New macOS Stealer Impersonates Apple’s Crash Reporter to Steal Browser Credentials

July 15, 2026 | CXO Junction

Leave a Comment / Cybersecurity, Data Protection, Enterprise Technology, Industry News / By cxojunction

Cybersecurity researchers have uncovered CrashStealer, a sophisticated macOS infostealer that disguises itself as Apple’s native crash-reporting utility to steal browser credentials, cryptocurrency wallets, password manager data, and keychain contents before securely transmitting the stolen information to a remote command-and-control server.

macOS infostealer CrashStealer disguising itself as Apple Crash Reporter to steal browser credentials and sensitive data.

First identified by Jamf on VirusTotal in early May 2026 as an unfinished malware sample, the threat matured into active deployment by July. Unlike many common Apple platform stealers that rely on AppleScript or Objective-C, it is written entirely in native C++, making it more advanced and difficult to detect. It is distributed through a signed and notarized disk image named “Werkbit Setup,” allowing it to bypass Gatekeeper before downloading a fake CrashReporter.app that closely resembles Apple’s legitimate utility.

Once executed, the malware verifies the victim’s login password, unlocks the keychain, checks for installed security software, and collects data from Chromium-based browsers, Firefox, cryptocurrency wallet extensions, password managers such as 1Password, Bitwarden, and LastPass, along with files stored in the Documents and Downloads folders. It encrypts the stolen information using AES-256-GCM, applies anti-analysis techniques to evade detection, and installs a LaunchAgent to maintain persistence even after system reboots.

Researchers also linked the campaign to active attacker infrastructure, suggesting it is part of a broader multi-platform operation rather than an isolated tool. The findings highlight the growing sophistication of threats targeting Apple devices, with attackers increasingly using advanced encryption, persistence mechanisms, and trusted application impersonation to evade security controls.

The discovery reinforces the need for organizations and users to download software only from trusted sources, strengthen endpoint security, and continuously monitor for suspicious activity. As cyber threats continue to evolve, proactive security measures and user awareness remain essential to reducing the risk of credential theft and data compromise.

CXO Junction remains dedicated to providing you with exclusive insights into transformative leadership journeys. Stay tuned for more updates as we continue to bring industry news to you.

Source: New macOS Stealer Mimics Apple’s Crash Report Framework to Steal Browser Credentials | Cyber Security News | https://cybersecuritynews.com/macos-stealer-mimics-apples-crash-report/

Latest News