Cybersecurity researchers have identified a new macOS information stealer called crashstealer It is capable of collecting sensitive data from compromised systems.
According to Jamf Threat Labs, unlike other information stealers built on AppleScript droppers or Objective-C-based wrappers, CrashStealer is implemented in native C++.
“It validates the victim’s login passwords locally before harvesting, collects broadly across browsers, cryptocurrency wallets, password managers, and Keychains, encrypts what it collects with AES-GCM before infiltrating libcurl, and continues by copying and re-signing itself,” security researcher Thijs Zaffler said in a report shared with The Hacker News.
CrashStealer is said to be distributed via a signed and Apple-notarized dropper that is distributed as a disk image file named “Workbit.app”. Because both the disk image and the binary are notarized and contain a valid developer ID (“Emil Grigorov (WWB7JA7AQV)”), it passes Gatekeeper checks.
The disk image itself is generated from the domain “workbit”[.]io,” which was registered in June 2026. In an interesting twist, the download is placed behind a meeting pin, meaning the installer is only served to site visitors who come with the correct code instead of everyone else.
The discovery of additional domains and shared backend infrastructure linked to the same operation points to CrashStealer being part of a larger, multi-platform campaign.
Once mounted, the disk image presents the user with an installation setup screen that instructs them to right-click on the app and select “Open” to run it. Once launched, the “weltod” executable contacts the GitHub repository (“github.com/mgothiclove”) to retrieve a file named “sys.cache”.
The file is then used to extract the curl command and pull the shell script, which acts as the downloader to fetch and stage the next payload (“CrashReporter.dmg”) and save it to the “/tmp” directory.
The malware, upon execution, establishes persistence as a LaunchAgent, resists analysis, presents a password prompt and validates entered credentials locally, unlocks the login Keychain using a valid password, enumerates installed security and analysis tooling before proceeding to collect browser data, cryptocurrency wallet extensions, password manager data and Keychain content.
The full list of data collected is below –
- Credentials from Chromium-family browsers, including Google Chrome, Brave, Microsoft Edge, Opera and Opera GX, Vivaldi, Chromium, and Naver Whale
- Nearly 80 cryptocurrency wallet extensions including MetaMask, Fantom, Coinbase, Trust Wallet, Rabbi, OKEx Wallet, Exodus, KPLR, Soulflare, and Backpack
- 14 password managers, including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeepPassXC, NordPass, NPass, and RoboForm.
- File from ~/Documents and ~/Downloads directories
The collected data is then packed into a zip archive and sent to an attacker-controlled server (“179.43.166[.]242”).
“CrashStealer’s delivery chain shows real care: Instead of a bare, unsigned lure, operators counter the attack with a signed and notarized dropper that clears the gatekeeper before silently fetching, re-signing, and launching the payload,” Jamf said.
“What sets it apart from the crowd of commodity stealers is less what it collects than the way it’s built: client-side AES-GCM encryption of collected files, and an emphasis on analysis resistance through control-flow flattening, encrypted strings, and layered anti-debugging.”