• 2 min read
New macOS malware slips past Gatekeeper
Jamf says a notarized macOS infostealer called CrashStealer mimics Apple crash tools and steals Keychain, browser, wallet, and password data.

Image: TechRadar
A newly spotted macOS infostealer is disguising itself as an Apple crash reporting tool while slipping past Gatekeeper, according to researchers at Jamf.
The malware, dubbed CrashStealer, is written in C++ and is designed to steal login credentials, Keychain data, and information tied to more than 80 cryptocurrency wallets. Jamf said it is likely being distributed through a fake software site called “Werkbit Setup” that was only registered recently.
Victims reportedly reach the site through social media recommendations or search engine results. Before downloading, they must enter a PIN code — a step Jamf believes helps the operators avoid researcher scrutiny while making the offer seem more credible and exclusive.
The bigger concern is how the malware gets onto systems. Jamf said the payload arrives as a signed and Apple-notarized installer, packaged in a disk image named “Werkbit Setup”, allowing it to bypass Gatekeeper without triggering warnings normally shown for third-party apps.

Recommended reading
Joomla extension bugs hit CISA’s exploited list
Once launched, the installer drops a binary named CrashReporter.app and creates a LaunchAgent called com.apple.crashreporter.helper. Users are then shown a fake macOS password prompt. If they comply, the malware can unlock the user’s Keychain and exfiltrate stored secrets, including passwords and private cryptographic keys, to a third-party server.
Jamf said the malware also collects:
- Browser credentials and cookies from most browsers
- Data from 80 cryptocurrency wallet extensions
- Information from 14 password managers
- Locally stored files
According to Jamf, CrashStealer shares some overlap with other known infostealers such as AMOS, but stands out for its client-side encryption mechanism and native C++ implementation.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via TechRadar


