securityaffairs.com 7/14/2026, 8:31:43 AM · external

CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper

CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper
CyberSIXT Evidence Panel
Primary Source jamf.com

CRASHSTEALER is a new macOS infostealer identified by Jamf Threat Labs, first detected in May 2026 and observed in active deployment by July. The malware cleverly uses a signed application named Werkbit.app, which bypasses Apple's Gatekeeper security. Upon installation, it connects to a GitHub repository and executes a Base64-encoded shell script that downloads and runs the CrashStealer payload.

The infostealer targets various browsers and cryptocurrency wallets, collecting user credentials and data, which it encrypts using AES-256-GCM before transmitting. CrashStealer implements anti-analysis techniques and establishes persistence by installing a LaunchAgent. It showcases advanced evasion strategies, including using a valid Developer ID for its dropper application.

View Primary Source Via securityaffairs.com

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline