Connect with us

NEWS

CrashStealer Malware Faked Apple’s Crash Reporter to Loot Mac Wallets

Jamf Threat Labs says CrashStealer malware used a notarized Apple developer ID to bypass Gatekeeper and steal Mac passwords and crypto wallets.

Published

on

CrashStealer malware disguised itself as Apple’s built-in crash-reporting tool and slipped past Gatekeeper using a real, notarized developer certificate.

Jamf Threat Labs, the research arm of the Apple device management company Jamf, spotted a suspicious sample in May 2026 and watched it mature into active attacks by early July. The malware was built to raid browser logins, password vaults and cryptocurrency wallets, encrypting everything it stole before sending it to a remote server.

Apple’s notarization checks exist to catch exactly this kind of software before it runs. The first-stage app here cleared that check anyway, using a developer account Jamf has not verified as a genuine identity. Researchers have since tied the operation to five lookalike domains and a Windows installer, evidence the campaign runs well beyond one fake Mac app.

A Fake Meeting App Delivers a Fake Crash Reporter

The infection starts with Werkbit, a supposed video-meeting app distributed from werkbit.io, a domain registered in late June 2026. Getting the installer requires a meeting PIN, so the disk image is served only to visitors who already have the code, not to search engines or casual browsers.

Once launched, Werkbit’s executable, named veltod, quietly contacts a GitHub repository to pull down hidden instructions. Those instructions point to an obfuscated script hosted on separate attacker infrastructure, which fetches, re-signs and launches the real payload. That payload calls itself CrashReporter.app and copies the icon, name and bundle identifier of Apple’s actual crash-reporting component.

Jamf found no zero-click stage in the samples it examined, according to its technical breakdown of the infection chain. A victim still has to download Werkbit, run it, and type a valid Mac password into a prompt before CrashStealer can reach anything valuable. That requirement limits the attack’s reach, though researchers say it does not make the malware harmless.

One Developer ID Beat Every Warning

Gatekeeper is supposed to stop unsigned or unvetted software from launching without a warning. Werkbit avoided that warning entirely because it carried a valid Apple Developer ID, listed under the name Emil Grigorov, with the team identifier WWB7JA7AQV, and a stapled notarization ticket.

Thijs Xhaflaire, a senior threat and detections researcher at Jamf Threat Labs, described the approach in the company’s July 13 report.

CrashStealer’s delivery chain shows real care: rather than a bare, unsigned lure, the operators front the attack with a signed and notarized dropper that clears Gatekeeper before quietly fetching, re-signing and launching the payload.

Jamf reported the Developer Team ID to Apple after confirming it had been used to distribute the malicious dropper. Apple revoked the signing credentials tied to the account, closing off that specific path. Researchers warn that whoever is behind similar campaigns can simply register a new account and start over.

The Target List Spans Eighty Wallets and Fourteen Vaults

Once a victim enters a password, CrashStealer checks it locally with Apple’s own dscl command and asks again if it is wrong. A correct entry unlocks the Mac’s login keychain, and the malware copies login.keychain-db into a hidden folder along with the confirmed password itself.

The collection does not stop at the keychain. CrashStealer’s target list, built during Jamf’s dynamic analysis, reaches into browsers, password managers and crypto wallet extensions across the whole machine.

Data Category Named Examples From Jamf’s Analysis Scope
Password managers 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass, RoboForm 14 applications
Cryptocurrency wallet extensions MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Rabby, Exodus, Keplr, Solflare, Backpack More than 80 extensions, including wallets built for Solana, Cosmos, TON, Sui, Aptos and NEO
Browsers Chrome, Brave, Edge, Firefox, Opera, Vivaldi, Opera GX, NAVER Whale Cookies, saved logins, profiles and extension data
Local files Documents and Downloads folders Skips large media, installers and system directories

Everything CrashStealer collects gets encrypted item by item with AES-256-GCM through Apple’s own CommonCrypto framework before it ever touches disk in the clear, Jamf found. The key is derived through repeated hashing rather than stored outright, then the finished archive is packaged into a hidden ZIP file and sent to the attacker’s server over libcurl.

Why Does the Installer Need a Meeting PIN?

The Werkbit installer sits behind a meeting PIN because whoever runs CrashStealer appears to be choosing targets rather than casting a wide net. Jamf found the download served only to visitors who already had the code, which keeps the malware away from casual browsers, search engines and automated security scanners that might flag it early.

The werkbit.io domain was registered in late June 2026, close to the build date Jamf found in the dropper itself. An early version of the malware reportedly could only be installed with a special PIN, a detail that points toward attacks aimed at specific people or organizations instead of mass distribution.

