Find notable cyber news and cases, enriched with sources, timelines, and signals.

CrashStealer macOS information stealer activity

Malware Activity
First reported
Last updated
Happening score
H score 10
2 unique sources, 2 articles

Summary

Hide ▲

CrashStealer is a macOS information-stealing malware that was tracked in May and seen in attacks in early July. It impersonates Apple's crash-reporting tool by using a fake CrashReporter.app name, a com.apple.crashreporter.helper LaunchAgent, and a signed, Apple-notarized installer to help bypass Gatekeeper. The malware collects keychain data, browser credentials, and data from more than 80 crypto wallet extensions and 14 password managers, then encrypts exfiltrated files with AES-256-GCM before uploading them to a C2 server.

Related Happenings

CrashStealer meeting-PIN delivery campaign

Campaign
H score35 First: 13.07.2026 22:04 Last: 13.07.2026 22:04 Sources 1

How related: Downloading the payload is gated behind a meeting PIN, which indicates a campaign limited to visitors who provide the right code.

About this happening: The **CrashStealer** campaign is delivering a **signed, Apple-notarized installer** from a **fake software site** gated by a **meeting PIN**, narrowing infection opportunities to...

MacOS.Gaslight AI-analysis evasion malware

Malware Activity
H score22 First: 25.06.2026 19:23 Last: 25.06.2026 19:23 Sources 1

About this happening: The **macOS.Gaslight** malware family now embeds **prompt injection strings** and fake system-failure messages to confuse **AI-assisted malware analysis** tools, risking aborted o...

Gaslight macOS implant with Telegram C2 and prompt-injection payload

Malware Activity
H score29 First: 25.06.2026 12:23 Last: 25.06.2026 12:23 Sources 1

About this happening: A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...

MacOS ClickFix Terminal-delivered DMG campaign

Campaign
H score37 First: 23.06.2026 21:30 Last: 23.06.2026 21:30 Sources 1

About this happening: A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...

Rust-based clipboard hijacker spreading via fake crypto tools

Malware Activity
H score13 First: 18.06.2026 18:00 Last: 18.06.2026 18:00 Sources 1

About this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...

Timeline

  1. 13.07.2026 20:36 3 articles · 6h ago

    CrashStealer macOS stealer uses a notarized dropper to pass Gatekeeper

    Initial Disclosure

    Jamf Threat Labs flagged CrashStealer as a new macOS information stealer implemented in native C++ that is distributed through a signed and Apple-notarized disk image named Werkbit.app, allowing it to pass Gatekeeper checks before staging the payload. The malware validates the victim's login password locally, unlocks the login keychain, collects browser credentials, cryptocurrency wallet data, password manager data, and keychain material, then exfiltrates the stolen archive.

    Show sources