs reported it to Apple.  Infosecurity has also contacted Apple for comment.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleSCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users
Next Article Australian Cyber Agency Warns of Global CMS Exploitation Campaign
Team-CWD
  • Website

Related Posts

News

SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users

July 14, 2026
News

Lidl Notifies Customers of Third-Party Data Breach

July 14, 2026
News

GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code

July 14, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Here’s how to avoid a ‘second strike’

April 11, 2026

Chronology of a Skype attack

February 5, 2026

‘What happens online stays online’ and other cyberbullying myths, debunked

September 11, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.