CrashStealer: C++ macOS Infostealer Posing as Crash Reporter
CrashStealer is a macOS infostealer malware written in native C++ that impersonates Apple's crash-reporting framework to steal sensitive user data. It is distributed via a signed and notarized dropper application that bypasses Gatekeeper protections. The malware locally validates victim passwords, unlocks the login keychain, and collects browser credentials, cryptocurrency wallet extensions, password manager data, and keychain contents. Data is encrypted with AES-GCM, packaged into hidden ZIP archives, and exfiltrated to a command-and-control server. Persistence is achieved by copying itself to a hidden directory and installing a LaunchAgent. The malware uses anti-analysis techniques including control-flow flattening, encrypted strings, and anti-debugging. Initial staging uses GitHub, and the campaign employs fake collaboration software domains as lures.
AI Analysis
Technical Summary
CrashStealer is a newly identified macOS infostealer implemented in native C++. It masquerades as Apple's crash-reporting framework to harvest sensitive information from infected systems. The malware is delivered through a signed and notarized dropper application, allowing it to bypass macOS Gatekeeper security. Once executed, it validates user passwords locally using dscl, unlocks the login keychain, and collects a variety of sensitive data including browser credentials, cryptocurrency wallet extensions, password manager data, and keychain material. The stolen data is encrypted using AES-GCM and stored in hidden ZIP archives before being exfiltrated to a remote command-and-control server. To maintain persistence, CrashStealer copies itself to a hidden directory and installs a LaunchAgent. It employs advanced evasion techniques such as control-flow flattening, encrypted strings, and anti-debugging to resist reverse engineering and analysis. The campaign uses GitHub for initial payload staging and multiple fake collaboration software domains as social engineering lures.
Potential Impact
The malware compromises user confidentiality by stealing sensitive credentials and keychain data, including browser passwords, cryptocurrency wallet extensions, and password manager information. This can lead to unauthorized access to user accounts, financial theft, and further compromise of the victim's environment. The use of a signed and notarized dropper allows the malware to bypass macOS Gatekeeper protections, increasing the likelihood of successful infection. Persistence mechanisms enable long-term access to compromised systems.
Mitigation Recommendations
No official patch or remediation is indicated in the available data. Since the malware uses a signed and notarized dropper to bypass Gatekeeper, users should exercise caution when installing software, even if signed. Employ endpoint protection solutions capable of detecting malicious behavior and monitor for suspicious LaunchAgent installations and hidden directories. Restrict use of administrative privileges and consider using multi-factor authentication to protect sensitive accounts. Review and revoke any suspicious access or credentials if compromise is suspected. Check vendor advisories and security community updates for any emerging detection or removal tools.
Indicators of Compromise
- domain: cohezo.com
- domain: werknova.co
- domain: endpoint-api-v1.com
- url: https://endpoint-api-v1.com/login
- domain: werkbit.io
- hash: ed33a3c8d9e861515623a73b27ea4913
- hash: 8063358813c37992cfe3fcd92038a0334c14353d
- hash: 08801f81960cd8c1077b4aa2e8124840d56a272842fdcc73263c9968e787e0bd
- hash: 09bd60ce11ee4324e2052a439a08676e31aac787edda3f9bd02325390b5db2d2
- hash: 3a9d703ba7f7564399365db7ab8b04238806ef7a53df0b6822f32b80bf0f5a80
- hash: 4ed199e27a4dc193468569b221b19180e5ae95cab8df84d92e082b68d33672f5
- hash: 5bb675af9c403896d5f31611cf42304cf482d16f6f3ab6a868a9aa853aa5c179
- hash: 81ef05cc4d07cd22cd7cd7099f278dd9b9a3ae8ad4770b3d387892e1c6cfb7d7
- hash: 88334ea00ff94a366cd2a9283a508b97c269839894fddfe91913f3d92e95b6ab
- hash: a1966a6d6f54a025f30d55571d21d6537977ca73ffa734c13494b9c806cd7007
- hash: f3857c0b84a24b7fc912d55f8b14c67c23d5837b1a6932164d5d62273d4affeb
- hash: fba5bbe87fa351eedf2f3c16653cc9e4196d73604529bb50a609e2d3ebf1828b
- url: http://endpoint-api-v1.com/d/f1b24e/download
- url: https://cohezo.com/calendar/0f4df3a7-5914-4245-a616-311ca554ee0c
- url: https://cohezo.io/download?invite=OX-3SEY-64KI
- url: https://collabox.uk/calendar/1cdf0e32-9ba0-4be5-8823-39a2e6364a20
- url: https://cordinex.io/download?invite=MZ-AB95-QD50
- url: https://endpoint-api-v1.com/d/f1b24e
- url: https://icky-lyrical.com
- url: https://icky-lyrical.com/api/download?access_code=
- url: https://icky-lyrical.com/storage/secure/Cohezo/windows/small/69cf7d0ea7cfd/cohezo_setup.msi
- url: https://icky-lyrical.com/storage/secure/werkbit/mac
- url: https://werkbit.io
- url: https://werknova.co/calendar/90f99c64-9fcc-451c-bae1-0b095c04e5c8
- domain: cohezo.io
- domain: collabox.uk
- domain: cordinex.io
- domain: icky-lyrical.com
CrashStealer: C++ macOS Infostealer Posing as Crash Reporter
Description
CrashStealer is a macOS infostealer malware written in native C++ that impersonates Apple's crash-reporting framework to steal sensitive user data. It is distributed via a signed and notarized dropper application that bypasses Gatekeeper protections. The malware locally validates victim passwords, unlocks the login keychain, and collects browser credentials, cryptocurrency wallet extensions, password manager data, and keychain contents. Data is encrypted with AES-GCM, packaged into hidden ZIP archives, and exfiltrated to a command-and-control server. Persistence is achieved by copying itself to a hidden directory and installing a LaunchAgent. The malware uses anti-analysis techniques including control-flow flattening, encrypted strings, and anti-debugging. Initial staging uses GitHub, and the campaign employs fake collaboration software domains as lures.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CrashStealer is a newly identified macOS infostealer implemented in native C++. It masquerades as Apple's crash-reporting framework to harvest sensitive information from infected systems. The malware is delivered through a signed and notarized dropper application, allowing it to bypass macOS Gatekeeper security. Once executed, it validates user passwords locally using dscl, unlocks the login keychain, and collects a variety of sensitive data including browser credentials, cryptocurrency wallet extensions, password manager data, and keychain material. The stolen data is encrypted using AES-GCM and stored in hidden ZIP archives before being exfiltrated to a remote command-and-control server. To maintain persistence, CrashStealer copies itself to a hidden directory and installs a LaunchAgent. It employs advanced evasion techniques such as control-flow flattening, encrypted strings, and anti-debugging to resist reverse engineering and analysis. The campaign uses GitHub for initial payload staging and multiple fake collaboration software domains as social engineering lures.
Potential Impact
The malware compromises user confidentiality by stealing sensitive credentials and keychain data, including browser passwords, cryptocurrency wallet extensions, and password manager information. This can lead to unauthorized access to user accounts, financial theft, and further compromise of the victim's environment. The use of a signed and notarized dropper allows the malware to bypass macOS Gatekeeper protections, increasing the likelihood of successful infection. Persistence mechanisms enable long-term access to compromised systems.
Mitigation Recommendations
No official patch or remediation is indicated in the available data. Since the malware uses a signed and notarized dropper to bypass Gatekeeper, users should exercise caution when installing software, even if signed. Employ endpoint protection solutions capable of detecting malicious behavior and monitor for suspicious LaunchAgent installations and hidden directories. Restrict use of administrative privileges and consider using multi-factor authentication to protect sensitive accounts. Review and revoke any suspicious access or credentials if compromise is suspected. Check vendor advisories and security community updates for any emerging detection or removal tools.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.jamf.com/blog/crashstealer-macos-infostealer-analysis/"]
- Adversary
- null
- Pulse Id
- 6a55ec60c2d64907df771c4c
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domaincohezo.com | — | |
domainwerknova.co | — | |
domainendpoint-api-v1.com | — | |
domainwerkbit.io | — | |
domaincohezo.io | — | |
domaincollabox.uk | — | |
domaincordinex.io | — | |
domainicky-lyrical.com | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://endpoint-api-v1.com/login | — | |
urlhttp://endpoint-api-v1.com/d/f1b24e/download | — | |
urlhttps://cohezo.com/calendar/0f4df3a7-5914-4245-a616-311ca554ee0c | — | |
urlhttps://cohezo.io/download?invite=OX-3SEY-64KI | — | |
urlhttps://collabox.uk/calendar/1cdf0e32-9ba0-4be5-8823-39a2e6364a20 | — | |
urlhttps://cordinex.io/download?invite=MZ-AB95-QD50 | — | |
urlhttps://endpoint-api-v1.com/d/f1b24e | — | |
urlhttps://icky-lyrical.com | — | |
urlhttps://icky-lyrical.com/api/download?access_code= | — | |
urlhttps://icky-lyrical.com/storage/secure/Cohezo/windows/small/69cf7d0ea7cfd/cohezo_setup.msi | — | |
urlhttps://icky-lyrical.com/storage/secure/werkbit/mac | — | |
urlhttps://werkbit.io | — | |
urlhttps://werknova.co/calendar/90f99c64-9fcc-451c-bae1-0b095c04e5c8 | — |
Hash
| Value | Description | Copy |
|---|---|---|
hashed33a3c8d9e861515623a73b27ea4913 | — | |
hash8063358813c37992cfe3fcd92038a0334c14353d | — | |
hash08801f81960cd8c1077b4aa2e8124840d56a272842fdcc73263c9968e787e0bd | — | |
hash09bd60ce11ee4324e2052a439a08676e31aac787edda3f9bd02325390b5db2d2 | — | |
hash3a9d703ba7f7564399365db7ab8b04238806ef7a53df0b6822f32b80bf0f5a80 | — | |
hash4ed199e27a4dc193468569b221b19180e5ae95cab8df84d92e082b68d33672f5 | — | |
hash5bb675af9c403896d5f31611cf42304cf482d16f6f3ab6a868a9aa853aa5c179 | — | |
hash81ef05cc4d07cd22cd7cd7099f278dd9b9a3ae8ad4770b3d387892e1c6cfb7d7 | — | |
hash88334ea00ff94a366cd2a9283a508b97c269839894fddfe91913f3d92e95b6ab | — | |
hasha1966a6d6f54a025f30d55571d21d6537977ca73ffa734c13494b9c806cd7007 | — | |
hashf3857c0b84a24b7fc912d55f8b14c67c23d5837b1a6932164d5d62273d4affeb | — | |
hashfba5bbe87fa351eedf2f3c16653cc9e4196d73604529bb50a609e2d3ebf1828b | — |
Threat ID: 6a5605be68715ace4340f419
Added to database: 07/14/2026, 09:47:42 UTC
Last enriched: 07/14/2026, 10:04:00 UTC
Last updated: 07/15/2026, 02:52:44 UTC
Views: 36
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.