Skip to main content
Emerging ThreatsMalware & Ransomware

Malware Disguises as Apple Tool to Steal macOS Credentials

Cluttered home office desk with Mac computer displaying fake CrashReporter window.

“CrashStealer has a typical infostealer capability set,” researchers reported — but one that specifically targets password managers and more than 80 browser-based cryptocurrency wallets. The macOS threat, tracked in development since May and observed in active use in early July, poses as Apple's CrashReporter component while using notarized, signed installers and a suite of stealthy techniques to harvest high-value secrets.

Masquerade as CrashReporter.app and persistence artifacts

According to researchers at Jamf, the CrashStealer binary impersonates Apple's system component by taking the name “CrashReporter.app,” adopting the legitimate tool’s icon and metadata, and creating a LaunchAgent called “com.apple.crashreporter.helper.” The combination of a familiar filename, matching iconography, and a system-style LaunchAgent is intended to reduce user suspicion and to blend into macOS environments.

When executed, the malware displays a fake macOS password prompt designed to convince the user they are authorizing a legitimate system operation that requires administrator privileges. If the supplied password is wrong, CrashStealer validates the credential locally with the Directory Service command-line tool ‘dscl’ and returns an authentication error, prompting additional entries — behavior that mimics legitimate authentication checks and encourages persistence in entering credentials.

Notarized installer “Werkbit Setup” and Gatekeeper bypass

Jamf’s analysis identifies the initial payload carrier as a signed and Apple-notarized installer labeled “Werkbit Setup.” Because the installer is signed and notarized, Gatekeeper — macOS’s built-in anti-malware check — does not display warnings, allowing the dropper to run without the usual alerts. Jamf says the first-stage payload is hosted on a fake software site that was registered in late June and that access to the download is gated behind a meeting PIN, indicating a campaign with restricted distribution.

Targets: password managers, browsers, 80+ crypto wallets, and user files

Jamf reports CrashStealer focuses on a broad set of credentials and local secrets. The malware targets browser credentials and cookies from Chromium-based browsers and Firefox; it specifically scans for 80 cryptocurrency wallet extensions, including MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Rabby, Exodus, Keplr, and Solflare. The list of targeted password managers includes 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass, and RoboForm — 14 products in total.

CrashStealer also harvests files from user directories such as Documents and Downloads while intentionally skipping large media files, installers, and system directories, indicating a focus on textual and credential-bearing artifacts rather than bulk media exfiltration.

Technical distinctives: encryption, re-signing, native C++ build, and exfiltration

Jamf distinguishes CrashStealer from other macOS infostealers (naming Atomic, MacSync, and Phexia as points of comparison) on the basis of two technical choices. First, CrashStealer encrypts stolen data client-side using AES-256-GCM before packaging it into hidden ZIP archives — an unusually strong choice for this class of malware, according to Jamf. Second, the payload is a native C++ implementation rather than a scripted or interpreted tool.

Before upload, compressed archives are transmitted to command-and-control servers using libcurl. Jamf also notes the payload performs a code re-signing operation for persistence: rewriting the code-signature data in the binary so the file’s hash changes even though its code remains unchanged. Jamf did not disclose full details of the initial distribution chain beyond the fake site and meeting PIN gate, but it emphasizes the campaign's emphasis on stealth through notarization and re-signing.

What this means for Jamf customers, security teams, and macOS users

  • Jamf customers and administrators: Jamf has published an extensive set of indicators of compromise — names, hashes, delivery infrastructure, and filesystem artifacts — that Jamf says defenders can use to detect and block the campaign.
  • Security teams and incident responders: The use of notarized installers and payload re-signing complicates detection that relies on signature or simple file-hash checks; Jamf’s emphasis on client-side encryption and hidden ZIP archives means forensic collection must capture pre-encryption artifacts and outbound network indicators.
  • macOS end users: The malware’s reliance on a convincing, native-looking password prompt and an apparently legitimate CrashReporter name underscores the risk of entering system credentials into dialogs that appear routine; Jamf’s analysis also shows the attacker’s explicit interest in password managers and browser wallet extensions.

Jamf’s timeline — tracking CrashStealer from May while it matured and observing active attacks in early July, with the initial dropper hosted on a fake site registered in late June — paints the picture of a deliberate, targeted campaign that combines social engineering with platform-level evasion. Jamf has released IoCs and artifact details for defenders; one concrete question the facts leave open is the intended audience for the meeting-PIN–gated downloads and who receives that access.

Source: BleepingComputer — New CrashStealer malware poses as Apple crash reporting tool