Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks

The Hacker News by The Hacker News
July 13, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Ravie LakshmananJul 13, 2026Endpoint Security / Cybercrime

Cybersecurity researchers have flagged a new macOS information stealer called CrashStealer that’s capable of harvesting sensitive data from compromised systems.

Unlike other information stealers that are built on AppleScript droppers or Objective-C-based wrappers, CrashStealer is implemented in native C++, according to Jamf Threat Labs.

“It validates the victim’s login password locally before harvesting, collects broadly across browsers, cryptocurrency wallets, password managers, and the keychain, encrypts what it collects with AES-GCM before exfiltrating over libcurl, and persists by copying and re-signing itself,” security researcher Thijs Xhaflaire said in a report shared with The Hacker News.

CrashStealer is said to be distributed by means of a signed and Apple-notarized dropper that’s distributed as a disk image file named “Werkbit.app.” Because both the disk image and binary are notarized and carry a valid developer ID (“Emil Grigorov (WWB7JA7AQV)”), it passes Gatekeeper checks.

The disk image itself originates from the domain “werkbit[.]io,” which was registered in June 2026. In an interesting twist, the download is gated behind a meeting PIN, meaning the installer is served only to those site visitors who arrive with the right code rather than everyone.

The discovery of additional domains and shared backend infrastructure tied to the same operation points to CrashStealer being part of a larger, multi-platform campaign.

Once mounted, the disk image presents the user with an installation setup screen that instructs them to right-click the app and choose “Open” to get them to run it. Once launched, the “veltod” executable contacts a GitHub repository (“github.com/mgothiclove”) to retrieve a file named “sys.cache.”

The file is then used to extract a curl command and pull a shell script, which acts as a downloader to fetch and stage the next payload (“CrashReporter.dmg”) and saves it to the “/tmp” directory.

The malware, upon execution, establishes persistence as a LaunchAgent, resists analysis, presents a password prompt and validates the entered credential locally, unlocks the login keychain using the validated password, lists installed security and analysis tooling, before proceeding to collect browser data, cryptocurrency wallet extensions, password manager data, and keychain material.

The complete list of data harvested is below –

  • Credentials from Chromium-family browsers, including Google Chrome, Brave, Microsoft Edge, Opera and Opera GX, Vivaldi, Chromium, and Naver Whale
  • Roughly 80 cryptocurrency wallet extensions, including MetaMask, Phantom, Coinbase, Trust Wallet, Rabby, OKX Wallet, Exodus, Keplr, Solflare, and Backpack
  • 14 password managers, including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass and RoboForm
  • File from ~/Documents and ~/Downloads directories

The harvested data is then packaged into a ZIP archive and exfiltrated to an attacker-controlled server (“179.43.166[.]242”).

“CrashStealer’s delivery chain shows real care: rather than a bare, unsigned lure, the operators front the attack with a signed and notarized dropper that clears Gatekeeper before quietly fetching, re-signing and launching the payload,” Jamf said.

“What sets it apart from the commodity stealer crowd is less what it collects than how it is built: client-side AES-GCM encryption of the collected files, and an emphasis on analysis resistance through control-flow flattening, encrypted strings and layered anti-debugging.”



Source link

The Hacker News

The Hacker News

Next Post
HPE’s Jeremiah Jenson On ‘Net-New’ North America Sales Investment, Pricing ‘To Win’ And The Drive To Take Share

HPE’s Jeremiah Jenson On ‘Net-New’ North America Sales Investment, Pricing ‘To Win’ And The Drive To Take Share

Recommended.

ONSCREEN Joy AI Addresses Growing Senior Care Challenges, Now Available on Tablets for Greater Accessibility

ONSCREEN Joy AI Addresses Growing Senior Care Challenges, Now Available on Tablets for Greater Accessibility

March 27, 2025
The Future of the CIO: Jordi Damià, CEO of Grupo Setesca, to Speak at Info-Tech LIVE 2025 in Barcelona

The Future of the CIO: Jordi Damià, CEO of Grupo Setesca, to Speak at Info-Tech LIVE 2025 in Barcelona

October 20, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio