Apple has long promoted the Mac as a safer computing choice. Yet a fresh piece of malware shows how determined operators can turn that reputation against users. Security teams at Jamf Threat Labs uncovered CrashStealer this month. The native C++ program poses as Apple’s own crash reporting tool and quietly drains passwords, cryptocurrency wallets, and keychain secrets.
Researchers first spotted samples on VirusTotal in May. Real attacks surfaced in early July. Unlike many macOS stealers built with AppleScript or simple Objective-C layers, this one runs in compiled C++ around an internal class called MacOSData. That choice alone sets it apart. It signals a higher level of investment.
The delivery starts with care. Operators host a disk image called Werkbit Setup on a domain registered in June. Visitors need a meeting PIN to download it. Once mounted, the image displays an installation screen. Users must right-click and open the app. A signed and notarized binary named veltod carries the developer ID Emil Grigorov with team identifier WWB7JA7AQV. Gatekeeper lets it run without complaint. The Hacker News detailed how both the disk image and binary carry valid notarization tickets.
But the real work begins after launch. Veltod reaches out to a GitHub repository under the account mgothiclove. It pulls a file named sys.cache. That file contains instructions to download a shell script from endpoint-api-v1.com. The script arrives in Base64 chunks. Three successive decode steps plus cleanup prepare it for bash execution. And then the second stage arrives. A file called CrashReporter.dmg drops into the temporary directory.
CrashStealer renames itself to match Apple’s CrashReporter.app. It copies to a cache location, removes its quarantine attributes with xattr, and applies an ad-hoc code signature. The new hash helps it slip past tools watching for known bad files. Persistence comes through a LaunchAgent labeled com.apple.crashreporter.helper. The plist sets RunAtLoad to true and KeepAlive with a condition that keeps it alive even after unsuccessful exits. The malware even bundles Apple’s icon to blend in.
Before it steals anything, CrashStealer shows a password prompt styled like a legitimate macOS dialog. It validates the credential locally by calling dscl with the authonly option. Success lets it unlock the login keychain using the security command-line tool. Only then does collection begin. The program checks for analysis tools. It scans for security software and debugging utilities. If it finds signs of scrutiny, behavior changes.
Data theft covers wide ground. The stealer targets Chromium-based browsers including Chrome, Brave, Edge, Opera, Vivaldi, and Naver Whale. It grabs credentials, cookies, and IndexedDB data. Roughly 80 cryptocurrency wallet extensions fall in its sights. MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Rabby, Exodus, Keplr, Solflare, and Backpack are all listed. Password managers do not escape either. 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass, and RoboForm are among the 14 targeted. It also copies files from Documents and Downloads folders while skipping caches, logs, trash, and large media files.
Collected material receives strong protection before it leaves the machine. Each file gets encrypted with AES-256-GCM. The key derives from PBKDF2-HMAC-SHA256 run for 10,000 iterations over a hardcoded salt. Authentication tags ensure integrity. The encrypted files stage in a hidden cache directory. A final zip archive with a random hexadecimal name packages everything. Libcurl then posts the archive to 179.43.166.242 using multipart form data. No readable script stays on disk. Strings arrive encrypted and decode at runtime.
Anti-analysis features run deep. Control-flow flattening breaks linear disassembly. Multiple anti-debug checks query sysctl for P_TRACED flags and exit with code 45 if a debugger appears. The binary resists static review through layered obfuscation. Jamf researcher Thijs Xhaflaire captured the sophistication in his report. “Unlike much of the commodity stealer activity on macOS, which is built on AppleScript droppers or thin Objective-C wrappers, CrashStealer is implemented in native C++ around an internal class the authors named MacOSData,” he wrote. “It validates the victim’s login password locally before harvesting, collects broadly across browsers, cryptocurrency wallets, password managers and the keychain, encrypts what it collects with AES-GCM before exfiltrating over libcurl, and persists by copying and re-signing itself.”
That attention to detail marks a shift. Many stealers grab data and phone home with little protection. CrashStealer encrypts client-side. It re-signs copies to change its hash. It impersonates system components. The dropper clears Gatekeeper. The full chain shows planning. “CrashStealer’s delivery chain shows real care: rather than a bare, unsigned lure, the operators front the attack with a signed and notarized dropper that clears Gatekeeper before quietly fetching, re-signing and launching the payload,” the Jamf team noted in their analysis published today.
The operation stretches beyond macOS. Additional domains point to a multi-platform effort. Windows components share backend infrastructure with names like cohezo.com, icky-lyrical.com, and endpoint-api-v1.com. A dark-themed operator panel sits on one of those domains. It offers a command interface. The same backend supports other campaigns. Researchers tie the infrastructure to at least six related domains registered recently.
Broader trends make this discovery timely. Reports show macOS stealer detections rising sharply. Backdoors increased 67 percent and stealers grew 17 percent last year according to one vendor survey. Malware-as-a-service kits now dominate. Subscription models provide dashboards, support, and modular add-ons. Rust and Go appear more often in new families. Yet CrashStealer stands out for its native compilation and encryption focus.
Defenders face real challenges. The notarized dropper fools Gatekeeper. The password prompt tricks users into handing over credentials. Full Disk Access prompts can be socially engineered. The LaunchAgent survives reboots. Encryption hides data in transit. And the impersonation of CrashReporter.app could lull even cautious users. Security software must watch for unusual LaunchAgents with Apple-like names. Network monitoring should flag connections to 179.43.166.242 and the listed domains.
Apple continues to patch vulnerabilities in macOS Tahoe and Sequoia. Recent updates address issues that could expose sensitive data. But malware like this does not need a vulnerability. It relies on user action and signed binaries. The PIN-gated site adds another social engineering layer. Only targeted visitors receive the dropper.
So what comes next? Operators may refine the anti-analysis further. They could expand wallet coverage or add keylogging. The multi-platform backend suggests the group plans to hit Windows and possibly Linux with similar tools. For now, CrashStealer represents a polished example of where macOS threats head. Native code. Strong encryption. System impersonation. And a delivery chain designed to survive initial scrutiny.
Organizations running Macs in enterprise environments should review their detection rules. Home users need to treat unexpected password prompts with suspicion. And everyone should avoid opening attachments or disk images from unfamiliar sources even if Gatekeeper approves them. The malware may call itself CrashReporter. But the crash it causes belongs to the victim.


WebProNews is an iEntry Publication