New macOS Stealer 'CrashStealer' Mimics Apple's Crash Reporter to Steal Sensitive Data
A sophisticated new macOS infostealer, dubbed CrashStealer, has emerged, impersonating Apple's legitimate crash-reporting utility to pilfer browser credentials, cryptocurrency wallets, and password manager data.

A newly identified native C++ macOS infostealer, named CrashStealer, is actively targeting users by masquerading as Apple's built-in crash-reporting utility. Its primary objective is to steal sensitive information, including browser credentials, cryptocurrency wallets, password manager data, and contents of the macOS keychain, before encrypting and exfiltrating the harvested data to a remote command-and-control (C2) server. Security researchers first observed a preliminary sample in early May 2026, but by July, the malware had evolved into active deployment, prompting its formal tracking.
What sets CrashStealer apart from many other macOS stealers is its development in native C++. Unlike common threats built on simpler scripting languages, CrashStealer utilizes a robust internal class, 'MacOSData,' indicating a more professionalized approach to malware development. This technical sophistication places it in a similar category to advanced macOS malware families, despite sharing common objectives with others like Atomic (AMOS), MacSync, and Phexia.
Initial infection vectors involve a signed DMG file, often named "Werkbit Setup." This disk image contains an application bundle that is not only signed with a legitimate Developer ID but also includes a stapled notarization ticket. This dual signing process allows the payload to bypass macOS's Gatekeeper security feature upon its first launch, a common tactic for ensuring execution.
Once the user opens the DMG, a dropper silently retrieves an obfuscated shell script from GitHub-hosted infrastructure. This script then decodes multiple layers of Base64-encoded commands to download the main payload. The malware cleverly disguises itself as 'CrashReporter.app,' complete with Apple's official bundle identifier (com.apple.crashreporter) and an identical icon, further aiding its deception.
Upon execution, CrashStealer performs several reconnaissance steps. It locally validates the victim's login password using the dscl utility, unlocks the user's keychain, and profiles any installed security tools. This information likely helps it tailor its data collection and evade detection. The malware's scope of data theft is extensive, targeting credential stores from Chromium-based browsers (Chrome, Brave, Edge, Opera, Vivaldi) and Firefox, as well as numerous cryptocurrency wallet extensions across various blockchains like Ethereum and Solana.
Beyond browser and crypto wallet data, CrashStealer also targets 14 different password managers, including popular options like 1Password, Bitwarden, and LastPass. It also accesses the user's primary login keychain and conducts broader file-system reconnaissance within the Documents and Downloads folders. This comprehensive data collection mirrors the evolving landscape of macOS malware, where credential and financial asset theft are increasingly dominant objectives.
Technically, CrashStealer employs client-side AES-256-GCM encryption using Apple's CommonCrypto framework to secure staged data before packaging it into ZIP archives. Exfiltration is handled via libcurl, demonstrating a higher level of operational security than typically seen in less sophisticated macOS stealers. This encryption-first approach, combined with anti-analysis techniques such as control-flow flattening and anti-debugging checks, signifies a trend of professionalization in macOS malware, moving towards more structured and business-like operations.
For persistence, CrashStealer copies and re-signs itself dynamically and installs a LaunchAgent labeled 'com.apple.crashreporter.helper.' This ensures the malware can survive system reboots, continuing its impersonation of a legitimate system process. Jamf's analysis also linked the campaign to a live operator panel and additional infrastructure domains, suggesting CrashStealer is part of a larger, potentially multi-platform operation, highlighting the growing sophistication and organized nature of macOS threats.
This new report highlights that CrashStealer is written in native C++, distinguishing it from other macOS information stealers. Furthermore, it utilizes a notarized dropper to bypass Apple's Gatekeeper security checks, a crucial detail not previously emphasized. The malware also performs local validation of victim passwords before exfiltrating them, adding another layer to its stealth and data harvesting capabilities.
This new report details the technical delivery mechanism of CrashStealer, noting it is distributed via a signed and Apple-notarized installer named 'Werkbit Setup' which bypasses Gatekeeper. The malware also employs a technique of re-signing itself to alter its file hash for persistence, and encrypts exfiltrated data using AES-256-GCM before uploading it to its command-and-control server.