CrashStealer, a native C++ macOS infostealer that disguises itself as Apple’s built-in crash-reporting utility to harvest browser credentials, cryptocurrency wallets, password manager data, and keychain contents before encrypting and exfiltrating everything to a remote command-and-control server.
Jamf first spotted a suspicious sample on VirusTotal in early May 2026 that appeared to be an infostealer still under construction. By early July, in-the-wild detections confirmed the malware had matured into active deployment, prompting researchers to formally track it as CrashStealer.
Unlike commodity macOS stealers typically built on AppleScript droppers or thin Objective-C wrappers, CrashStealer is written entirely in native C++ around an internal class called MacOSData, setting it apart from families like Atomic (AMOS), MacSync, and Phexia despite overlapping objectives.
Initial access begins with a disk image named “Werkbit Setup,” containing an application bundle signed with a legitimate Developer ID and a stapled notarization ticket allowing it to clear Gatekeeper on first launch.
This is unusual: even the disk image container itself is signed, a rare touch in malicious DMG campaigns. Once opened, the dropper quietly retrieves an obfuscated shell script from GitHub-hosted infrastructure, decodes multiple layers of Base64-encoded commands, and downloads the actual payload disguised as “CrashReporter.app” complete with Apple’s bundle identifier com.apple.crashreporter and a matching icon.
Once running, CrashStealer validates the victim’s login password locally via dscl, unlocks the keychain, and profiles installed security tools before beginning collection. Its scope is extensive:
Chromium-family browsers (Chrome, Brave, Edge, Opera, Vivaldi) and Firefox credential stores
Roughly 80 cryptocurrency wallet extensions spanning Ethereum, Solana, Cosmos, TON, and other ecosystems
14 password managers including 1Password, Bitwarden, and LastPass
The user’s login keychain and broader file-system reconnaissance of Documents and Downloads
This breadth mirrors patterns seen across the modern macOS stealer landscape, where crypto-focused credential theft has become a dominant objective.
What distinguishes CrashStealer technically is its use of client-side AES-256-GCM encryption via Apple’s CommonCrypto framework to encrypt staged data before packaging it into ZIP archives and exfiltrating it over libcurl, a level of operational security not typically seen in commodity AppleScript-based stealers.
This encryption-first approach, paired with anti-analysis measures like control-flow flattening and layered anti-debugging checks, reflects a broader trend of macOS malware families professionalizing their tradecraft, a shift researchers across the industry have flagged as macOS threats evolve from opportunistic scripts into structured, business-like operations.
For persistence, CrashStealer copies and re-signs itself ad hoc, then installs a LaunchAgent labeled com.apple.crashreporter.helper to survive reboots, continuing the Apple-impersonation theme into its persistence layer.
Jamf also linked the campaign to a live operator panel and additional infrastructure domains, suggesting CrashStealer is part of a larger, multi-platform operation rather than an isolated tool.
This discovery adds to a growing body of research showing macOS infostealers rapidly closing the sophistication gap with their Windows counterparts, with detection volumes and technical complexity both climbing sharply through 2025 and into 2026.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.
The post New macOS Stealer Mimics Apple’s Crash Report Framework to Steal Browser Credentials appeared first on Cyber Security News.



