BleepingComputer reported that a new macOS infostealer named CrashStealer impersonates Apple’s crash reporting tool.
Researchers began tracking the malware in May 2026 and observed it being used in attacks in early July 2026.
CrashStealer uses an application bundle named CrashReporter.app and creates a LaunchAgent named com.apple.crashreporter.helper to blend in with legitimate macOS components.
Jamf researchers said the payload is delivered through a signed and Apple-notarized installer named Werkbit Setup, allowing it to bypass Gatekeeper without warnings.
The malware displays a fake macOS password prompt and validates the submitted password locally using dscl.
CrashStealer targets Keychain data, browser credentials and cookies, more than 80 cryptocurrency wallet extensions, 14 password managers, and files from user directories.
Before exfiltration, the malware encrypts stolen data with AES-256-GCM, stores it in hidden ZIP archives, and uploads it to command-and-control infrastructure using libcurl.
Jamf reported that the campaign uses a fake software site registered in late June and gates downloads behind a meeting PIN.
A new macOS infostealer called CrashStealer is masquerading as Apple’s crash reporting utility to steal high-value credentials and sensitive data from compromised Macs. By targeting Keychain secrets, browser credentials, password managers, cryptocurrency wallets, and local files, the malware aims to capture the identities, authentication artifacts, and business data that attackers can leverage for broader enterprise compromise.
For organizations that manage macOS fleets, the campaign highlights a familiar challenge: legitimate-looking software and trusted installation mechanisms can reduce user suspicion while increasing the likelihood of credential theft. As attackers continue to focus on identity and endpoint data instead of destructive payloads, security teams need visibility into suspicious endpoint behavior alongside strong device and access controls to reduce the impact of a compromised workstation.
CrashStealer is engineered to resemble a legitimate macOS component to reduce suspicion during execution. The malware is distributed as an application bundle named CrashReporter.app, uses Apple-like iconography and metadata, and creates a LaunchAgent named com.apple.crashreporter.helper to blend in with legitimate system processes.
The first-stage Werkbit Setup installer was digitally signed and Apple-notarized, allowing it to pass Gatekeeper’s initial trust checks without the unidentified-developer warning that users typically see for untrusted software. After execution, CrashStealer displays a fake macOS password prompt and validates the entered password locally using the dscl command-line utility before attempting to access protected data.
Once credentials are validated, the malware collects data from multiple sources, including:
Apple Keychain secrets
Browser credentials and session cookies
Password manager artifacts
More than 80 cryptocurrency wallet extensions
Files stored in user directories
Before exfiltration, CrashStealer encrypts the stolen data using AES-256-GCM, packages it into hidden ZIP archives, and uploads it to attacker-controlled infrastructure through libcurl. This combination of trusted distribution, credential harvesting, encrypted staging, and stealthy data exfiltration makes the malware particularly effective against enterprise macOS environments.
Identity Provider Setup: What IT Teams Should Know Before Deployment
Plan a secure identity provider setup with SSO, MFA, modern authentication, and device-aware access using Hexnode.
How Hexnode Helps Reduce the Risk
A layered security approach can limit both the likelihood and impact of credential-stealing malware such as CrashStealer. Hexnode UEM helps IT teams strengthen macOS security by enforcing OS updates, FileVault encryption, device compliance policies, and application control through allowlisting and blocklisting. These controls help reduce exposure to unauthorized software and ensure corporate Macs adhere to security baselines.
Hexnode XDR and endpoint security capabilities can complement these preventive controls by helping security teams identify suspicious endpoint behavior, including:
LaunchAgent persistence indicative of unauthorized software.
Unusual process execution that deviates from expected application behavior.
Credential access attempts targeting sensitive data stores.
Hidden archive creation that may indicate data staging before exfiltration.
Suspicious outbound network activity consistent with data exfiltration attempts.
When security teams identify malicious activity, Hexnode XDR’s one-click remediation capabilities can help them respond quickly by:
Isolating the device to restrict network communication and help contain the threat.
Killing malicious processes to stop suspicious activity running on the endpoint.
Quarantining malicious files to prevent them from being accessed or executed.
Organizations can combine Hexnode UEM, Hexnode XDR, and Hexnode IdP to build layered defenses against identity-focused attacks. Hexnode IdP enables organizations to enforce identity-aware access policies so that only trusted, compliant devices can access sensitive applications and corporate resources. Even if attackers steal credentials or browser sessions, conditional access and device trust requirements can help reduce unauthorized access to business-critical resources.
Featured Resource
What makes Hexnode the go-to UEM vendor in the market?
Download to learn why you should choose Hexnode when there are other vendors in the market claiming to be better than Hexnode.
CrashStealer demonstrates that Apple notarization alone is not a guarantee of safety. Attackers can abuse trusted distribution mechanisms and convincing social engineering to deliver malware that targets enterprise credentials, session tokens, and other sensitive data. Security teams should evaluate software based on its behavior after execution, not just its installation trust signals.
To reduce the risk from modern infostealers, organizations should combine application control, continuous endpoint monitoring, credential hygiene, and rapid incident response with UEM-enforced security baselines. A layered security strategy limits initial compromise, detects suspicious activity earlier, and contains threats before attackers can use stolen credentials to gain broader access across the enterprise.
Try Hexnode free for 14 days
Protect every endpoint before malware steals credentials. See how Hexnode secures enterprise devices.
I’m a technical content writer at Hexnode who loves simplifying tech. I break down complex ideas, remove the fluff, and help readers clearly understand our product for what it actually is: simple, reliable, and built to solve real problems.