A new macOS information stealer named CrashStealer has been discovered using an Apple-notarized dropper to slip past Gatekeeper protections, according to researchers at Jamf Threat Labs. The malware, written in native C++, collects browser credentials, cryptocurrency wallet data, password manager contents, and keychain material, encrypting the loot with AES-GCM before exfiltration.
Notarized Dropper Evades Apple's Defenses
CrashStealer is distributed as a signed and notarized disk image called "Werkbit.app," which carries a valid Developer ID from "Emil Grigorov (WWB7JA7AQV)." Because Apple's notarization process has approved both the disk image and the binary, the malware passes Gatekeeper checks without triggering warnings. The disk image is hosted on the domain "werkbit[.]io," registered in June 2026, and access is gated behind a meeting PIN — only visitors with the correct code receive the installer.
Once mounted, the disk image prompts the user to right-click and open the app. The initial executable, "veltod," contacts a GitHub repository ("github.com/mgothiclove") to retrieve a file named "sys.cache." That file contains a curl command that downloads a shell script, which in turn fetches the main payload — "CrashReporter.dmg" — and saves it to /tmp.
Sophisticated Data Harvesting and Persistence
After execution, CrashStealer establishes persistence as a LaunchAgent and presents a fake password prompt. It validates the entered credential locally, then uses it to unlock the login keychain. The malware also lists installed security and analysis tools to evade detection. It then proceeds to harvest data from a wide range of sources:
- Credentials from Chromium-based browsers including Google Chrome, Brave, Microsoft Edge, Opera, Opera GX, Vivaldi, Chromium, and Naver Whale.
- Roughly 80 cryptocurrency wallet extensions such as MetaMask, Phantom, Coinbase, Trust Wallet, Rabby, OKX Wallet, Exodus, Keplr, Solflare, and Backpack.
- Fourteen password managers including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass, and RoboForm.
- Files from the ~/Documents and ~/Downloads directories.
All collected data is zipped into an archive and exfiltrated to an attacker-controlled server at IP 179.43.166[.]242 using libcurl.
Part of a Broader Multi-Platform Campaign
Jamf researchers noted that the discovery of additional domains and shared backend infrastructure suggests CrashStealer is part of a larger, multi-platform operation. The malware stands out from typical stealers not just for its notarized delivery chain but also for its technical sophistication — including client-side AES-GCM encryption of stolen files, control-flow flattening, encrypted strings, and layered anti-debugging techniques. "CrashStealer's delivery chain shows real care," said Jamf researcher Thijs Xhaflaire. "Rather than a bare, unsigned lure, the operators front the attack with a signed and notarized dropper that clears Gatekeeper before quietly fetching, re-signing and launching the payload."