CrashStealer is a newly identified macOS information stealer built in native C++ that uses a signed and notarized dropper to bypass Gatekeeper, then harvests browser credentials, crypto wallets, password managers, and keychain data. It validates the victim’s password locally, encrypts stolen data with AES-GCM, and exfiltrates it to an attacker-controlled server as part of a broader multi-platform campaign. #CrashStealer #JamfThreatLabs #Werkbit #EmilGrigorov
Keypoints
- CrashStealer is a new macOS information stealer written in native C++.
- It is delivered through a signed and Apple-notarized disk image named Werkbit.app.
- The malware validates the victim’s password locally before stealing data.
- It targets browser credentials, crypto wallets, password managers, and keychain data.
- Stolen files are encrypted with AES-GCM and sent to an attacker-controlled server.
Read More: https://thehackernews.com/2026/07/crashstealer-macos-malware-uses.html