CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks

CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks
CrashStealer is a newly identified macOS information stealer built in native C++ that uses a signed and notarized dropper to bypass Gatekeeper, then harvests browser credentials, crypto wallets, password managers, and keychain data. It validates the victim’s password locally, encrypts stolen data with AES-GCM, and exfiltrates it to an attacker-controlled server as part of a broader multi-platform campaign. #CrashStealer #JamfThreatLabs #Werkbit #EmilGrigorov

Keypoints

  • CrashStealer is a new macOS information stealer written in native C++.
  • It is delivered through a signed and Apple-notarized disk image named Werkbit.app.
  • The malware validates the victim’s password locally before stealing data.
  • It targets browser credentials, crypto wallets, password managers, and keychain data.
  • Stolen files are encrypted with AES-GCM and sent to an attacker-controlled server.

Read More: https://thehackernews.com/2026/07/crashstealer-macos-malware-uses.html