Skip to main content
TechnologyJul 14, 2026· 4 min read

Signed and notarized by Apple, CrashStealer empties Macs bypassing Gatekeeper

In the early days of July, Jamf's Threat Labs began detecting a macOS infostealer in real attacks that they had been monitoring since May, when the sample first appeared on VirusTotal and still seemed to be under development. They named it CrashStealer, and it stands out from the mass of commodity infostealers by how it arrives on the Mac: through an installer regularly signed and notarized by Apple, which bypasses Gatekeeper without the slightest notice.

The first stage presents itself as Werkbit Setup, a disk image that pretends to install a meeting and collaboration app. The executable, called veltod, carries a valid Developer ID registered to Emil Grigorov and an attached notarization ticket; even the DMG is signed, a rare step in malicious distribution where the container usually remains unsigned. The download is hosted on werkbit.io, a domain registered at the end of June 2026, and is protected by a meeting PIN: the installer is served only to those arriving with the correct code, not to any random visitor or automatic scanners.

Once the package is opened, veltod contacts a GitHub repository (mgothiclove/pkeys) and retrieves a configuration file with the command to be executed via curl. From there, it downloads an obfuscated script from endpoint-api-v1.com, which in turn fetches the actual payload, CrashReporter.dmg, saves it in /tmp, remounts it in a hidden folder, removes the original signature, and re-signs it ad-hoc before launching it. Hosting the first jump on a trusted domain for developers like GitHub helps keep the initial network activity under the radar.

A fake CrashReporter asking for the password

The payload disguises itself as an Apple system component: bundle identifier com.apple.crashreporter, mimicking the icon and name of macOS's CrashReporter. Unlike the notarized dropper, however, it only carries an ad-hoc signature and is executed from a hidden directory under /private/tmp. Since crash reporting tools are already included in macOS, an externally downloaded CrashReporter.dmg is a suspicious signal in itself.

At startup, the malware displays a macOS-style password prompt, presenting it as a legitimate system authorization. The credential entered is validated locally with dscl, Apple’s Directory Service command: if it’s incorrect, the prompt reappears; if it’s correct, it unlocks the login keychain, the encrypted vault that holds Safari logins, Wi-Fi passwords, private keys, and certificates. Full disk access is requested with a rationale shown in the permission texts, presenting it as necessary "for system administration": a formulation designed to make an altogether dubious request appear ordinary.

From there, the collection expands.

Jamf found code targeting Chromium family browsers and Firefox (profiles, cookies, saved credentials, extension data), about 80 cryptocurrency wallet extensions such as MetaMask, Phantom, Coinbase, Trust Wallet, Rabby, Exodus, and Solflare, and 14 password managers, including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, and NordPass. A separate component scours Documents and Downloads for valuable material, deliberately skipping media files, installers, and system folders to contain the size of the archive.

Encryption of the loot and return at every login

Before exfiltration, CrashStealer encrypts the collected files in AES-256-GCM, packages them into hidden ZIP archives, and uploads them to the command and control (C2) server via libcurl. This is an unusual choice for operations of this type and, together with the native C++ implementation, is what Jamf believes sets it apart from similarly targeted families like Atomic (AMOS), MacSync, and Phexia. In older builds, the C2 address (179.43.166.242) was written in plain text in the Info.plist via an App Transport Security exception; in more recent samples, the exception has vanished, consistent with a project maturing from development to production.

Persistence is the inevitable final step: the malware copies itself under ~/Library/Caches, re-signs itself, and installs a LaunchAgent (com.apple.crashreporter.helper) that restarts it at every login. The re-signing rewrites the signature data in the binary, changing the file's hash while leaving the code intact, a detail that foils detections based on a single known hash.

After Jamf reported the Team ID, Apple revoked the signing credentials associated with the malicious app. The lookalike domains for meeting apps identified by researchers, along with a Windows installer found alongside the Mac version, indicate that CrashStealer is a piece of a broader multi-platform campaign.

This case confirms that a valid signature, notarization, and a clean Gatekeeper pass do not guarantee that software is safe. An externally downloaded CrashReporter should be treated as suspicious, given that crash reporting utilities are already included in macOS, and any unexpected meeting download should be verified with the sender. Those who launched the app and entered the password must consider the Mac compromised.