'CrashStealer' macOS Malware Steals Keychain and Crypto Wallet Data

New 'CrashStealer' macOS Malware Bypasses Security to Steal Passwords

HIGH
July 16, 2026
4m read
MalwarePhishingOther

Related Entities

Organizations

Products & Tech

macOSGatekeeperKeychain

Other

CrashStealer

Full Report

Executive Summary

Security researchers have identified a new, sophisticated information-stealing malware targeting Apple macOS users, which they have named CrashStealer. The malware is being distributed through a targeted campaign and employs several deceptive techniques to bypass macOS security features and steal a wide range of sensitive credentials. CrashStealer is packaged in an Apple-notarized installer, allowing it to bypass the Gatekeeper security check. It then masquerades as the native macOS CrashReporter.app utility to social engineer the user into providing their system password. With this password, the malware unlocks the macOS Keychain and proceeds to exfiltrate passwords, browser data, and cryptocurrency wallet information to an attacker-controlled server.


Threat Overview

CrashStealer represents a significant threat to macOS users due to its multi-faceted approach to evading detection and stealing data. The campaign, tracked since May 2026, appears to be highly targeted, as the malware installer (Werkbit Setup) is distributed from a fake software website that requires a PIN for access.

The core of the attack is social engineering, built on a foundation of technical deception:

  • Gatekeeper Bypass: By using an Apple-notarized installer, the malware is initially trusted by macOS, allowing it to run without security warnings.
  • Masquerading: It impersonates CrashReporter.app, a legitimate system utility, making its request for a password seem plausible to an unsuspecting user.
  • Credential Theft: It targets the central password repository on macOS, the Keychain, enabling wholesale theft of stored credentials.

Technical Analysis

The attack chain for CrashStealer is as follows:

  1. Distribution: The victim is lured to a fake software site and downloads the Werkbit Setup installer package.
  2. Initial Execution: Because the installer is notarized by Apple, it bypasses Gatekeeper (T1553.001 - Gatekeeper Bypass) and is allowed to execute.
  3. Social Engineering: The malware runs and presents a fake, but realistic, macOS password prompt, claiming to be from CrashReporter.app. This is a form of T1204.002 - Malicious File combined with user execution.
  4. Keychain Access: If the user enters their password, CrashStealer uses it to unlock the macOS Keychain, gaining access to all stored secrets. This aligns with T1555.003 - Credentials from Password Stores: Keychain.
  5. Collection: The malware systematically steals:
    • Browser credentials and cookies.
    • Data from at least 14 password manager applications (e.g., 1Password, LastPass).
    • Files and data from over 80 different cryptocurrency wallet extensions.
  6. Exfiltration: All collected data is encrypted and sent to a command-and-control (C2) server.

Impact Assessment

A successful CrashStealer infection can be devastating for a victim. The theft of the entire macOS Keychain gives an attacker access to a vast array of online accounts, including email, banking, and social media. The specific targeting of password managers and over 80 crypto wallets indicates a clear financial motive. Victims face not only the loss of funds from their cryptocurrency wallets but also a complete compromise of their digital identity, which can be used for further fraud, extortion, or attacks against their contacts and employer.

IOCs — Directly from Articles

No specific C2 domains, IPs, or file hashes were provided in the source articles.


Cyber Observables — Hunting Hints

Security teams and users can hunt for signs of CrashStealer using the following patterns:

Type
file_name
Value
Werkbit Setup.pkg
Description
The name of the malicious installer package.
Context
Downloads Folder, File System Search
Type
process_name
Value
CrashReporter.app
Description
An instance of CrashReporter.app running from an unusual path (i.e., not /System/Library/CoreServices/) is highly suspicious.
Context
Activity Monitor, ps command
Type
network_traffic_pattern
Value
Outbound connection from CrashReporter.app to unknown IP
Description
The legitimate CrashReporter sends data to Apple. Connections to non-Apple domains are a red flag.
Context
Firewall Logs, Network Monitoring Tools
Type
other
Value
Unexpected password prompt from CrashReporter.app
Description
A password prompt from this application when no application has visibly crashed is a key indicator of the social engineering attempt.
Context
User Observation

Detection & Response

  1. Process Monitoring: Use an EDR or process monitoring tool on macOS to alert on executions of CrashReporter.app from unexpected directories. The legitimate binary resides in a protected system location.
  2. Network Monitoring: Analyze outbound network connections from suspicious processes. Any connection from a process masquerading as a system utility to a non-standard or non-Apple domain should be blocked and investigated.
  3. User Education: Inform users to be extremely wary of unexpected system password prompts, even if they appear to come from a legitimate macOS application. Instruct them to deny the request and report it to security if they are not actively installing software or changing a system setting.

Mitigation

  1. Scrutinize Software Sources: Only download software from the official Mac App Store or directly from the websites of trusted, well-known developers. Avoid downloading software from third-party aggregators or links sent via email.
  2. Principle of Least Privilege: Operate from a non-administrator account for daily tasks. While this malware uses social engineering to get the password, not running as an admin can limit the scope of some malicious actions.
  3. Endpoint Protection: Use a reputable third-party antivirus or EDR solution for macOS. While Gatekeeper is a strong defense, threats like CrashStealer demonstrate that it can be bypassed, and layered defenses are necessary.
  4. Password Manager Best Practices: For users of password managers, ensure the master password is not the same as the system login password. This can provide a layer of separation if the system password is compromised.

Timeline of Events

1
May 1, 2026
Security researchers begin tracking the CrashStealer malware campaign.
2
July 16, 2026
This article was published

MITRE ATT&CK Mitigations

Training users to be suspicious of unexpected password prompts, even from seemingly legitimate applications, is the primary defense against this malware's social engineering tactic.

A reputable EDR or antivirus solution for macOS can detect the malicious payload or its behavior, providing a layer of defense beyond Apple's built-in protections.

Mapped D3FEND Techniques:

In managed environments, using application allowlisting to prevent the execution of unauthorized software like 'Werkbit Setup' can be an effective preventative control.

Mapped D3FEND Techniques:

D3FEND Defensive Countermeasures

To detect CrashStealer's masquerading technique, defenders should use an EDR or process monitoring tool on macOS to perform deep process analysis. The key is to baseline the legitimate CrashReporter.app and alert on any deviations. A detection rule should be created to trigger an alert if a process named CrashReporter.app executes from any directory other than its protected system location (/System/Library/CoreServices/). Further, any network activity originating from this process to a non-Apple IP address should be considered highly malicious and be blocked and investigated immediately. This focuses on the malware's core deception TTP.

While notarization allows CrashStealer to bypass basic Gatekeeper checks, a more stringent defense is application allowlisting. In corporate environments, security teams can configure macOS devices to only permit the execution of explicitly approved applications. This would prevent the Werkbit Setup installer from running in the first place, regardless of its notarization status. While challenging to implement in all environments, it is a highly effective control for workstations used by high-risk employees, directly preventing the initial execution of unauthorized and malicious packages.

Timeline of Events

1
May 1, 2026

Security researchers begin tracking the CrashStealer malware campaign.

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Editorial Standards & Analyst Review

CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.

Tags

MalwaremacOSCrashStealerInfostealerGatekeeperKeychainCryptocurrency

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.