News thumbnail
Technology / Tue, 14 Jul 2026 LinkedIn

WARNING: New macOS Malware Impersonates Apple's Notarized Installer

Apple's notarization service is designed to scan software for known malicious content before allowing it to run without warning on macOS systems. Malware Masquerades as Apple's Crash ReporterAfter installation, CrashStealer attempts to blend into the operating system by impersonating Apple's legitimate crash-reporting utility. Once the correct password has been entered, the malware gains access to the user's macOS Keychain, Apple's encrypted credential storage system. Growing Threat to macOS UsersThe emergence of CrashStealer underscores the continued evolution of the macOS malware ecosystem. The use of trusted code signing, convincing user interface impersonation, strong encryption, and native binaries demonstrates that macOS malware is rapidly approaching the level of sophistication traditionally associated with Windows-focused threats.

A newly identified macOS information-stealing malware family, dubbed CrashStealer, is raising concerns after leveraging an Apple-notarized installer to bypass one of macOS's most important security protections. By abusing Apple's trusted software signing and notarization process, the malware is able to execute without triggering the Gatekeeper security warnings that users typically rely on to identify potentially malicious applications.

Researchers at Jamf Threat Labs, who first discovered the threat, say CrashStealer is designed to harvest a broad range of sensitive information from infected Macs, including browser credentials, macOS Keychain secrets, password manager databases, cryptocurrency wallet extensions, and user documents. Although analysts first observed samples of the malware in May 2026 while it appeared to still be under active development, the campaign became operational in early July, indicating that the malware has now matured into a fully functional information-stealing platform.

The discovery highlights a growing trend among macOS-focused cybercriminals who are increasingly investing in sophisticated malware capable of bypassing Apple's layered security model while targeting high-value financial and authentication data.

Apple Notarization Abuse Helps Malware Evade Gatekeeper

One of the most notable aspects of the campaign is its use of a signed and Apple-notarized installer known as Werkbit Setup. Apple's notarization service is designed to scan software for known malicious content before allowing it to run without warning on macOS systems. Applications that successfully pass the notarization process are generally trusted by both the operating system and end users.

By obtaining notarization for its installer, the operators behind CrashStealer effectively allow the malware to bypass Gatekeeper, the built-in macOS security feature that checks downloaded applications before they are executed. Instead of displaying the familiar security warning associated with unsigned software, the installer launches as though it were legitimate.

Security researchers have repeatedly warned that attackers continue to exploit weaknesses in software signing ecosystems. While Apple has historically revoked certificates and notarization tickets associated with malicious software after discovery, there is often a window of opportunity during which attackers can distribute malware before those certificates are invalidated.

The abuse of trusted signing infrastructure has become an increasingly common tactic across multiple operating systems because users are far more likely to trust software that appears to originate from a verified developer.

Malware Masquerades as Apple's Crash Reporter

After installation, CrashStealer attempts to blend into the operating system by impersonating Apple's legitimate crash-reporting utility.

The malware installs itself under the name CrashReporter.app, closely resembling the genuine system component responsible for collecting application crash diagnostics. To further reinforce the deception, it copies Apple's iconography and application metadata, making it difficult for users to distinguish the malicious executable from the authentic utility.

Persistence is achieved through the creation of a LaunchAgent named com.apple.crashreporter.helper, another naming convention carefully chosen to resemble legitimate Apple background services.

This type of masquerading technique has become increasingly popular among macOS malware families because most users rarely inspect LaunchAgents or background services, allowing malicious processes to remain active without attracting attention.

Fake Password Prompt Targets macOS Keychain

Once executed, CrashStealer immediately attempts to obtain elevated privileges by displaying what appears to be a legitimate macOS authentication dialog requesting the user's administrator password.

The prompt is carefully designed to resemble Apple's native password request windows, convincing victims they are authorizing a routine administrative task rather than granting malware access to sensitive information.

Rather than transmitting incorrect passwords to a remote server for verification, CrashStealer validates entered credentials locally using the macOS Directory Service command-line utility (dscl). If the supplied password is incorrect, the malware displays a realistic authentication failure and prompts the victim to try again.

This approach significantly increases the likelihood that victims will eventually enter the correct password while avoiding unnecessary communication with its command-and-control infrastructure that could alert defenders.

Once the correct password has been entered, the malware gains access to the user's macOS Keychain, Apple's encrypted credential storage system.

The Keychain may contain:

Safari usernames and passwords

Wi-Fi network credentials

Application login information

Cryptographic certificates

SSH keys

Authentication tokens

Secure Notes

Private encryption keys

Because the Keychain frequently stores credentials used across both personal and enterprise environments, compromising it can provide attackers with access to cloud services, corporate resources, and financial accounts.

Extensive Credential Theft Capabilities

Jamf's analysis shows CrashStealer extends far beyond Keychain theft.

The malware systematically searches multiple browsers for saved usernames, passwords, cookies, session tokens, and browsing data. Targeted browsers include Chromium-based applications such as Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi, as well as Mozilla Firefox.

The theft of browser cookies is particularly valuable to attackers because authenticated session cookies may allow account hijacking without requiring victims' passwords or multi-factor authentication in certain scenarios.

Researchers also found that CrashStealer aggressively targets cryptocurrency users by searching for more than 80 browser wallet extensions.

