"It validates the victim's login password locally before harvesting," security researcher Thijs Xhaflaire said in a report shared with The Hacker News.
That sentence is a useful shorthand for the technical care embedded in a newly disclosed macOS information stealer called CrashStealer. Researchers at Jamf Threat Labs have flagged the threat as a native C++ stealer that uses an Apple-notarized, signed dropper to pass Gatekeeper checks and quietly fetch a second-stage payload that harvests a broad set of secrets from compromised machines.
Notarized dropper: Werkbit.app and a gated download
CrashStealer’s initial lure is distributed as a disk image named "Werkbit.app" that carries both notarization and a valid developer ID labeled "Emil Grigorov (WWB7JA7AQV)," allowing it to clear Apple’s Gatekeeper. Jamf Threat Labs notes the disk image originates from the domain "werkbit[.]io," which the researchers say was registered in June 2026. The site does not serve the installer to all visitors: the download is gated behind a meeting PIN, so only users who arrive with the correct code are given the installer.
The disk image presents an installation screen instructing users to right‑click the app and choose "Open" to launch it, a user-flow that helps the notarized binary execute despite macOS warnings that might otherwise deter casual clicks.
Delivery chain: veltod, GitHub, and CrashReporter.dmg
Once launched, the binary named "veltod" begins the staged fetch. Jamf’s analysis shows it contacts a GitHub repository at "github.com/mgothiclove" to retrieve a file called "sys.cache." That file is parsed to extract a curl command, which downloads a shell script. The script acts as a downloader and stages the next payload, "CrashReporter.dmg," which is saved into "/tmp" before execution.
Jamf summarizes the chain as deliberate and layered: rather than shipping an unsigned lure, the operators use a signed and notarized dropper that clears Gatekeeper and then quietly fetches, re-signs, and launches the real payload.
Data collection, encryption, and exfiltration
CrashStealer targets a broad set of assets. Jamf Threat Labs lists the complete harvest as including: credentials from Chromium-family browsers (Google Chrome, Brave, Microsoft Edge, Opera and Opera GX, Vivaldi, Chromium, and Naver Whale); roughly 80 cryptocurrency wallet extensions (including MetaMask, Phantom, Coinbase, Trust Wallet, Rabby, OKX Wallet, Exodus, Keplr, Solflare, and Backpack); 14 password managers (including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass and RoboForm); and files from the user’s ~/Documents and ~/Downloads directories. The malware also attempts to unlock the login keychain after presenting a password prompt and validating the entered credential locally.
What it collects is bundled into a ZIP archive, encrypted client-side with AES‑GCM, and exfiltrated using libcurl to an attacker-controlled server at "179.43.166[.]242." Jamf emphasized the distinction between what CrashStealer harvests and how it is engineered, noting the client-side AES‑GCM encryption before exfiltration.
Persistence, anti-analysis measures, and architecture
CrashStealer establishes persistence on infected machines by installing itself as a LaunchAgent and by copying and re-signing its own binaries. Jamf found multiple anti-analysis techniques baked into the code: control-flow flattening, encrypted strings, and layered anti-debugging checks. The implementation is native C++, which Jamf contrasts with other macOS stealers that rely on AppleScript droppers or Objective-C wrappers.
The collection routine includes steps to list installed security and analysis tooling before proceeding, and the malware’s layered design is intended to frustrate reverse engineering and runtime inspection.
What this means for security teams, macOS administrators, and adversaries
- Security teams: Watch for signed, notarized droppers originating from unexpected domains and for binaries that contact "github.com/mgothiclove" or download files named "sys.cache" or "CrashReporter.dmg." Network detections that flag connections to "179.43.166[.]242" could also expose exfiltration attempts.
- macOS administrators and enterprises: Notarization and a valid developer ID do not guarantee benign intent; Jamf’s analysis shows a notarized dropper was used explicitly to clear Gatekeeper and stage a secondary payload that re-signs itself and persists as a LaunchAgent.
- Adversaries and operators: The discovery of additional domains and shared backend infrastructure suggests CrashStealer is one element of a larger, multi-platform campaign; the use of a meeting-PIN–gated download and the re-signing behavior shows operational care to evade broad detection.
Jamf summed the operation plainly: "CrashStealer's delivery chain shows real care: rather than a bare, unsigned lure, the operators front the attack with a signed and notarized dropper that clears Gatekeeper before quietly fetching, re-signing and launching the payload." The specific artifacts—Werkbit.app, the developer ID "Emil Grigorov (WWB7JA7AQV)," the GitHub repository "github.com/mgothiclove," the staged "CrashReporter.dmg" in /tmp, and the exfiltration endpoint "179.43.166[.]242"—create a concrete trail for defenders to follow. They also underline a clear operational choice by the operators: leverage platform trust mechanisms and a multi-step staging process to move a powerful native C++ stealer into target systems.




