Key Takeaways

- CrashStealer is a new macOS infostealer that mimics Apple's legitimate crash reporting tool to harvest credentials and cryptocurrency wallets
- The malware uses an Apple-notarized dropper that bypasses Gatekeeper, making initial detection difficult
- Three defensive habits can block most infostealers: verify .dmg sources, scrutinize password prompts, and avoid pirated software
Security researchers at Jamf have discovered a new macOS infostealer called CrashStealer that disguises itself as Apple's crash reporting tool. The malware targets passwords, keychain entries, and cryptocurrency wallets by displaying fake authorization prompts that mimic genuine macOS system requests.
According to Jamf's July 13 research advisory, CrashStealer is a C++ infostealer that first surfaced through a suspicious VirusTotal upload. The malware appears to have been in development since May but has now been released into active circulation.

How CrashStealer tricks Mac users
Apple's legitimate crash reporter is familiar to anyone who's had software quit unexpectedly. A pop-up window appears asking whether you want to report the error. CrashStealer exploits this familiarity.
When the malware lands on a Mac, it uses convincing aliases: CrashReporter.dmg for installation, CrashReporter.app for the application bundle, and a legitimate-looking icon. The impersonation goes deep enough to fool most users who encounter it.
The malware's most interesting trick is its keychain unlock attempt. CrashReporter displays a fake password prompt that closely mimics a genuine macOS authorization request. Once users enter their credentials, the malware validates them locally before targeting installed password managers, browsers, and cryptocurrency wallets. Everything gets packaged into an encrypted payload and sent to an attacker-controlled server.
Why Gatekeeper didn't stop it
Here's the concerning part. CrashStealer's main .dmg file, distributed as "Werkbit Setup," is a signed and Apple-notarized dropper. This means it carries a valid Developer ID and a stapled notarization ticket.
"Because the dropper carries a valid Developer ID and a stapled notarization ticket, it clears Gatekeeper on first launch, in contrast to the ad-hoc-signed payload it installs," the Jamf researchers note. In plain terms: the .dmg file appears to be a legitimate, trustworthy utility with no immediate red flags. Apple's own security mechanisms let it through.
This isn't the only attack vector Mac users face. ClickFix relies on social engineering to get users to enter and execute command prompts themselves, often through copy-and-paste instructions claiming to "fix" an issue. Huntress researchers have documented Atomic MacOS Stealer being distributed through poisoned AI chatbot conversations that direct victims to malicious websites.
Three habits that block most Mac infostealers
The old belief that Macs are immune to malware is now dangerously outdated. Apple even used this as a marketing point years ago. Times have changed. Mac malware has grown roughly 300% since 2020, according to Malwarebytes data, as the platform's market share makes it an increasingly attractive target.
- Always check a .dmg source. You can't see what's inside a disk image from the surface. Downloading cracked or pirated software puts you at high risk of running malware on your own machine. Stick to the Mac App Store or verified developer websites.
- Verify password requests. Gatekeeper prompts exist for a reason. If you encounter a password request that seems unusual or unexpected, stop and think. Legitimate system processes rarely ask for your password outside of specific contexts like system updates or app installations you initiated.
- Question unexpected prompts. If a crash reporter appears when nothing crashed, or if any system dialog feels off, don't interact with it. Check Activity Monitor for suspicious processes instead.
The AI angle makes this worse
Researchers are seeing AI being abused to write malicious code, improve phishing campaigns, and even orchestrate fully agentic ransomware attack chains. It may be only months or a few years before traditional macOS attack vectors get replaced by AI-driven threats that adapt in real time.
For enterprise security teams, this means endpoint protection needs to go beyond signature-based detection. Behavioral analysis tools that flag unusual keychain access patterns or unexpected network connections to unknown servers become critical.
Logicity's Take
CrashStealer's use of legitimate Apple notarization is the real story here. It exposes a weakness in Apple's trust model: malicious payloads can piggyback on legitimately signed droppers. For organizations running Mac fleets, this means traditional allow-listing based on code signatures isn't enough. Consider endpoint detection tools like CrowdStrike Falcon (enterprise tier, per-endpoint pricing) or Jamf Protect (bundled with Jamf Pro, roughly $4-8 per device monthly) that monitor behavioral anomalies rather than just signatures. The $6.9 billion stolen via malware-enabled cryptocurrency theft globally in recent years suggests the ROI for attackers is substantial, and they'll keep investing in sophisticated delivery mechanisms.
Frequently Asked Questions
How do I know if CrashStealer is on my Mac?
Check Activity Monitor for processes named CrashReporter running when no application has crashed. Look in your Applications folder for unfamiliar apps. If you recently installed something called "Werkbit Setup," investigate immediately and consider using malware removal tools.
Can Apple's Gatekeeper protect me from CrashStealer?
Not entirely. CrashStealer uses a legitimately signed and notarized dropper, which Gatekeeper allows through. The malware payload installed afterward is ad-hoc signed, but by then it's already on your system.
Does CrashStealer target specific cryptocurrency wallets?
The Jamf research indicates CrashStealer targets cryptocurrency wallets broadly, along with password managers and browsers. Specific wallet targets weren't enumerated in the advisory.
Should I disable Apple's crash reporter to stay safe?
No. The legitimate crash reporter is a built-in macOS service that helps Apple improve software stability. Disabling it won't protect you from CrashStealer, which operates as a separate malicious application.
What should I do if I entered my password in a suspicious prompt?
Change your Mac login password immediately. Check your keychain for unauthorized access, reset passwords for any stored accounts, and move cryptocurrency to new wallets with fresh credentials. Run a full malware scan.
Need Help Implementing This?
If you're managing a Mac fleet and want to evaluate endpoint detection tools or review your security posture against infostealers like CrashStealer, reach out to our team at Logicity. We can connect you with vetted security consultants who specialize in enterprise macOS environments.
Source: Latest news
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
Related Articles
More in Trending Tech
AI Revolution: How Tech is Transforming the World, One Industry at a Time
From desalination plants in Iran to AI-powered manufacturing, the tech world is abuzz with innovation. Discover how AI is changing the game for small entrepreneurs and what it means for the future of industry. Explore the latest developments in cybersecurity, robotics, and more.

Revolutionizing AI: The Game-Changing Tech That's Making Agents Smarter
A new technology is set to revolutionize the way AI agents learn and adapt, enabling them to accumulate wisdom and apply it to new situations. This innovation has the potential to significantly boost the reliability of AI agents, especially in complex tasks. By converting raw agent trajectories into reusable guidelines, this tech is poised to transform the AI landscape.

The Dark Side of AI: How Bots Are Fueling a Monetized Abuse Ecosystem
A recent analysis of 2.8 million Telegram messages reveals a shocking truth: AI-powered bots are being used to create and sell non-consensual intimate images. These bots can turn ordinary photos into synthetic nude images, and the abuse is being monetized through affiliate programs and subscription-based archives. The researchers behind the study are calling for stricter regulations to combat this growing problem.

AI's Secret Sauce: How Journalism Became the Unlikely Ingredient
A recent study reveals that AI chatbots rely heavily on journalistic sources for their quotes, with one in four coming from news outlets. This shocking discovery has significant implications for the media industry and our understanding of AI's information gathering processes. As AI technology continues to evolve, it's essential to consider the role of journalism in shaping its responses.


