- Researchers at Jamf Threat Labs have discovered a new macOS information stealer called CrashStealer that harvests sensitive data from compromised systems.
- Unlike typical AppleScript-based malware, CrashStealer is built in native C++ and uses AES-GCM encryption to protect stolen data before exfiltration.
- The malware targets roughly 80 cryptocurrency wallet extensions, including MetaMask, Phantom, and Coinbase, along with 14 password managers and browser credentials.
- CrashStealer is distributed through a signed and Apple-notarized dropper that bypasses Gatekeeper security checks before deploying the final payload.
Cybersecurity researchers at Jamf Threat Labs have flagged a new macOS information stealer called CrashStealer that harvests passwords, cryptocurrency wallets, and keychain data from infected devices. Unlike other stealthier tools built on AppleScript droppers, CrashStealer is implemented in native C++ and encrypts collected data before exfiltration, according to a report.
The malware is distributed through a signed and Apple-notarized dropper that appears as a disk image named “Werkbit.app,” which passes Gatekeeper checks because it carries a valid developer ID. The disk image originates from the domain “werkbit[.]io,” registered in June 2026, and the installer is gated behind a meeting PIN to limit distribution.
Once launched, the malware contacts a GitHub repository to retrieve a shell script that downloads the final payload from the “/tmp” directory. CrashStealer then establishes persistence as a LaunchAgent and presents a password prompt to validate the user’s credential locally before harvesting data.
The malware collects credentials from Chromium-family browsers, along with data from roughly 80 cryptocurrency wallet extensions, including MetaMask, Phantom, Coinbase, and Trust Wallet. It also extracts information from 14 password managers such as 1Password, Bitwarden, and LastPass, and grabs files from ~/Documents and ~/Downloads directories.
All harvested data is packaged into a ZIP archive and exfiltrated to an attacker-controlled server. Jamf noted that CrashStealer’s delivery chain shows real care, with client-side AES-GCM encryption and an emphasis on analysis resistance through control-flow flattening and encrypted strings.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
