CrashStealer meeting-PIN delivery campaign
Campaign
Summary
Hide ▲
Show ▼
The CrashStealer campaign is delivering a signed, Apple-notarized installer from a fake software site gated by a meeting PIN, narrowing infection opportunities to a select visitor cohort while improving stealth. The first-stage payload is Werkbit Setup, and the operation was observed in early July after tracking began in May. That access-limited delivery path makes the campaign harder to detect and more likely to reach intended targets.
Related Happenings
CrashStealer macOS information stealer activity
Malware Activity
H score10
First: 13.07.2026 20:36
Last: 13.07.2026 20:36
Sources 1
How related:
A new macOS information-stealing malware called CrashStealer pretends to be Apple's crash-reporting tool to steal credentials, keychain data, and crypto wallets.
About this happening:
**CrashStealer** is a **macOS information-stealing malware** that was tracked in **May** and seen in attacks in **early July**. It impersonates **Apple's crash-reporting tool** by...
CrashStealer macOS information stealer activity
Malware ActivityHow related: A new macOS information-stealing malware called CrashStealer pretends to be Apple's crash-reporting tool to steal credentials, keychain data, and crypto wallets.
About this happening: **CrashStealer** is a **macOS information-stealing malware** that was tracked in **May** and seen in attacks in **early July**. It impersonates **Apple's crash-reporting tool** by...
AUDIOFIX and MiniRAT macOS malware activity
Malware Activity
H score34
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...
AUDIOFIX and MiniRAT macOS malware activity
Malware ActivityAbout this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
H score39
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
JINX-0164 cryptocurrency recruitment-lure campaign
CampaignAbout this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
MiningDropper (BeatBanker) modular Android payload framework with encrypted staging
Technical Analysis
H score22
First: 24.04.2026 14:48
Last: 24.04.2026 14:48
Sources 1
About this happening:
**MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...
MiningDropper (BeatBanker) modular Android payload framework with encrypted staging
Technical AnalysisAbout this happening: **MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...
Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse
Malware Activity
H score31
First: 12.02.2026 16:25
Last: 12.02.2026 16:25
Sources 1
About this happening:
**Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through **ClickFix-style Terminal prompts** that silently **download, mount, and launch DMG payloads**. In...
Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse
Malware ActivityAbout this happening: **Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through **ClickFix-style Terminal prompts** that silently **download, mount, and launch DMG payloads**. In...
Timeline
-
13.07.2026 22:04 2 articles · 4h ago
CrashStealer campaign uses a PIN-gated fake software site to deliver Werkbit Setup
Initial DisclosureCrashStealer is a macOS information-stealing campaign that Jamf tracked in May, later observed in attacks in early July, and linked to a fake software site registered in late June. The first-stage payload, Werkbit Setup, is delivered as a signed and Apple-notarized installer, and download access is gated behind a meeting PIN to limit visitors who can retrieve it.
Show sources
- New CrashStealer malware poses as Apple crash reporting tool — www.bleepingcomputer.com — 13.07.2026 22:04
- New CrashStealer malware poses as Apple crash reporting tool — www.bleepingcomputer.com — 13.07.2026 22:04