CrashStealer is a macOS information-stealing malware family written in native C++ that masquerades as Apple’s crash-reporting utility in order to harvest sensitive data from compromised systems. It has been observed using a signed and Apple-notarized first-stage installer that can pass Gatekeeper checks, after which the payload is staged and launched as a fake crash reporter application. The malware uses Apple-like branding, metadata, and naming conventions to blend in with legitimate system components.
Once executed, CrashStealer presents a convincing macOS password prompt to capture the user’s login credentials, validates the supplied password locally, and uses it to unlock the victim’s login keychain. It then steals browser credentials and cookies from Chromium-based browsers and Firefox, collects keychain contents, targets numerous cryptocurrency wallet extensions, and extracts data from multiple password managers. It also gathers selected files from user directories such as Documents and Downloads while avoiding some large or less useful file types.
CrashStealer performs reconnaissance on installed security and analysis tools and incorporates anti-analysis measures including anti-debugging and obfuscation techniques. For persistence, it copies itself into a user-accessible location, re-signs the copied payload ad hoc, and installs a LaunchAgent configured to run at login. A notable characteristic is its client-side handling of stolen data: collected items are encrypted with AES-256-GCM, staged locally, packaged into hidden ZIP archives, and then exfiltrated to attacker-controlled infrastructure using libcurl.
The malware has been associated with a tightly controlled campaign using gated delivery infrastructure and fake software-themed lures. Researchers have assessed it as a distinct macOS stealer family rather than a variant of Atomic, MacSync, or Phexia, and linked the operation to broader multi-platform infrastructure.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
27 distinct techniques documented for this family, organized by ATT&CK tactic.
When launched, the malware displays a fake macOS password prompt to convince users that they are authorizing a legitimate system operation that requires administrator privileges.
On mount, the disk image presents a polished 'installer' window branded as Werkbit Setup that walks the victim through opening the bundle, instructing them to right-click the app and choose Open... the instruction functions mainly as social engineering to get the victim to run it.
Besides the name, the malware also creates a LaunchAgent named ‘com.apple.crashreporter.helper’
Besides the name, the malware also creates a LaunchAgent named ‘com.apple.crashreporter.helper’
Besides the name, the malware also creates a LaunchAgent named ‘com.apple.crashreporter.helper’
The script is not stored on disk in readable form; its operational strings arrive as a series of Base64 blobs that are decoded at runtime ... Encrypted strings. The sensitive strings, including the command-and-control URL, file-system paths, browser and wallet identifiers, and the software-reconnaissance target list, are stored as an encrypted blob in the __const section and decoded at runtime
The CrashStealer infostealer's binary impersonates Apple's system component by taking the name ‘CrashReporter.app,’ in an attempt to evade users’ scrutiny and potentially security tools. Besides the name, the malware also creates a LaunchAgent named ‘com.apple.crashreporter.helper’ and uses the legitimate tool’s icon and metadata to resemble the legitimate tool as much as possible.
When launched, the malware displays a fake macOS password prompt to convince users that they are authorizing a legitimate system operation that requires administrator privileges.
CrashStealer is said to be distributed by means of a signed and Apple-notarized dropper that's distributed as a disk image file named "Werkbit.app." Because both the disk image and binary are notarized and carry a valid developer ID ("Emil Grigorov (WWB7JA7AQV)"), it passes Gatekeeper checks.
This encryption-first approach, paired with anti-analysis measures like control-flow flattening and layered anti-debugging checks
The malware, upon execution, establishes persistence as a LaunchAgent, resists analysis... lists installed security and analysis tooling
It mounts the image ... copies the first .app bundle it finds into a hidden directory at /tmp/.CrashReporter ... In-the-wild detections revealed that the bundle executed from a hidden directory under /private/tmp ... The harvested data is written into hidden per-run directories beneath the staging root
It clears extended attributes on the staged bundle with xattr -cr ... Immediately after launch, the binary shells out to clear the extended attributes on its own path ... xattr -cr strips all extended attributes in a single sweep, so both the com.apple.quarantine flag and the com.apple.lastuseddate#PS timestamp come off at once.
CrashStealer also targets the following data: Browser credentials and cookies from Chromium-based browsers and Firefox
This password can unlock the user’s Keychain, which contains locally stored secrets and acts as macOS’s encrypted password vault, typically containing Safari logins, Wi-Fi passwords, application passwords, private cryptographic keys, certificates, and tokens.
For browser data, the stealer targets Chromium-family browsers ... and produces artifacts named after Firefox's logins.json credential store
It presents a password prompt and validates the entered credential locally ... As many macOS stealers do, it validates the entered credential locally by invoking dscl ... with the -authonly option before proceeding ... The validated password is written to a local cache file
Reconnaissance of security tooling ... For each application in a target list it issues a paired set of commands, first reading the application's version, then measuring its on-disk size ... The skew toward analysis, endpoint security and EDR tooling suggests the routine is aimed at least in part at profiling the defensive environment.
The user’s login keychain and broader file-system reconnaissance of Documents and Downloads
This encryption-first approach, paired with anti-analysis measures like control-flow flattening and layered anti-debugging checks
Before exfiltrating the stolen data, CrashStealer encrypts it using the AES-256-GCM algorithm, an unusually strong method for this type of operation, packages it into hidden ZIP archives, and uploads the compressed data to the command-and-control (C2) server using libcurl.
Before exfiltrating the stolen data, CrashStealer encrypts it using the AES-256-GCM algorithm, an unusually strong method for this type of operation, packages it into hidden ZIP archives, and uploads the compressed data to the command-and-control (C2) server using libcurl.
37 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A macOS information stealer written in native C++ that validates the victim's login password locally, unlocks the login keychain, harvests data from browsers, cryptocurrency wallets, password managers, and user files, encrypts stolen data with AES-GCM, exfiltrates it via libcurl, and persists by copying and re-signing itself as a LaunchAgent.
A native C++ macOS infostealer that impersonates Apple CrashReporter, steals browser credentials, cryptocurrency wallet data, password manager data, and keychain contents, encrypts the collected data with AES-256-GCM, packages it into ZIP archives, exfiltrates it via libcurl, and persists through a LaunchAgent.
A native C++ macOS infostealer that impersonates Apple's CrashReporter component, validates the victim's password locally, unlocks and copies the login keychain, steals browser credentials, wallet and password-manager data, encrypts stolen data with AES-256-GCM, exfiltrates it to C2, and persists via an ad-hoc re-signed copy plus a LaunchAgent.
A macOS infostealer that impersonates Apple's CrashReporter, uses a signed and notarized installer to bypass Gatekeeper, prompts users for their password to unlock Keychain data, steals browser credentials/cookies, cryptocurrency wallet extensions, password manager data, and selected user files, then encrypts the stolen data with AES-256-GCM and exfiltrates it to a C2 server.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.