CrashStealer Malware Impersonates Apple App to Steal Mac Passwords
A new macOS infostealer, CrashStealer, uses a notarized installer and mimics Apple's CrashReporter to trick users into revealing administrator passwords, enabling theft of sensitive data from Keychain and other applications.

A sophisticated new malware strain targeting macOS users, dubbed CrashStealer, has been identified by researchers. This infostealer operates by impersonating Apple's legitimate CrashReporter component, employing a deceptive strategy to bypass security measures and gain user trust. By adopting the name "CrashReporter.app" and utilizing the familiar icon and metadata associated with Apple's system tools, the malware aims to appear as a harmless diagnostic utility.
Further enhancing its stealth, CrashStealer leverages an Apple-notarized installer. Notarization is a security process where Apple automatically scans applications for known malware. While this process doesn't guarantee an application is benign, it significantly reduces the likelihood of Gatekeeper, macOS's built-in security feature, flagging the software as malicious. Attackers have exploited this trust mechanism, using notarized installers to slip past initial defenses.
The distribution method for CrashStealer is also noteworthy, involving a fake software website that requires a meeting PIN for access. This suggests a targeted, potentially invitation-only campaign rather than a widespread, indiscriminate attack. The installer, named "Werkbit Setup," is designed to lure unsuspecting users into a false sense of security before initiating its malicious payload.
Once executed, CrashStealer presents users with a fake macOS password prompt that closely resembles legitimate system requests for administrator privileges. When a user enters their password, the malware captures it. This stolen administrator password is then used to unlock and access the macOS Keychain, a secure vault that stores passwords, security certificates, and other sensitive credentials for various applications and services.
Beyond Keychain data, CrashStealer systematically exfiltrates a wide range of sensitive information. This includes credentials and cookies from web browsers, data from cryptocurrency wallet extensions, information stored by password managers, and even small files found in common user directories. The collected data is then encrypted using AES encryption before being transmitted to a command and control (C2) server operated by the attackers.
Researchers have been tracking the development of CrashStealer since May 2026, indicating a persistent and evolving threat. The malware's ability to bypass Gatekeeper through notarization and its sophisticated social engineering tactics highlight the ongoing challenges in securing macOS environments.
This incident serves as a stark reminder that macOS is a prime target for credential-stealing operations. While security features like notarization and Gatekeeper offer valuable layers of protection, they are not infallible. Users must remain vigilant, practice cautious behavior, and employ layered security defenses, including reputable security software and regular system updates, to mitigate the risks posed by evolving threats like CrashStealer.