1Password and Apple: New macOS Stealer Mimics Apple’s Crash Report Framework to Steal Browser Credentials

1Password and Apple: New macOS Stealer Mimics Apple’s Crash Report Framework to Steal Browser Credentials

CrashStealer: Sophisticated macOS Infostealer Mimics Apple Utilities to Steal Credentials and Crypto Wallets

In early May 2026, cybersecurity firm Jamf identified a suspicious macOS infostealer on VirusTotal, initially appearing as a work-in-progress. By July, the malware dubbed CrashStealer had evolved into an actively deployed threat, designed to harvest browser credentials, cryptocurrency wallets, password manager data, and Keychain contents before encrypting and exfiltrating the stolen information to a remote command-and-control (C2) server.

Unlike typical macOS stealers built on AppleScript or Objective-C, CrashStealer is written in native C++, leveraging an internal class called MacOSData for efficiency and stealth. Its development marks a shift toward more professionalized macOS malware, aligning with trends observed in threats like Atomic (AMOS), MacSync, and Phexia though with distinct technical advancements.

Infection Chain and Evasion Tactics

CrashStealer spreads via a signed disk image ("Werkbit Setup"), a rarity in malicious DMG campaigns, which includes a notarized application bundle to bypass Gatekeeper. Upon execution, the dropper fetches an obfuscated shell script from GitHub, decodes multiple Base64 layers, and deploys the payload disguised as "CrashReporter.app" complete with Apple’s bundle identifier and icon.

Once active, the malware:

  • Validates the victim’s login password via dscl
  • Unlocks the Keychain and profiles installed security tools
  • Targets Chromium-based browsers (Chrome, Brave, Edge, etc.) and Firefox for stored credentials
  • Steals data from ~80 cryptocurrency wallet extensions (Ethereum, Solana, Cosmos, TON, etc.)
  • Exfiltrates data from 14 password managers, including 1Password, Bitwarden, and LastPass
  • Conducts file-system reconnaissance in Documents and Downloads

Advanced Tradecraft

CrashStealer employs AES-256-GCM encryption via Apple’s CommonCrypto framework to secure stolen data before exfiltration over libcurl, a level of operational security uncommon in commodity macOS malware. Additional anti-analysis measures include control-flow flattening and anti-debugging checks, reflecting a broader trend of macOS threats adopting Windows-level sophistication.

For persistence, the malware re-signs itself and installs a LaunchAgent (com.apple.crashreporter.helper), further impersonating Apple’s legitimate utilities.

Broader Campaign Indicators

Jamf linked CrashStealer to a live operator panel and additional infrastructure domains, suggesting it is part of a multi-platform operation rather than an isolated tool. This discovery underscores the rapid maturation of macOS infostealers, with detection volumes and technical complexity rising sharply since 2025.

Source: https://cybersecuritynews.com/macos-stealer-mimics-apples-crash-report/

AppleInsider cybersecurity rating report: https://www.rankiteo.com/company/appleinsider

1Password cybersecurity rating report: https://www.rankiteo.com/company/1password

"id": "APP1PA1783967437",
"linkid": "appleinsider, 1password",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'location': 'Global',
                        'type': 'Individual users, cryptocurrency holders, '
                                'enterprises using macOS'}],
 'attack_vector': 'Malicious disk image (DMG) with signed and notarized '
                  'application bundle',
 'data_breach': {'data_encryption': 'AES-256-GCM (for exfiltrated data)',
                 'data_exfiltration': 'Yes (to remote C2 server)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Browser credentials',
                                              'Cryptocurrency wallets',
                                              'Password manager data',
                                              'Keychain contents',
                                              'Personally identifiable '
                                              'information']},
 'date_detected': '2026-05',
 'date_publicly_disclosed': '2026-07',
 'description': 'In early May 2026, cybersecurity firm Jamf identified a '
                'suspicious macOS infostealer on VirusTotal, initially '
                'appearing as a work-in-progress. By July 2026, the malware '
                'dubbed CrashStealer had evolved into an actively deployed '
                'threat, designed to harvest browser credentials, '
                'cryptocurrency wallets, password manager data, and Keychain '
                'contents before encrypting and exfiltrating the stolen '
                'information to a remote command-and-control (C2) server. '
                'Unlike typical macOS stealers built on AppleScript or '
                'Objective-C, CrashStealer is written in native C++ and '
                'leverages an internal class called MacOSData for efficiency '
                'and stealth. Its development marks a shift toward more '
                'professionalized macOS malware, aligning with trends observed '
                'in threats like Atomic (AMOS), MacSync, and Phexia.',
 'impact': {'data_compromised': 'Browser credentials, cryptocurrency wallets, '
                                'password manager data, Keychain contents, '
                                'personally identifiable information',
            'identity_theft_risk': 'High',
            'payment_information_risk': 'High (cryptocurrency wallets)',
            'systems_affected': 'macOS systems'},
 'initial_access_broker': {'entry_point': 'Malicious disk image (DMG) with '
                                          'signed and notarized application '
                                          'bundle'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The rapid maturation of macOS infostealers, with '
                    'increasing detection volumes and technical complexity, '
                    'highlights the need for enhanced macOS security measures '
                    'and monitoring.',
 'motivation': 'Financial gain (credential and cryptocurrency theft)',
 'post_incident_analysis': {'corrective_actions': ['Improve macOS security '
                                                   'policies to detect and '
                                                   'block signed malicious '
                                                   'applications',
                                                   'Enhance threat '
                                                   'intelligence sharing for '
                                                   'macOS-specific threats',
                                                   'Develop advanced detection '
                                                   'mechanisms for C++-based '
                                                   'malware and anti-analysis '
                                                   'techniques'],
                            'root_causes': 'Lack of user awareness, '
                                           'exploitation of macOS Gatekeeper '
                                           'bypass via signed and notarized '
                                           'malicious applications, advanced '
                                           'malware development techniques '
                                           '(C++, AES-256 encryption, '
                                           'anti-debugging)'},
 'recommendations': ['Enhance macOS security monitoring and detection '
                     'capabilities',
                     'Educate users on the risks of downloading and executing '
                     'unsigned or suspicious applications',
                     'Implement multi-factor authentication for sensitive '
                     'accounts and wallets',
                     'Regularly audit and update security tools to detect '
                     'advanced threats like CrashStealer'],
 'references': [{'date_accessed': '2026-07', 'source': 'Jamf'}],
 'response': {'third_party_assistance': 'Jamf (cybersecurity firm)'},
 'title': 'CrashStealer: Sophisticated macOS Infostealer Mimics Apple '
          'Utilities to Steal Credentials and Crypto Wallets',
 'type': 'Infostealer'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.