Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New macOS Infostealer CrashStealer Utilizes Signed Apps to Evade Gatekeeper Security



New macOS infostealer CrashStealer has been discovered by Jamf Threat Labs, utilizing signed apps to bypass Gatekeeper security. The malware targets a wide range of applications and services, employs client-side encryption, and utilizes layered anti-debugging to evade detection. This sophisticated threat requires immediate attention from users and defenders alike.

  • CrashStealer is a sophisticated macOS infostealer that has been in use since early May 2026.
  • The malware bypasses Gatekeeper using signed apps, allowing unauthorized access to sensitive data.
  • The initial access vector is through a disk image called "Werkbit Setup" containing the malicious app Werkbit.app.
  • CrashStealer targets various applications and services, including browsers, password managers, and cryptocurrency wallets.
  • The malware employs analysis resistance techniques such as control-flow flattening and client-side encryption to evade detection.
  • CrashStealer persists on infected devices by copying itself to user libraries and installing a LaunchAgent.



  • A new threat actor, known as Jamf Threat Labs, has discovered a sophisticated and highly effective macOS infostealer called CrashStealer. The malware, which has been identified as being in use since early May 2026, utilizes signed apps to bypass the Gatekeeper security mechanism on Apple devices, allowing it to gain unauthorized access to sensitive data.

    According to reports from Jamf Threat Labs, the initial access vector for CrashStealer is through a disk image called "Werkbit Setup," which contains a single application named Werkbit.app. The app is signed with a valid Apple Developer ID and carries a notarization ticket, meaning it clears Gatekeeper on first launch without any warning.

    Upon launching the malicious app, CrashStealer queries the GitHub API to fetch a file called sys.cache from a repository at mgothiclove/pkeys. This cached data contains a curl command that pulls a shell script from endpoint-api-v1[.]com, which is then piped directly to bash for execution.

    The malware targets a wide range of applications and services, including Chromium-based browsers, Firefox credential stores, cryptocurrency wallet browser extensions, password managers, and more. It also runs a file searcher across user directories that skips executables, disk images, large archive formats, and media files to keep the collected set small and relevant.

    What sets CrashStealer apart from other macOS stealers is its emphasis on analysis resistance through control-flow flattening, encrypted strings, and layered anti-debugging. The malware also employs client-side AES-GCM encryption of the collected files, making it more difficult for defenders to detect and analyze the stolen data.

    To persist on infected devices, CrashStealer copies itself to user Library/Caches/com.apple.crashreporter/CrashReporter.app, re-signs the copy ad-hoc, and installs a LaunchAgent at user Library/LaunchAgents/com.apple.crashreporter.helper.plist. This allows the malware to remain resident across reboots.

    In conclusion, CrashStealer is a highly sophisticated and effective macOS infostealer that has been in use since early May 2026. Its emphasis on analysis resistance and client-side encryption make it more difficult for defenders to detect and analyze the stolen data. As with any malware, users are advised to exercise caution when installing signed apps and to keep their operating system and software up-to-date with the latest security patches.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-macOS-Infostealer-CrashStealer-Utilizes-Signed-Apps-to-Evade-Gatekeeper-Security-ehn.shtml

  • https://securityaffairs.com/195278/malware/crashstealer-new-macos-infostealer-uses-signed-apps-to-evade-gatekeeper.html


  • Published: Wed Jul 15 06:06:49 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us