Find notable cyber news and cases, enriched with sources, timelines, and signals.

CrashStealer meeting-PIN delivery campaign

Campaign
First reported
Last updated
Happening score
H score 35
1 unique sources, 1 articles

Summary

Hide ▲

The CrashStealer campaign is delivering a signed, Apple-notarized installer from a fake software site gated by a meeting PIN, narrowing infection opportunities to a select visitor cohort while improving stealth. The first-stage payload is Werkbit Setup, and the operation was observed in early July after tracking began in May. That access-limited delivery path makes the campaign harder to detect and more likely to reach intended targets.

Related Happenings

CrashStealer macOS information stealer activity

Malware Activity
H score10 First: 13.07.2026 20:36 Last: 13.07.2026 20:36 Sources 1

How related: A new macOS information-stealing malware called CrashStealer pretends to be Apple's crash-reporting tool to steal credentials, keychain data, and crypto wallets.

About this happening: **CrashStealer** is a **macOS information-stealing malware** that was tracked in **May** and seen in attacks in **early July**. It impersonates **Apple's crash-reporting tool** by...

AUDIOFIX and MiniRAT macOS malware activity

Malware Activity
H score34 First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...

JINX-0164 cryptocurrency recruitment-lure campaign

Campaign
H score39 First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...

MiningDropper (BeatBanker) modular Android payload framework with encrypted staging

Technical Analysis
H score22 First: 24.04.2026 14:48 Last: 24.04.2026 14:48 Sources 1

About this happening: **MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...

Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse

Malware Activity
H score31 First: 12.02.2026 16:25 Last: 12.02.2026 16:25 Sources 1

About this happening: **Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through **ClickFix-style Terminal prompts** that silently **download, mount, and launch DMG payloads**. In...

Timeline

  1. 13.07.2026 22:04 2 articles · 4h ago

    CrashStealer campaign uses a PIN-gated fake software site to deliver Werkbit Setup

    Initial Disclosure

    CrashStealer is a macOS information-stealing campaign that Jamf tracked in May, later observed in attacks in early July, and linked to a fake software site registered in late June. The first-stage payload, Werkbit Setup, is delivered as a signed and Apple-notarized installer, and download access is gated behind a meeting PIN to limit visitors who can retrieve it.

    Show sources