{"id":14280,"date":"2026-07-14T10:03:48","date_gmt":"2026-07-14T10:03:48","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/14\/new-macos-stealer-mimics-apples-crash-report-framework-to-steal-browser-credentials\/"},"modified":"2026-07-14T10:03:48","modified_gmt":"2026-07-14T10:03:48","slug":"new-macos-stealer-mimics-apples-crash-report-framework-to-steal-browser-credentials","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/14\/new-macos-stealer-mimics-apples-crash-report-framework-to-steal-browser-credentials\/","title":{"rendered":"New macOS Stealer Mimics Apple\u2019s Crash Report Framework to Steal Browser Credentials"},"content":{"rendered":"<p>    New macOS Stealer Mimics Apple\u2019s Crash Report Framework to Steal Browser Credentials<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">CrashStealer, a native C++ macOS infostealer that disguises itself as Apple\u2019s built-in crash-reporting utility to harvest browser credentials, cryptocurrency wallets, password manager data, and keychain contents before encrypting and exfiltrating everything to a remote command-and-control server.<\/p>\n<p class=\"wp-block-paragraph\">Jamf first spotted a suspicious sample on VirusTotal in early May 2026 that appeared to be an infostealer still under construction. By early July, in-the-wild detections confirmed the malware had matured into active deployment, prompting researchers to formally track it as CrashStealer.<\/p>\n<p class=\"wp-block-paragraph\">Unlike commodity macOS stealers typically built on AppleScript droppers or thin Objective-C wrappers, CrashStealer is written entirely in native C++ around an internal class called MacOSData, setting it apart from families like <a href=\"https:\/\/cybersecuritynews.com\/hackers-use-fake-tradingview-premium-posts\/\" target=\"_blank\" rel=\"noreferrer noopener\">Atomic (AMOS)<\/a>, MacSync, and Phexia despite overlapping objectives.<\/p>\n<p class=\"wp-block-paragraph\">Initial access begins with a disk image named \u201cWerkbit Setup,\u201d containing an application bundle signed with a legitimate Developer ID and a stapled notarization ticket allowing it to clear Gatekeeper on first launch.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgqWRp74qRcxOOOzQkrxFE2FtKL9DAyqPKPhGY_VKDACo2STKettDdowuC986o5l4CMLlF-EAKh4hpZO8jgET5itZKklvM-AKhTSowUVOUGH0dkm9yz6E6xwlkBPoh8e-SvHxhyjr0a6HOHJ1jzURM_02QM0JhMQCCNN19kRQp7OH7iMJINVhNbwTKIDimD\/w640-h524\/jtl-signed-dropper.webp?ssl=1\" alt=\"macOS Stealer Mimics Apple's Crash Report\"><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">This is unusual: even the disk image container itself is signed, a rare touch in malicious DMG campaigns. Once opened, the dropper quietly retrieves an obfuscated shell script from GitHub-hosted infrastructure, decodes multiple layers of Base64-encoded commands, and downloads the actual payload disguised as \u201cCrashReporter.app\u201d complete with Apple\u2019s bundle identifier <code>com.apple.crashreporter<\/code> and a matching icon.<\/p>\n<p class=\"wp-block-paragraph\">Once running, CrashStealer validates the victim\u2019s login password locally via <code>dscl<\/code>, unlocks the keychain, and profiles installed security tools before beginning collection. Its scope is extensive:<\/p>\n<ul class=\"wp-block-list\">\n<li>Chromium-family browsers (Chrome, Brave, Edge, Opera, Vivaldi) and Firefox credential stores<\/li>\n<li>Roughly 80 cryptocurrency wallet extensions spanning Ethereum, Solana, Cosmos, TON, and other ecosystems<\/li>\n<li>14 password managers including 1Password, Bitwarden, and LastPass<\/li>\n<li>The user\u2019s login keychain and broader file-system reconnaissance of Documents and Downloads<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">This breadth mirrors patterns seen across the modern macOS stealer landscape, where crypto-focused credential theft has become a dominant objective.<\/p>\n<p class=\"wp-block-paragraph\">What distinguishes CrashStealer technically is its use of client-side AES-256-GCM encryption via Apple\u2019s CommonCrypto framework to encrypt staged data before packaging it into ZIP archives and exfiltrating it over libcurl, a level of operational security not typically seen in commodity AppleScript-based stealers.<\/p>\n<p class=\"wp-block-paragraph\">This encryption-first approach, paired with anti-analysis measures like control-flow flattening and layered anti-debugging checks, reflects a broader trend of <a href=\"https:\/\/cybersecuritynews.com\/gaslight-macos-malware-uses-prompt-injection\/\" target=\"_blank\" rel=\"noreferrer noopener\">macOS malware families<\/a> professionalizing their tradecraft, a shift researchers across the industry have flagged as macOS threats evolve from opportunistic scripts into structured, business-like operations.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi-pIKAOY5KyPbKVJipPbm7XHeW6OhLD2bvOO6Z_k-QJr1uUC1K3tASKck3yE71NTI11ZOnSYngRy5dpAKMidjw8Jy8S2h9p47afMfziW19ucn28iecMMDWDNA79qIBH7SwiNCE4w841feoDpJZ-4nf3Dhvep3K-K_qqlfnkrqfq3FcR1ayTCd-Q1Miijho\/w640-h360\/Crash%2520reporter.webp?ssl=1\" alt=\"macOS Stealer Mimics Apple's Crash Report\"><\/figure>\n<p class=\"wp-block-paragraph\">For persistence, CrashStealer copies and re-signs itself ad hoc, then installs a LaunchAgent labeled <code>com.apple.crashreporter.helper<\/code> to survive reboots, continuing the Apple-impersonation theme into its persistence layer.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.jamf.com\/blog\/crashstealer-macos-infostealer-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Jamf also linked the campaign<\/a> to a live operator panel and additional infrastructure domains, suggesting CrashStealer is part of a larger, multi-platform operation rather than an isolated tool.<\/p>\n<p class=\"wp-block-paragraph\">This discovery adds to a growing body of research showing macOS infostealers rapidly closing the sophistication gap with their Windows counterparts, with detection volumes and technical complexity both climbing sharply through 2025 and into 2026.<\/p>\n<p class=\"has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 87%,rgb(169,184,195) 100%)\"><strong>\u00a0Strengthen Your SOC by Accelerating Threat Detection &amp; Rapid Investigations.\u00a0-&gt; <a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Integrate ANY.RUN With Your SOC <\/a><strong><a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Now<\/a><\/strong>.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/macos-stealer-mimics-apples-crash-report\/\">New macOS Stealer Mimics Apple\u2019s Crash Report Framework to Steal Browser Credentials<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Guru Baran<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/macos-stealer-mimics-apples-crash-report\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New macOS Stealer Mimics Apple\u2019s Crash Report Framework to Steal Browser Credentials CrashStealer, a native C++ macOS infostealer that disguises itself as Apple\u2019s built-in crash-reporting utility to harvest browser credentials, cryptocurrency wallets, password manager data, and keychain contents before encrypting and exfiltrating everything to a remote command-and-control server. Jamf first spotted a suspicious sample on [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,1495],"tags":[130],"class_list":["post-14280","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-malware-attack-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14280"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14280"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14280\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14280"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14280"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14280"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}