Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CrashStealer: C++ macOS Infostealer Posing as Crash Reporter

0
Medium
Published: 07/14/2026 (07/14/2026, 07:59:28 UTC)
Source: AlienVault OTX General

Description

CrashStealer is a macOS infostealer malware written in native C++ that impersonates Apple's crash-reporting framework to steal sensitive user data. It is distributed via a signed and notarized dropper application that bypasses Gatekeeper protections. The malware locally validates victim passwords, unlocks the login keychain, and collects browser credentials, cryptocurrency wallet extensions, password manager data, and keychain contents. Data is encrypted with AES-GCM, packaged into hidden ZIP archives, and exfiltrated to a command-and-control server. Persistence is achieved by copying itself to a hidden directory and installing a LaunchAgent. The malware uses anti-analysis techniques including control-flow flattening, encrypted strings, and anti-debugging. Initial staging uses GitHub, and the campaign employs fake collaboration software domains as lures.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/14/2026, 10:04:00 UTC

Technical Analysis

CrashStealer is a newly identified macOS infostealer implemented in native C++. It masquerades as Apple's crash-reporting framework to harvest sensitive information from infected systems. The malware is delivered through a signed and notarized dropper application, allowing it to bypass macOS Gatekeeper security. Once executed, it validates user passwords locally using dscl, unlocks the login keychain, and collects a variety of sensitive data including browser credentials, cryptocurrency wallet extensions, password manager data, and keychain material. The stolen data is encrypted using AES-GCM and stored in hidden ZIP archives before being exfiltrated to a remote command-and-control server. To maintain persistence, CrashStealer copies itself to a hidden directory and installs a LaunchAgent. It employs advanced evasion techniques such as control-flow flattening, encrypted strings, and anti-debugging to resist reverse engineering and analysis. The campaign uses GitHub for initial payload staging and multiple fake collaboration software domains as social engineering lures.

Potential Impact

The malware compromises user confidentiality by stealing sensitive credentials and keychain data, including browser passwords, cryptocurrency wallet extensions, and password manager information. This can lead to unauthorized access to user accounts, financial theft, and further compromise of the victim's environment. The use of a signed and notarized dropper allows the malware to bypass macOS Gatekeeper protections, increasing the likelihood of successful infection. Persistence mechanisms enable long-term access to compromised systems.

Mitigation Recommendations

No official patch or remediation is indicated in the available data. Since the malware uses a signed and notarized dropper to bypass Gatekeeper, users should exercise caution when installing software, even if signed. Employ endpoint protection solutions capable of detecting malicious behavior and monitor for suspicious LaunchAgent installations and hidden directories. Restrict use of administrative privileges and consider using multi-factor authentication to protect sensitive accounts. Review and revoke any suspicious access or credentials if compromise is suspected. Check vendor advisories and security community updates for any emerging detection or removal tools.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.jamf.com/blog/crashstealer-macos-infostealer-analysis/"]
Adversary
null
Pulse Id
6a55ec60c2d64907df771c4c
Threat Score
null

Indicators of Compromise

Domain

ValueDescriptionCopy
domaincohezo.com
domainwerknova.co
domainendpoint-api-v1.com
domainwerkbit.io
domaincohezo.io
domaincollabox.uk
domaincordinex.io
domainicky-lyrical.com

Url

ValueDescriptionCopy
urlhttps://endpoint-api-v1.com/login
urlhttp://endpoint-api-v1.com/d/f1b24e/download
urlhttps://cohezo.com/calendar/0f4df3a7-5914-4245-a616-311ca554ee0c
urlhttps://cohezo.io/download?invite=OX-3SEY-64KI
urlhttps://collabox.uk/calendar/1cdf0e32-9ba0-4be5-8823-39a2e6364a20
urlhttps://cordinex.io/download?invite=MZ-AB95-QD50
urlhttps://endpoint-api-v1.com/d/f1b24e
urlhttps://icky-lyrical.com
urlhttps://icky-lyrical.com/api/download?access_code=
urlhttps://icky-lyrical.com/storage/secure/Cohezo/windows/small/69cf7d0ea7cfd/cohezo_setup.msi
urlhttps://icky-lyrical.com/storage/secure/werkbit/mac
urlhttps://werkbit.io
urlhttps://werknova.co/calendar/90f99c64-9fcc-451c-bae1-0b095c04e5c8

Hash

ValueDescriptionCopy
hashed33a3c8d9e861515623a73b27ea4913
hash8063358813c37992cfe3fcd92038a0334c14353d
hash08801f81960cd8c1077b4aa2e8124840d56a272842fdcc73263c9968e787e0bd
hash09bd60ce11ee4324e2052a439a08676e31aac787edda3f9bd02325390b5db2d2
hash3a9d703ba7f7564399365db7ab8b04238806ef7a53df0b6822f32b80bf0f5a80
hash4ed199e27a4dc193468569b221b19180e5ae95cab8df84d92e082b68d33672f5
hash5bb675af9c403896d5f31611cf42304cf482d16f6f3ab6a868a9aa853aa5c179
hash81ef05cc4d07cd22cd7cd7099f278dd9b9a3ae8ad4770b3d387892e1c6cfb7d7
hash88334ea00ff94a366cd2a9283a508b97c269839894fddfe91913f3d92e95b6ab
hasha1966a6d6f54a025f30d55571d21d6537977ca73ffa734c13494b9c806cd7007
hashf3857c0b84a24b7fc912d55f8b14c67c23d5837b1a6932164d5d62273d4affeb
hashfba5bbe87fa351eedf2f3c16653cc9e4196d73604529bb50a609e2d3ebf1828b

Threat ID: 6a5605be68715ace4340f419

Added to database: 07/14/2026, 09:47:42 UTC

Last enriched: 07/14/2026, 10:04:00 UTC

Last updated: 07/15/2026, 02:52:44 UTC

Views: 36

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses