CrashStealer: C++ macOS Infostealer Posing as Crash Reporter
Essential information
- Published
- 14/07/2026 09:59
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- crashstealer infostealer macos notarized dropper
- Related entities
- 31 indicators, 21 observables, 1 malware
Description
A newly discovered macOS infostealer, implemented in native C++, impersonates Apple's crash-reporting framework to harvest sensitive data. The malware is distributed through a signed and notarized dropper application that bypasses Gatekeeper, then downloads and installs the payload from attacker infrastructure. The stealer validates victim passwords locally using dscl, unlocks the login keychain, and collects browser credentials, cryptocurrency wallet extensions, password manager data, and keychain material. Collected data is encrypted using AES-GCM before being packaged into hidden ZIP archives and exfiltrated to a command-and-control server. The malware establishes persistence by copying itself to a hidden directory and installing a LaunchAgent. It employs control-flow flattening, encrypted strings, and anti-debugging techniques to resist analysis. The campaign uses GitHub for initial staging and multiple fake collaboration software domains as lures.