Japan’s largest taxi operator shuts systems after cyberattack

A new macOS information-stealing malware called CrashStealer pretends to be Apple’s crash-reporting tool to steal credentials, keychain data, and crypto wallets.

Malware researchers started tracking the malware in May, when it appeared to still be in development, but observed it being used in attacks in early July.

CrashStealer has a typical infostealer capability set that seems to focus on password managers and more than 80 crypto wallet extensions.

The CrashStealer infostealer’s binary impersonates Apple’s system component by taking the name ‘CrashReporter.app,’ in an attempt to evade users’ scrutiny and potentially security tools.

Besides the name, the malware also creates a LaunchAgent named ‘com.apple.crashreporter.helper’ and uses the legitimate tool’s icon and metadata to resemble the legitimate tool as much as possible.

According to researchers at Jamf, a company that offers management and security solutions for Apple devices, the payload is delivered via a signed and Apple-notarized installer (“Werkbit Setup”).

This allows it to bypass Gatekeeper, the built-in anti-malware on macOS, without any warnings.

When launched, the malware displays a fake macOS password prompt to convince users that they are authorizing a legitimate system operation that requires administrator privileges.

This password can unlock the user’s Keychain, which contains locally stored secrets and acts as macOS’s encrypted password vault, typically containing Safari logins, Wi-Fi passwords, application passwords, private cryptographic keys, certificates, and tokens.

When the password is provided, the malware validates it locally using ‘dscl’ (Directory Service command-line). If it’s incorrect, CrashStealer returns an authentication error, prompting the user to type it again.

Apart from keychain data, Jamf’s analysis indicates that CrashStealer also targets the following data:

Before exfiltrating the stolen data, CrashStealer encrypts it using the AES-256-GCM algorithm, an unusually strong method for this type of operation, packages it into hidden ZIP archives, and uploads the compressed data to the command-and-control (C2) server using libcurl.

Jamf researchers say that despite the overlap in objective with other infostealer families (e.g., Atomic, MacSync and Phexia), CrashStealer is distinct due to its client-side encryption mechanism and its native C++ implementation.

Jamf did not share details about CrashStealer’s exact initial distribution method, but note that the first-stage payload (Werkbit Setup) is hosted on a fake software site registered in late June.

Downloading the payload is gated behind a meeting PIN, which indicates a campaign limited to visitors who provide the right code.

Jamf researchers say that the CrashStealer campaign is a careful operation focused on stealth by using a signed and notarized malware dropper and a payload that re-signs itself for persistence.

The purpose of the re-signing process is to rewrite the code-signature data in the binary, which causes the file to have a different hash despite the code remaining untouched.

Jamf’s report on CrashStealer shares an extensive set of indicators of compromise that includes the names and hashes for the malicious tools along with details about the delivery infrastructure and filesystem artifacts.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

SHub macOS infostealer variant spoofs Apple security updates

Critical SimpleHelp flaw exploited to deploy new stealer malware

Steam Workshop abused to spread malware via Wallpaper Engine app

New Shai-Hulud malware wave compromises 600 npm packages

Popular node-ipc npm package compromised to steal credentials

Claude Fable 5 stays free for paid users until July 19 as Anthropic buys more time

Australia warns of global campaign targeting vulnerable CMS platforms

‘Ghostcommit’ hides prompt injection in images to fool AI agents, steal secrets

How Mature Is Your AI Security Program? Take the Free AI Maturity Assessment.

Your Scanners Are Green. Your Pipeline Might Not Be. Here’s How to Close the Gap.

Overdue a password health-check? Audit your Active Directory for free

#1 MSP Benchmark report 2026: Insights from 1,000+ MSPs on growth, security, artificial intelligence, and key 2026 trends.

AI is a data-breach time bomb: Read the new report?utm_source=bleepingcomputer&utm_medium=referral&utm_campaign=bleepingcomputer_referral&utm_content=article

Terms of Use – Privacy Policy – Ethics Statement – Affiliate Disclosure

Read our posting guidelinese to learn what content is prohibited.