All posts

CrashStealer malware impersonates Apple's crash reporter

Manaal KhanJuly 16, 2026 at 4:02 AM5 min read
CrashStealer malware impersonates Apple's crash reporter

Key Takeaways

CrashStealer malware impersonates Apple's crash reporter
Source: Latest news
  • CrashStealer is a new macOS infostealer that mimics Apple's legitimate crash reporting tool to harvest credentials and cryptocurrency wallets
  • The malware uses an Apple-notarized dropper that bypasses Gatekeeper, making initial detection difficult
  • Three defensive habits can block most infostealers: verify .dmg sources, scrutinize password prompts, and avoid pirated software

Security researchers at Jamf have discovered a new macOS infostealer called CrashStealer that disguises itself as Apple's crash reporting tool. The malware targets passwords, keychain entries, and cryptocurrency wallets by displaying fake authorization prompts that mimic genuine macOS system requests.

According to Jamf's July 13 research advisory, CrashStealer is a C++ infostealer that first surfaced through a suspicious VirusTotal upload. The malware appears to have been in development since May but has now been released into active circulation.

Image (Source: Latest news)
Image (Source: Latest news)
Advertisement

How CrashStealer tricks Mac users

Apple's legitimate crash reporter is familiar to anyone who's had software quit unexpectedly. A pop-up window appears asking whether you want to report the error. CrashStealer exploits this familiarity.

When the malware lands on a Mac, it uses convincing aliases: CrashReporter.dmg for installation, CrashReporter.app for the application bundle, and a legitimate-looking icon. The impersonation goes deep enough to fool most users who encounter it.

The malware's most interesting trick is its keychain unlock attempt. CrashReporter displays a fake password prompt that closely mimics a genuine macOS authorization request. Once users enter their credentials, the malware validates them locally before targeting installed password managers, browsers, and cryptocurrency wallets. Everything gets packaged into an encrypted payload and sent to an attacker-controlled server.

Why Gatekeeper didn't stop it

Here's the concerning part. CrashStealer's main .dmg file, distributed as "Werkbit Setup," is a signed and Apple-notarized dropper. This means it carries a valid Developer ID and a stapled notarization ticket.

"Because the dropper carries a valid Developer ID and a stapled notarization ticket, it clears Gatekeeper on first launch, in contrast to the ad-hoc-signed payload it installs," the Jamf researchers note. In plain terms: the .dmg file appears to be a legitimate, trustworthy utility with no immediate red flags. Apple's own security mechanisms let it through.

This isn't the only attack vector Mac users face. ClickFix relies on social engineering to get users to enter and execute command prompts themselves, often through copy-and-paste instructions claiming to "fix" an issue. Huntress researchers have documented Atomic MacOS Stealer being distributed through poisoned AI chatbot conversations that direct victims to malicious websites.

Advertisement

Three habits that block most Mac infostealers

The old belief that Macs are immune to malware is now dangerously outdated. Apple even used this as a marketing point years ago. Times have changed. Mac malware has grown roughly 300% since 2020, according to Malwarebytes data, as the platform's market share makes it an increasingly attractive target.

  1. Always check a .dmg source. You can't see what's inside a disk image from the surface. Downloading cracked or pirated software puts you at high risk of running malware on your own machine. Stick to the Mac App Store or verified developer websites.
  2. Verify password requests. Gatekeeper prompts exist for a reason. If you encounter a password request that seems unusual or unexpected, stop and think. Legitimate system processes rarely ask for your password outside of specific contexts like system updates or app installations you initiated.
  3. Question unexpected prompts. If a crash reporter appears when nothing crashed, or if any system dialog feels off, don't interact with it. Check Activity Monitor for suspicious processes instead.

The AI angle makes this worse

Researchers are seeing AI being abused to write malicious code, improve phishing campaigns, and even orchestrate fully agentic ransomware attack chains. It may be only months or a few years before traditional macOS attack vectors get replaced by AI-driven threats that adapt in real time.

For enterprise security teams, this means endpoint protection needs to go beyond signature-based detection. Behavioral analysis tools that flag unusual keychain access patterns or unexpected network connections to unknown servers become critical.

ℹ️

Logicity's Take

CrashStealer's use of legitimate Apple notarization is the real story here. It exposes a weakness in Apple's trust model: malicious payloads can piggyback on legitimately signed droppers. For organizations running Mac fleets, this means traditional allow-listing based on code signatures isn't enough. Consider endpoint detection tools like CrowdStrike Falcon (enterprise tier, per-endpoint pricing) or Jamf Protect (bundled with Jamf Pro, roughly $4-8 per device monthly) that monitor behavioral anomalies rather than just signatures. The $6.9 billion stolen via malware-enabled cryptocurrency theft globally in recent years suggests the ROI for attackers is substantial, and they'll keep investing in sophisticated delivery mechanisms.

Frequently Asked Questions

How do I know if CrashStealer is on my Mac?

Check Activity Monitor for processes named CrashReporter running when no application has crashed. Look in your Applications folder for unfamiliar apps. If you recently installed something called "Werkbit Setup," investigate immediately and consider using malware removal tools.

Can Apple's Gatekeeper protect me from CrashStealer?

Not entirely. CrashStealer uses a legitimately signed and notarized dropper, which Gatekeeper allows through. The malware payload installed afterward is ad-hoc signed, but by then it's already on your system.

Does CrashStealer target specific cryptocurrency wallets?

The Jamf research indicates CrashStealer targets cryptocurrency wallets broadly, along with password managers and browsers. Specific wallet targets weren't enumerated in the advisory.

Should I disable Apple's crash reporter to stay safe?

No. The legitimate crash reporter is a built-in macOS service that helps Apple improve software stability. Disabling it won't protect you from CrashStealer, which operates as a separate malicious application.

What should I do if I entered my password in a suspicious prompt?

Change your Mac login password immediately. Check your keychain for unauthorized access, reset passwords for any stored accounts, and move cryptocurrency to new wallets with fresh credentials. Run a full malware scan.

ℹ️

Need Help Implementing This?

If you're managing a Mac fleet and want to evaluate endpoint detection tools or review your security posture against infostealers like CrashStealer, reach out to our team at Logicity. We can connect you with vetted security consultants who specialize in enterprise macOS environments.

Source: Latest news

Advertisement
M

Manaal Khan

Tech & Innovation Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.

Related Articles