CrashStealer macOS information stealer activity
Malware Activity
Summary
Hide ▲
Show ▼
CrashStealer is a macOS information-stealing malware that was tracked in May and seen in attacks in early July. It impersonates Apple's crash-reporting tool by using a fake CrashReporter.app name, a com.apple.crashreporter.helper LaunchAgent, and a signed, Apple-notarized installer to help bypass Gatekeeper. The malware collects keychain data, browser credentials, and data from more than 80 crypto wallet extensions and 14 password managers, then encrypts exfiltrated files with AES-256-GCM before uploading them to a C2 server.
Related Happenings
CrashStealer meeting-PIN delivery campaign
Campaign
H score35
First: 13.07.2026 22:04
Last: 13.07.2026 22:04
Sources 1
How related:
Downloading the payload is gated behind a meeting PIN, which indicates a campaign limited to visitors who provide the right code.
About this happening:
The **CrashStealer** campaign is delivering a **signed, Apple-notarized installer** from a **fake software site** gated by a **meeting PIN**, narrowing infection opportunities to...
CrashStealer meeting-PIN delivery campaign
CampaignHow related: Downloading the payload is gated behind a meeting PIN, which indicates a campaign limited to visitors who provide the right code.
About this happening: The **CrashStealer** campaign is delivering a **signed, Apple-notarized installer** from a **fake software site** gated by a **meeting PIN**, narrowing infection opportunities to...
MacOS.Gaslight AI-analysis evasion malware
Malware Activity
H score22
First: 25.06.2026 19:23
Last: 25.06.2026 19:23
Sources 1
About this happening:
The **macOS.Gaslight** malware family now embeds **prompt injection strings** and fake system-failure messages to confuse **AI-assisted malware analysis** tools, risking aborted o...
MacOS.Gaslight AI-analysis evasion malware
Malware ActivityAbout this happening: The **macOS.Gaslight** malware family now embeds **prompt injection strings** and fake system-failure messages to confuse **AI-assisted malware analysis** tools, risking aborted o...
Gaslight macOS implant with Telegram C2 and prompt-injection payload
Malware Activity
H score29
First: 25.06.2026 12:23
Last: 25.06.2026 12:23
Sources 1
About this happening:
A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...
Gaslight macOS implant with Telegram C2 and prompt-injection payload
Malware ActivityAbout this happening: A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...
MacOS ClickFix Terminal-delivered DMG campaign
Campaign
H score37
First: 23.06.2026 21:30
Last: 23.06.2026 21:30
Sources 1
About this happening:
A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...
MacOS ClickFix Terminal-delivered DMG campaign
CampaignAbout this happening: A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...
Rust-based clipboard hijacker spreading via fake crypto tools
Malware Activity
H score13
First: 18.06.2026 18:00
Last: 18.06.2026 18:00
Sources 1
About this happening:
A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Rust-based clipboard hijacker spreading via fake crypto tools
Malware ActivityAbout this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Timeline
-
13.07.2026 20:36 3 articles · 6h ago
CrashStealer macOS stealer uses a notarized dropper to pass Gatekeeper
Initial DisclosureJamf Threat Labs flagged CrashStealer as a new macOS information stealer implemented in native C++ that is distributed through a signed and Apple-notarized disk image named Werkbit.app, allowing it to pass Gatekeeper checks before staging the payload. The malware validates the victim's login password locally, unlocks the login keychain, collects browser credentials, cryptocurrency wallet data, password manager data, and keychain material, then exfiltrates the stolen archive.
Show sources
- CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks — thehackernews.com — 13.07.2026 20:36
- CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks — thehackernews.com — 13.07.2026 20:36
- New CrashStealer malware poses as Apple crash reporting tool — www.bleepingcomputer.com — 13.07.2026 22:04