216.73.216.86

CrashStealer: C++ macOS Infostealer Posing as Crash Reporter

· Published 14/07/2026 09:59

Export JSON

Essential information

Published
14/07/2026 09:59
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
crashstealer infostealer macos notarized dropper
Related entities
31 indicators, 21 observables, 1 malware

Description

A newly discovered , implemented in native C++, impersonates Apple's crash-reporting framework to harvest sensitive data. The malware is distributed through a signed and notarized dropper application that bypasses Gatekeeper, then downloads and installs the payload from attacker infrastructure. The stealer validates victim passwords locally using dscl, unlocks the login keychain, and collects browser credentials, cryptocurrency wallet extensions, password manager data, and keychain material. Collected data is encrypted using AES-GCM before being packaged into hidden ZIP archives and exfiltrated to a command-and-control server. The malware establishes persistence by copying itself to a hidden directory and installing a LaunchAgent. It employs control-flow flattening, encrypted strings, and anti-debugging techniques to resist analysis. The campaign uses GitHub for initial staging and multiple fake collaboration software domains as lures.

External references