Security researchers have identified a new, sophisticated information-stealing malware targeting Apple macOS users, which they have named CrashStealer. The malware is being distributed through a targeted campaign and employs several deceptive techniques to bypass macOS security features and steal a wide range of sensitive credentials. CrashStealer is packaged in an Apple-notarized installer, allowing it to bypass the Gatekeeper security check. It then masquerades as the native macOS CrashReporter.app utility to social engineer the user into providing their system password. With this password, the malware unlocks the macOS Keychain and proceeds to exfiltrate passwords, browser data, and cryptocurrency wallet information to an attacker-controlled server.
CrashStealer represents a significant threat to macOS users due to its multi-faceted approach to evading detection and stealing data. The campaign, tracked since May 2026, appears to be highly targeted, as the malware installer (Werkbit Setup) is distributed from a fake software website that requires a PIN for access.
The core of the attack is social engineering, built on a foundation of technical deception:
CrashReporter.app, a legitimate system utility, making its request for a password seem plausible to an unsuspecting user.The attack chain for CrashStealer is as follows:
Werkbit Setup installer package.T1553.001 - Gatekeeper Bypass) and is allowed to execute.CrashReporter.app. This is a form of T1204.002 - Malicious File combined with user execution.T1555.003 - Credentials from Password Stores: Keychain.A successful CrashStealer infection can be devastating for a victim. The theft of the entire macOS Keychain gives an attacker access to a vast array of online accounts, including email, banking, and social media. The specific targeting of password managers and over 80 crypto wallets indicates a clear financial motive. Victims face not only the loss of funds from their cryptocurrency wallets but also a complete compromise of their digital identity, which can be used for further fraud, extortion, or attacks against their contacts and employer.
No specific C2 domains, IPs, or file hashes were provided in the source articles.
Security teams and users can hunt for signs of CrashStealer using the following patterns:
Werkbit Setup.pkgCrashReporter.appCrashReporter.app running from an unusual path (i.e., not /System/Library/CoreServices/) is highly suspicious.ps commandCrashReporter.app to unknown IPCrashReporter.appCrashReporter.app from unexpected directories. The legitimate binary resides in a protected system location.Training users to be suspicious of unexpected password prompts, even from seemingly legitimate applications, is the primary defense against this malware's social engineering tactic.
A reputable EDR or antivirus solution for macOS can detect the malicious payload or its behavior, providing a layer of defense beyond Apple's built-in protections.
To detect CrashStealer's masquerading technique, defenders should use an EDR or process monitoring tool on macOS to perform deep process analysis. The key is to baseline the legitimate CrashReporter.app and alert on any deviations. A detection rule should be created to trigger an alert if a process named CrashReporter.app executes from any directory other than its protected system location (/System/Library/CoreServices/). Further, any network activity originating from this process to a non-Apple IP address should be considered highly malicious and be blocked and investigated immediately. This focuses on the malware's core deception TTP.
While notarization allows CrashStealer to bypass basic Gatekeeper checks, a more stringent defense is application allowlisting. In corporate environments, security teams can configure macOS devices to only permit the execution of explicitly approved applications. This would prevent the Werkbit Setup installer from running in the first place, regardless of its notarization status. While challenging to implement in all environments, it is a highly effective control for workstations used by high-risk employees, directly preventing the initial execution of unauthorized and malicious packages.
Security researchers begin tracking the CrashStealer malware campaign.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.