CrashStealer: A Sophisticated C++ macOS Info-Stealer Evades Gatekeeper
A new macOS information stealer, dubbed **CrashStealer**, has been identified by cybersecurity researchers. Unlike typical macOS malware, this sophisticated threat is implemented in native C++ and leverages Apple notarization to bypass **Gatekeeper** checks, posing a significant risk to IT security professionals and privacy-conscious users.
Cybersecurity researchers at **Jamf Threat Labs** have uncovered **CrashStealer**, a potent new macOS information stealer designed to harvest sensitive data from compromised systems.
What sets **CrashStealer** apart from other macOS info-stealers is its native C++ implementation, a departure from the more common AppleScript droppers or Objective-C-based wrappers.
Security researcher **Thijs Xhaflaire** highlighted the malware's advanced capabilities in a report: "It validates the victim's login password locally before harvesting, collects broadly across browsers, cryptocurrency wallets, password managers, and the keychain, encrypts what it collects with AES-GCM before exfiltrating over libcurl, and persists by copying and re-signing itself."
### Distribution and Evasion Tactics
**CrashStealer** is distributed via a signed and Apple-notarized dropper, presented as a disk image file named "Werkbit.app." This notarization, coupled with a valid developer ID ("Emil Grigorov (WWB7JA7AQV)"), allows the malware to successfully bypass **Gatekeeper** checks, a critical security feature on macOS.
The disk image originates from the domain "werkbit[.]io," which was registered in June 2026. Intriguingly, access to the installer is gated behind a meeting PIN, suggesting a targeted distribution rather than a broad campaign. The discovery of additional domains and shared backend infrastructure indicates that **CrashStealer** may be part of a larger, multi-platform operation.
### Infection Chain and Persistence
Once mounted, the disk image presents a familiar installation setup, instructing users to right-click and choose "Open" to launch the application. This action executes the "veltod" executable, which then contacts a **GitHub** repository ("github.com/mgothiclove") to retrieve a file named "sys.cache."
This file is used to extract a curl command, which subsequently pulls a shell script. This script acts as a downloader, fetching and staging the next payload, "CrashReporter.dmg," in the "/tmp" directory.
Upon execution, the malware establishes persistence as a **LaunchAgent**. It employs analysis resistance techniques, presents a password prompt to validate credentials locally, and then unlocks the login keychain. Before data exfiltration, it enumerates installed security and analysis tools.
### Data Harvested by CrashStealer
**CrashStealer** is designed to broadly collect sensitive information, including:
* **Credentials from Chromium-family browsers**: This includes **Google Chrome**, **Brave**, **Microsoft Edge**, **Opera** and **Opera GX**, **Vivaldi**, **Chromium**, and **Naver Whale**.
* **Approximately 80 cryptocurrency wallet extensions**: Notable targets include **MetaMask**, **Phantom**, **Coinbase**, **Trust Wallet**, **Rabby**, **OKX Wallet**, **Exodus**, **Keplr**, **Solflare**, and **Backpack**.
* **14 password managers**: Such as **1Password**, **Bitwarden**, **LastPass**, **Dashlane**, **Keeper**, **KeePassXC**, **NordPass**, **Enpass**, and **RoboForm**.
* Files from the `~/Documents` and `~/Downloads` directories.
The collected data is then packaged into a ZIP archive and exfiltrated to an attacker-controlled server at "179.43.166[.]242."
### Advanced Features and Analysis Resistance
**Jamf** researchers emphasize the sophistication of **CrashStealer's** delivery and internal mechanisms. "**CrashStealer's** delivery chain shows real care: rather than a bare, unsigned lure, the operators front the attack with a signed and notarized dropper that clears **Gatekeeper** before quietly fetching, re-signing and launching the payload," the report states.
What truly distinguishes **CrashStealer** is its robust build quality, featuring client-side **AES-GCM** encryption of collected files and a strong emphasis on analysis resistance through control-flow flattening, encrypted strings, and layered anti-debugging techniques. This makes detection and analysis significantly more challenging for security professionals.