Among the supported wallets are:

MetaMask

Phantom

Coinbase Wallet

Trust Wallet

Rabby

Exodus

Keplr

Solflare

Cryptocurrency wallets remain attractive targets because stolen seed phrases, private keys, or authenticated wallet sessions can enable attackers to transfer digital assets almost immediately, with transactions often being irreversible.

Password Managers Also Targeted

CrashStealer contains dedicated functionality to locate and steal data from at least 14 popular password management applications, demonstrating a clear focus on credential theft.

The targeted password managers include:

1Password

Bitwarden

LastPass

Dashlane

Keeper

KeePassXC

NordPass

Enpass

RoboForm

Password managers often store credentials for banking platforms, enterprise systems, developer accounts, cloud infrastructure, VPN services, and personal email accounts. Successful compromise of these applications can dramatically expand an attacker's access beyond the initially infected endpoint.

File Collection Focuses on Valuable User Data

In addition to credential theft, CrashStealer searches user directories for files that may contain valuable information.

The malware specifically targets folders such as Documents and Downloads, collecting documents while intentionally avoiding large multimedia files, software installers, and protected system directories that would unnecessarily increase the size of the stolen archive or draw attention to its activity.

This selective approach suggests the malware has been optimized to maximize valuable data collection while minimizing network traffic during exfiltration.

AES-256 Encryption Sets CrashStealer Apart

One of CrashStealer's more technically interesting characteristics is the way it prepares stolen information before transmission.

Rather than sending files directly to its command-and-control server, the malware first encrypts the collected data using the AES-256-GCM encryption algorithm before compressing everything into hidden ZIP archives.

According to Jamf researchers, client-side encryption of stolen information is relatively uncommon among macOS infostealers. Encrypting data before transmission makes it significantly more difficult for network monitoring tools to inspect the contents of outbound traffic and may complicate forensic investigations if the communications are intercepted.

The encrypted archive is ultimately uploaded to the attacker's infrastructure using libcurl, a widely used networking library frequently abused by malware due to its reliability and broad protocol support.

Native C++ Implementation Enhances Stealth

Although CrashStealer shares the same overall objective as established macOS malware families such as Atomic Stealer (AMOS), MacSync, and Phexia, researchers believe it represents a distinct malware family.

Unlike many commodity infostealers that rely heavily on scripting languages or existing frameworks, CrashStealer is implemented as a native C++ application, potentially improving execution speed while reducing dependence on external components.

Researchers also noted the malware performs a self re-signing operation after installation.

Rather than modifying its malicious functionality, this process rewrites portions of the application's code-signature data, resulting in a different file hash while leaving the executable behavior unchanged. This technique can reduce the effectiveness of hash-based detection mechanisms commonly used by antivirus products and threat intelligence platforms.

Limited Distribution Suggests Highly Targeted Campaign

Jamf researchers have not yet identified the malware's complete infection chain, but evidence indicates the campaign is currently operating on a limited scale.

The notarized loader is hosted on a fraudulent software download website registered in late June. Access to the download requires visitors to enter a specific meeting PIN before the payload becomes available.

This additional access control strongly suggests the operators are selectively distributing the malware rather than exposing it to the general public. Such restrictions are commonly observed during testing phases or highly targeted campaigns aimed at specific organizations or groups of victims.

The approach also reduces the likelihood that automated malware scanners or security researchers will discover the payload before attacks begin.

Growing Threat to macOS Users

The emergence of CrashStealer underscores the continued evolution of the macOS malware ecosystem. Once viewed as a relatively niche target, Apple's desktop operating system has become increasingly attractive to financially motivated cybercriminals as enterprise adoption and cryptocurrency usage among Mac users continue to grow.

Recent years have seen a steady increase in sophisticated macOS malware families capable of bypassing security controls, abusing legitimate developer certificates, and targeting cloud credentials, cryptocurrency wallets, and password management platforms.

The use of trusted code signing, convincing user interface impersonation, strong encryption, and native binaries demonstrates that macOS malware is rapidly approaching the level of sophistication traditionally associated with Windows-focused threats.

Mitigation and Defensive Recommendations

Organizations and individual users should ensure macOS systems are kept fully updated and that Apple's XProtect and Gatekeeper protections remain enabled. However, the CrashStealer campaign illustrates that notarized applications should not automatically be considered trustworthy.

Security teams should monitor for unusual LaunchAgent entries, unexpected authentication prompts, and outbound connections to unknown infrastructure. Endpoint detection and response (EDR) solutions capable of behavioral analysis are better positioned to identify threats that successfully bypass traditional signature-based protections.

Users should also exercise caution when downloading software from unfamiliar websites, particularly those requiring invitation codes or meeting PINs before providing installers. Even when macOS reports that software is signed and notarized, verifying the legitimacy of the developer and downloading applications only from trusted vendors or the Mac App Store remains one of the most effective defenses against malware infections.

Jamf has published a comprehensive list of indicators of compromise (IOCs), including malicious filenames, cryptographic hashes, filesystem artifacts, and infrastructure details, enabling defenders to identify systems potentially affected by the CrashStealer campaign and strengthen detection capabilities against future attacks.

© All Rights Reserved.