Close Menu
    What's Hot

    Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft

    Opinion | Are Fears of American Gerontocracy Fair?

    Opinion | The Ridiculous Rise of Victor Marx

    Facebook X (Twitter) Instagram
    Trending
    • Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft
    • Opinion | Are Fears of American Gerontocracy Fair?
    • Opinion | The Ridiculous Rise of Victor Marx
    • Trump’s Cease-Fire Effectively Collapses as He Vows to Restart Blockade and Tolls
    • Opinion | The Dangerous Appeal of Cruelty
    • Satya Nadella has issued a shocking warning to companies using AI
    • Trump’s Strait of Hormuz Fee Could Double the Cost of Shipping
    • Siri AI Is Becoming Apple’s Everything Tool
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks

    adminBy adminJuly 13, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananJul 13, 2026Endpoint Security / Cybercrime

    CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks

    Cybersecurity researchers have flagged a new macOS information stealer called CrashStealer that’s capable of harvesting sensitive data from compromised systems.

    Unlike other information stealers that are built on AppleScript droppers or Objective-C-based wrappers, CrashStealer is implemented in native C++, according to Jamf Threat Labs.

    “It validates the victim’s login password locally before harvesting, collects broadly across browsers, cryptocurrency wallets, password managers, and the keychain, encrypts what it collects with AES-GCM before exfiltrating over libcurl, and persists by copying and re-signing itself,” security researcher Thijs Xhaflaire said in a report shared with The Hacker News.

    CrashStealer is said to be distributed by means of a signed and Apple-notarized dropper that’s distributed as a disk image file named “Werkbit.app.” Because both the disk image and binary are notarized and carry a valid developer ID (“Emil Grigorov (WWB7JA7AQV)”), it passes Gatekeeper checks.

    Cybersecurity

    The disk image itself originates from the domain “werkbit[.]io,” which was registered in June 2026. In an interesting twist, the download is gated behind a meeting PIN, meaning the installer is served only to those site visitors who arrive with the right code rather than everyone.

    The discovery of additional domains and shared backend infrastructure tied to the same operation points to CrashStealer being part of a larger, multi-platform campaign.

    Once mounted, the disk image presents the user with an installation setup screen that instructs them to right-click the app and choose “Open” to get them to run it. Once launched, the “veltod” executable contacts a GitHub repository (“github.com/mgothiclove”) to retrieve a file named “sys.cache.”

    The file is then used to extract a curl command and pull a shell script, which acts as a downloader to fetch and stage the next payload (“CrashReporter.dmg”) and saves it to the “/tmp” directory.

    The malware, upon execution, establishes persistence as a LaunchAgent, resists analysis, presents a password prompt and validates the entered credential locally, unlocks the login keychain using the validated password, lists installed security and analysis tooling, before proceeding to collect browser data, cryptocurrency wallet extensions, password manager data, and keychain material.

    The complete list of data harvested is below –

    • Credentials from Chromium-family browsers, including Google Chrome, Brave, Microsoft Edge, Opera and Opera GX, Vivaldi, Chromium, and Naver Whale
    • Roughly 80 cryptocurrency wallet extensions, including MetaMask, Phantom, Coinbase, Trust Wallet, Rabby, OKX Wallet, Exodus, Keplr, Solflare, and Backpack
    • 14 password managers, including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass and RoboForm
    • File from ~/Documents and ~/Downloads directories
    Cybersecurity

    The harvested data is then packaged into a ZIP archive and exfiltrated to an attacker-controlled server (“179.43.166[.]242”).

    “CrashStealer’s delivery chain shows real care: rather than a bare, unsigned lure, the operators front the attack with a signed and notarized dropper that clears Gatekeeper before quietly fetching, re-signing and launching the payload,” Jamf said.

    “What sets it apart from the commodity stealer crowd is less what it collects than how it is built: client-side AES-GCM encryption of the collected files, and an emphasis on analysis resistance through control-flow flattening, encrypted strings and layered anti-debugging.”

    checks CrashStealer Dropper Gatekeeper macOS Malware Notarized pass
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleAppeals Court Revives Lawsuits Tying Tylenol Use in Pregnancy to Autism and A.D.H.D.
    Next Article How MIT students are helping to prevent cyberattacks | MIT News
    admin
    • Website

    Related Posts

    Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft

    July 13, 2026

    Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found

    July 13, 2026

    New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email

    July 13, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft

    Opinion | Are Fears of American Gerontocracy Fair?

    Opinion | The Ridiculous Rise of Victor Marx

    Trump’s Cease-Fire Effectively Collapses as He Vows to Restart Blockade and Tolls

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by