Cybersecurity researchers have identified a new macOS malware strain called CrashStealer that uses deceptive tactics to steal sensitive user data. The malware reaches victims through a signed and Apple-notarized meeting application before installing a fake system utility that mimics Apple’s crash-reporting software.
Researchers at Jamf Threat Labs first detected the malware in early May. They later linked it to a notarized application called Werkbit, which attackers used as the first stage of the infection. Although the app passed Apple’s Gatekeeper security checks, Apple revoked its developer credentials after receiving Jamf’s findings.

Fake Apple Tool Tricks Users
CrashStealer does not infect Macs automatically. Instead, victims must download the fake meeting app, launch it, and enter their Mac password when prompted. The malware then installs a counterfeit application called CrashReporter, designed to resemble a genuine macOS component.
The fake password window closely matches Apple’s authorization prompt. However, it secretly captures the user’s password instead of requesting legitimate system access. After verifying the password locally, the malware unlocks the Mac’s login keychain and begins collecting sensitive information.
Wide Range of Data at Risk
CrashStealer targets far more than passwords. It searches popular browsers for saved logins, cookies, browsing profiles, and extension data. Additionally, it looks for cryptocurrency wallet extensions and password managers such as 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, and NordPass. The malware also scans user folders for valuable documents before encrypting stolen files into hidden archives.
Researchers also discovered Windows versions of the malware campaign. Consequently, they believe the attackers operate a broader cross-platform operation instead of focusing only on Mac users.
How Users Can Stay Protected
Jamf advises Mac users to avoid unexpected downloads named CrashReporter.dmg because Apple’s crash-reporting tools already come with macOS. Furthermore, users should verify invitations to unfamiliar meeting apps, even if the software appears signed or notarized by Apple.
If someone enters a password into the fake prompt, experts recommend disconnecting the Mac from the internet immediately. Users should then change important passwords, review Apple Account security, revoke active sessions, inspect Full Disk Access permissions, and reinstall macOS if necessary. Researchers warn that deleting the downloaded file alone will not remove the infection because CrashStealer installs persistent background components that automatically restart after login.