Five Lookalike Domains Link Werkbit to a Bigger Campaign

Werkbit is not the only front door Jamf found. Researchers identified several lookalike meeting and collaboration domains, with names resembling Cohezo, Cordinex, Synerix, Collabox and Werknova, all tied to a shared backend.

A dark-themed operator login page labeled “Command Panel” turned up on the same attacker-controlled domain that hosts CrashStealer’s second-stage script, a panel independently spotted by the researcher group MalwareHunterTeam. Jamf also found a Windows installer connected to the same infrastructure, pointing to a cross-platform operation rather than a Mac-only scheme.

What we know:

  • Jamf spotted the first CrashStealer sample in May 2026 and confirmed active attacks by early July.
  • Apple revoked the Werkbit certificate after Jamf’s report, closing that specific delivery path.
  • The malware’s target list includes more than 80 crypto wallet extensions and 14 password managers.
  • Related infrastructure includes a Windows installer and at least five lookalike domain names.

What remains unconfirmed:

  • How the earliest victims actually received the Werkbit link or its meeting PIN.
  • The full functions of the attacker’s “Command Panel” login interface.
  • Whether anyone outside Jamf’s own customer base has been compromised, and how many.

Jamf says the shared backend behind these domains suggests one operator running several parallel lures rather than copycats borrowing a single idea.

Full Disk Access Requests Are the Giveaway

CrashStealer’s fake CrashReporter app asks for Full Disk Access under the guise of system administration, then shows a password prompt built to look identical to a genuine macOS authorization window. Apple’s real crash-reporting tools already ship with every Mac, so a separate download claiming to add that feature is worth stopping on alone.

  • Treat any newly downloaded app that asks for your Mac password before you’ve used a single real feature as suspicious.
  • Remember that Apple’s crash-reporting tool is already built into macOS, so a separate download offering it is a warning sign by itself.
  • Check System Settings, then Privacy & Security, then Full Disk Access, along with Login Items & Extensions, for anything unfamiliar.
  • Confirm meeting or collaboration invitations directly with the sender before opening an installer that requires a private PIN.

Piyush Sharma, chief executive of the security platform Tuskira, told Forbes that “CrashStealer shouldn’t be treated as just another Mac malware story.” His concern sits beyond the malware itself: once a Mac’s keychain and password manager are exposed, the harder question is which SaaS accounts, cloud roles and code repositories those same credentials could reach.

Jamf Threat Labs says it continues to monitor this activity and track related infrastructure and variants.

Frequently Asked Questions

What Is CrashStealer, Exactly?

CrashStealer is a macOS information-stealing program written in native C++ around an internal class its authors named MacOSData, according to Jamf. That is a departure from most commodity Mac stealers, which typically rely on AppleScript droppers or thin Objective-C wrappers, and it is one reason Jamf tracks CrashStealer as its own family rather than a variant of Atomic, MacSync or Phexia.

How Can I Tell if CrashStealer Infected My Mac?

Check for a LaunchAgent file at ~/Library/LaunchAgents/com.apple.crashreporter.helper.plist or a hidden copy of the app under ~/Library/Caches/com.apple.crashreporter/, both locations Jamf found the malware uses to survive a restart. CrashStealer also strips its own quarantine flag right after launch, so macOS won’t necessarily re-flag it later, which makes a manual check more reliable than waiting for a Gatekeeper warning.

Did Apple’s Notarization Process Fail?

Apple’s notarization checks submitted software for known malicious code at the moment it is signed, and Werkbit passed that check clean. The dropper then used its verified status to fetch an entirely different payload afterward, a step notarization was never built to catch in real time. Apple revoked the certificate as soon as Jamf reported it, which is the system responding correctly after the fact rather than catching the threat up front.

Does CrashStealer Target Windows Users Too?

Jamf found a Windows installer tied to the same backend infrastructure as Werkbit, alongside several lookalike meeting-app domains, which points to a broader cross-platform operation. The firm has not published a full technical breakdown of that Windows payload, so how closely it mirrors the Mac version’s data-theft targets is still unconfirmed.

What Should I Do if I Already Typed My Password into the Fake Prompt?

Disconnect the Mac from the internet right away, then change your passwords, starting with your Apple Account, email and any password manager, from a separate device you trust. Move cryptocurrency into a new wallet and reinstall macOS entirely, since deleting the original file is not enough. CrashStealer copies itself elsewhere and installs a LaunchAgent that survives a simple deletion.

Has Anyone Confirmed Financial Losses from CrashStealer?

Jamf’s report does not include a public victim count or a confirmed dollar figure lost to the campaign. The PIN-gated download and the malware’s targeted design suggest a small, deliberately chosen group of victims rather than a mass sweep, which is also why researchers believe this was likely aimed at specific individuals or organizations rather than broad distribution.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no nonsense tech news and reviews based on real hands on testing. He has personally tested and reviewed dozens of mid range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending