CrashStealer macOS Malware Bypasses Gatekeeper with Notarized Dropper

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- CrashStealer is a macOS information stealer written in native C++ — unlike AppleScript- or Objective-C-based stealers — and was flagged by Jamf Threat Labs researcher Thijs Xhaflaire.
- The malware is distributed via a signed and Apple-notarized disk image ("Werkbit.app") from werkbit[.]io, registered June 2026 under the developer ID "Emil Grigorov (WWB7JA7AQV)," allowing it to clear Gatekeeper checks.
- The download is gated behind a meeting PIN, meaning the installer is served only to visitors arriving with the correct code, suggesting a targeted rather than mass-distributed campaign.
- The "veltod" executable contacts a GitHub repository (github.com/mgothiclove) to retrieve a file called "sys.cache," which extracts a curl command that fetches a shell script to stage the next payload ("CrashReporter.dmg") in /tmp.
- CrashStealer validates the victim's login password locally, unlocks the login keychain, enumerates installed security tooling, and harvests data from Chromium-family browsers, roughly 80 cryptocurrency wallet extensions (MetaMask, Phantom, Coinbase, Trust Wallet, etc.), 14 password managers (1Password, Bitwarden, LastPass, Dashlane, etc.), and files from ~/Documents and ~/Downloads.
- Harvested data is encrypted client-side with AES-GCM, zipped, and exfiltrated over libcurl to the attacker-controlled server at 179.43.166[.]242.
- Jamf Threat Labs said additional domains and shared backend infrastructure tie CrashStealer to a broader, multi-platform operation, with analysis resistance built in via control-flow flattening, encrypted strings, and layered anti-debugging.
Why it matters: CrashStealer demonstrates that Apple's notarization and Gatekeeper — supposed trust gates for macOS software — can be cleared by a patiently assembled delivery chain, putting every Mac user whose login password it captures at risk of drained crypto wallets and compromised password vaults. Because the installer is PIN-gated and the dropper is properly signed and notarized, the operation points to a resourced actor running a multi-platform campaign rather than a commodity spray.



