CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks 12%

By Ravie Lakshmanan23%

7/13/2026, 5:36:00 PM

BS Summary: This article contains 4 faulty reasoning types, including Hasty Generalization, Confirmation Bias, and Anchoring Bias, with Negativity Bias as the most egregious example at 34.9% saturation with 178 hits. Analysis detected 269 faulty-reasoning hits from 510 analyzed words, generating a BS Score of 29.2% and a BS Rank of 12% (13,469 of 15,282 articles). This article is better (less manipulative) than 88.10% of the article peer group.

Cybersecurity researchers have flagged a new macOS information stealer called CrashStealer that's capable of harvesting sensitive data from compromised systems. 
Unlike other information stealers that are built on AppleScript droppers or Objective-C-based wrappers, CrashStealer is implemented in native C++, according to Jamf Threat Labs. 
"It validates the victim's login password locally before harvesting, collects broadly across browsers, cryptocurrency wallets, password managers, and the keychain, encrypts what it collects with AES-GCM before exfiltrating over libcurl, and persists by copying and re-signing itself," security researcher Thijs Xhaflaire said in a report shared with The Hacker News. 
CrashStealer is said to be distributed by means of a signed and Apple-notarized dropper that's distributed as a disk image file named "Werkbit.app." 
Because both the disk image and binary are notarized and carry a valid developer ID ("Emil Grigorov (WWB7JA7AQV)"), it passes Gatekeeper checks. 
The disk image itself originates from the domain "werkbit[.]io," which was registered in June 2026. 
In an interesting twist, the download is gated behind a meeting PIN, meaning the installer is served only to those site visitors who arrive with the right code rather than everyone. 
The discovery of additional domains and shared backend infrastructure tied to the same operation points to CrashStealer being part of a larger, multi-platform campaign. 
Once mounted, the disk image presents the user with an installation setup screen that instructs them to right-click the app and choose "Open" to get them to run it. 
Once launched, the "veltod" executable contacts a GitHub repository ("github.com/mgothiclove") to retrieve a file named "sys.cache." 
The file is then used to extract a curl command and pull a shell script, which acts as a downloader to fetch and stage the next payload ("CrashReporter.dmg") and saves it to the "/tmp" directory. 
The malware, upon execution, establishes persistence as a LaunchAgent, resists analysis, presents a password prompt and validates the entered credential locally, unlocks the login keychain using the validated password, lists installed security and analysis tooling, before proceeding to collect browser data, cryptocurrency wallet extensions, password manager data, and keychain material. 
The complete list of data harvested is below - 
Credentials from Chromium-family browsers, including Google Chrome, Brave, Microsoft Edge, Opera and Opera GX, Vivaldi, Chromium, and Naver Whale 
Roughly 80 cryptocurrency wallet extensions, including MetaMask, Phantom, Coinbase, Trust Wallet, Rabby, OKX Wallet, Exodus, Keplr, Solflare, and Backpack 
14 password managers, including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass and RoboForm 
File from ~/Documents and ~/Downloads directories 
The harvested data is then packaged into a ZIP archive and exfiltrated to an attacker-controlled server ("179.43.166[.] 
242"). 
"CrashStealer's delivery chain shows real care: rather than a bare, unsigned lure, the operators front the attack with a signed and notarized dropper that clears Gatekeeper before quietly fetching, re-signing and launching the payload," Jamf said. 
"What sets it apart from the commodity stealer crowd is less what it collects than how it is built: client-side AES-GCM encryption of the collected files, and an emphasis on analysis resistance through control-flow flattening, encrypted strings and layered anti-debugging." 
Confirmation Bias
4.7%
Anchoring Bias
3.7%
Availability Heuristic
0%
Representativeness Heuristic
0%
Hindsight Bias
0%
Overconfidence Bias
0%
Framing Effect
0%
Loss Aversion
0%
Status Quo Bias
0%
Sunk Cost Effect
0%
Optimism Bias
0%
Pessimism Bias
0%
Negativity Bias
34.9%
Self-Serving Bias
0%
Fundamental Attribution Error
0%
Actor-Observer Bias
0%
In-Group Bias
0%
Out-Group Homogeneity Bias
0%
Halo Effect
0%
Horn Effect
0%
Dunning-Kruger Effect
0%
Recency Bias
0%
Primacy Effect
0%
Blind-Spot Bias
0%
Ad Hominem
0%
Straw Man
0%
Appeal to Authority
0%
False Dilemma
0%
Slippery Slope
0%
Circular Reasoning
0%
Hasty Generalization
9.4%
Red Herring
0%
Bandwagon
0%
Appeal to Emotion
0%
Begging the Question
0%
Post Hoc (False Cause)
0%
Tu Quoque
0%
Burden of Proof
0%
Appeal to Nature
0%
Composition/Division
0%
Anecdotal
0%
No True Scotsman
0%
Ambiguity (Equivocation)
0%
Gambler’s Fallacy
0%
Middle Ground
0%
Personal Incredulity
0%
Special Pleading
0%
Genetic Fallacy
0%
Unattributed Quote
0%
Quote-first Misdirection
0%
Biased Writer Voice
0%
Indoctrination
0%
Politically Left Leaning Bias
0%
Politically Right Leaning Bias
0%
Attempt to Sell a Product or Service
0%

510 words analyzed.

Speakers

2speakers25%attributed speech384writer words
Voice mapSelect a segment to jump to its words
Selected voice

Jamf Threat Labs

100%flagged-word coverage
76 attributed words60% of attributed speech44% writer coverage

No manipulation-pattern hits were found in this speaker's attributed words or the writer's voice.

Attribution is sentence-level. Pattern percentages are calculated only from words assigned to that voice.

Analysis

Hover over highlighted words in the article to view the associated bias or fallacy analysis.