News

CrashStealer: New macOS Malware Targets Sensitive Data with Sophisticated Techniques

A newly discovered macOS malware, CrashStealer, steals sensitive data, bypasses Gatekeeper, and uses advanced encryption techniques.

CrashStealer is a sophisticated macOS malware that targets browsers, cryptocurrency wallets, and password managers. It evades detection and exfiltrates data securely, highlighting a growing threat to macOS security.

CrashStealer: A New macOS Malware Steals Sensitive Data

Cybersecurity researchers have identified a new macOS information stealer called CrashStealer, which is designed to harvest sensitive data from compromised systems. Unlike traditional macOS malware, CrashStealer is implemented in native C++, making it more robust and harder to detect, according to Jamf Threat Labs.

How CrashStealer Works

CrashStealer is distributed through a signed and Apple-notarized dropper disguised as a disk image file named "Werkbit.app." The file carries a valid developer ID, allowing it to bypass macOS Gatekeeper checks. The disk image originates from the domain "werkbit[.]io," registered in June 2026, and is gated behind a meeting PIN, limiting access to specific users.

Once installed, the malware executes a series of steps to steal data:

  • It validates the victim's login password locally.
  • It collects data from browsers, cryptocurrency wallets, password managers, and the keychain.
  • It encrypts the harvested data using AES-GCM encryption before exfiltrating it via libcurl.
  • It persists on the system by copying and re-signing itself.

Data Targeted by CrashStealer

The malware targets a wide range of sensitive information, including:

  • Credentials from Chromium-based browsers (e.g., Google Chrome, Brave, Microsoft Edge).
  • Data from approximately 80 cryptocurrency wallet extensions, including MetaMask, Phantom, and Trust Wallet.
  • Information from 14 popular password managers, such as 1Password, Bitwarden, and LastPass.
  • Files from the ~/Documents and ~/Downloads directories.

The stolen data is packaged into a ZIP archive and sent to an attacker-controlled server.

Sophisticated Delivery and Evasion Techniques

CrashStealer's delivery mechanism is notably sophisticated. It uses a signed and notarized dropper to bypass Gatekeeper, making it harder for users to detect the threat. Additionally, the malware employs several techniques to resist analysis, including:

  • Control-flow flattening to obfuscate its behavior.
  • Encrypted strings to hide its operations.
  • Layered anti-debugging measures to evade detection.

Part of a Larger Campaign

Researchers have linked CrashStealer to a broader, multi-platform campaign due to the discovery of additional domains and shared backend infrastructure. This suggests that the malware is part of a coordinated effort to target users across different operating systems.

Conclusion

CrashStealer represents a significant threat to macOS security, combining advanced encryption, evasion techniques, and a broad data-harvesting scope. Users are advised to remain vigilant and ensure their systems are protected against such sophisticated threats.