CrashStealer Malware Targets Mac Users via Notarized Apps

A sophisticated new information-stealing malware dubbed CrashStealer has emerged as a significant threat to macOS users, effectively bypassing Apple’s security protocols. Detected in active attacks since July 2026, the malicious software disguises itself as a legitimate application named “Werkbit,” leveraging a valid Apple Developer ID and notarization to evade Gatekeeper protections. Once executed, the malware mimics Apple’s native CrashReporter utility to deceive users into providing their system login passwords. This allows the threat actor to harvest sensitive Keychain data, browser credentials, password managers, and cryptocurrency wallets, posing a severe risk to both personal and financial security on compromised Mac devices.
- The CrashStealer malware utilizes valid Apple-notarized certificates to bypass standard macOS security warnings during installation.
- The threat actor mimics the official Apple CrashReporter interface to illicitly obtain administrative passwords from unsuspecting users.
- Collected sensitive information, including Keychain databases and crypto wallet keys, is encrypted and exfiltrated to remote attacker-controlled servers.
- The malware maintains persistence by creating hidden LaunchAgents that ensure it restarts automatically after every system reboot.
The Malware Mimics Apple’s Official CrashReporter Tools
The infiltration begins through a deceptive website disguised as a professional collaboration platform. Users are prompted to download a disk image, which contains the malicious payload signed by a developer certificate registered under the name “Emil Grigorov.” Because the file is notarized by Apple, it circumvents the traditional security checks that usually alert users to unverified software. 
Once the application is triggered, it initiates a multi-stage infection process. It silently downloads secondary scripts that are obfuscated with multiple layers of Base64 encoding. These scripts deploy the core “CrashReporter.app” component, which is designed to look and behave like a legitimate system maintenance tool, complete with forged bundle identifiers and icons.
The malware specifically targets the user’s login password by presenting a fake authentication prompt that claims to be required for system stability and error reporting.
Critical Data Remains at High Risk of Theft
By successfully capturing the Mac login password, the malware gains the ability to unlock the user’s Keychain database. This gives the attacker access to a wide array of sensitive data, including stored Safari passwords, Wi-Fi credentials, and private cryptographic keys. 
Furthermore, the malware is programmed to scrape data from a variety of Chromium-based browsers, including Google Chrome, Brave, and Microsoft Edge, as well as Firefox. It also targets nearly 80 different cryptocurrency wallet extensions, such as MetaMask, Phantom, and Coinbase Wallet, while simultaneously harvesting data from popular password management tools like 1Password and Bitwarden.
To avoid detection, the collected data is encrypted using AES-256-GCM before being exfiltrated to the attackers’ command-and-control servers. The malware also employs advanced anti-debugging techniques, actively checking for the presence of security software or analysis tools that might expose its operation.
Users Must Take Immediate Protective Actions
Security experts advise users who have interacted with “Werkbit” or similar suspicious installers to act immediately. Affected individuals should change their account passwords from a separate, clean device and enable multi-factor authentication across all sensitive accounts. If cryptocurrency keys were stored on the compromised machine, those assets should be considered compromised and transferred to a new, secure wallet immediately.
Have you ever encountered suspicious software that mimicked legitimate system tools, or do you have tips for identifying these sophisticated threats? Share your experiences and security insights in the comments section below to help keep our community safe.
Your comment has been submitted,
it will be published after approval.