Researchers have unearthed an Apple macOS malware campaign hidden behind a well-designed veneer of credibility, which uses an unexpected attack vector, namely application crash reporting.
Security vendor Jamf posted a detailed technical analysis of the CrashStealer malware that it first came across in May this year, with further samples being collected at a later stage.
CrashStealer masquerades as a collaboration app, Werkbit, which has a corporate website claiming several well-known legitimate brands as users of its software; however, the site was only registered in late June.
For the installation of CrashStealer, the attackers created a PIN-gated Werkbit.dmg disk image that users were asked to download to further add legitimacy to the process.
The Werkbit disk image is in fact a dropper with an executable, veltod, that quietly fetches a malicious payload from an attacker-controlled GitHub repository that leads to further files from other delivery points being downloaded.
Werkbit doesn't provide any collaboration or meeting functionality, and its different components are designed to slow down forensic analysis.
The attackers have gone through the trouble of registering an Apple developer account under the name "Emil Grigorov" to sign and notarise the downloaded malware, to clear the macOS Gatekeeper protection tool so as not to set off system alerts.
Apple has revoked the signing credentials associated with the malicious application after Jamf shared its findings with the tech giant's security team.
Notarisation is not equivalent to vetting the software in question in this context.
Mimics macOS built-in crash reporting tool
Jamf found the operational strings arrive as three successive layers of Base64 encoding that are decoded at runtime and cleaned up with a character filter, before the assembled script is piped straight to the shell.
That single design choice means a defender inspecting the filesystem afterwards finds no plaintext script anywhere in the chain, only Base64 noise until the moment of execution.
That decoded script stages the real payload, a file called CrashReporter.dmg, inside a hidden folder in /tmp.
CrashStealer's payload impersonates Apple's own crash-reporting component for macOS down to its bundle identifier, its icon and a LaunchAgent named com.apple.crashreporter.helper.
When it runs, CrashStealer displays a fake macOS password prompt, with explanatory text its developer wrote to make broad system access sound like routine maintenance.
The prompt checks the entered password locally against the operating system's own dscl command to verify user accounts, before accepting it, rejecting wrong guesses and asking again rather than logging an obvious failure, again to be stealthy.
A correct password unlocks the Mac's login keychain, which CrashStealer copies into a hidden staging folder alongside a targeted sweep of Documents, Downloads and similar folders, while deliberately skipping caches, logs and bulky media files to keep its haul small and quiet.
CrashStealer attempts to steal sensitive information such as browser passwords and cookies, as well as Apple Keychain data.
It also targets cryptocurrency wallets, password managers and other credentials; if successfully found, CrashStealer would follow the now-standard modus operandi of encrypting credentials before exfiltrating them.
Jamf's analysis of CrashStealer suggests a professional development approach with native macOS binaries (the malware uses the Universal format, for both Intel x86 and Apple Silicon).
The attackers are also impersonating trusted Apple components and services, and iterating malware before deployment, while honing their social engineering techniques.
Jamf also discovered five different lookalike domains to Werkbit, suggesting the attackers are setting up infrastructure for continued campaigns which include Microsoft Windows variants of the infostealer.

iTnews State of Data & AI Breakfast
Forrester's AI Forum Sydney
The 2026 iAwards
Integrate 2026
Security Exhibition & Conference



