CrashStealer macOS Malware Evades Gatekeeper Using Notarized Dropper

Jamf Threat Labs discovers new macOS stealer using signed and notarized dropper to bypass Gatekeeper protections

CSBadmin
2 Min Read

Cybersecurity researchers at Jamf Threat Labs have identified a new macOS information stealer, tracked as CrashStealer, that bypasses Apple’s Gatekeeper protections through the use of a signed and notarized dropper.

Unlike typical macOS stealers that rely on AppleScript or Objective-C wrappers, CrashStealer is written in native C++. It validates the victim’s login password locally before harvesting sensitive data, collects broadly across browsers, cryptocurrency wallets, password managers, and the system keychain, and encrypts exfiltrated data using AES-GCM before transmitting it over libcurl.

The malware is distributed as a disk image named “Werkbit.app,” which is properly signed with a valid Apple Developer ID and notarized — allowing it to pass Gatekeeper checks without triggering warnings. The dropper originates from the domain werkbit[.]io, which was registered in June 2026, and downloads are gated behind a meeting PIN to restrict access.

Once installed, CrashStealer establishes persistence as a LaunchAgent, resists analysis through control-flow flattening and encrypted strings, and proceeds to harvest credentials from Chromium-based browsers, roughly 80 cryptocurrency wallet extensions including MetaMask and Phantom, 14 password managers including 1Password and Bitwarden, and files from key system directories.

“CrashStealer’s delivery chain shows real care,” Jamf noted. “Rather than a bare, unsigned lure, the operators front the attack with a signed and notarized dropper that clears Gatekeeper before quietly fetching, re-signing and launching the payload.”

The discovery of additional domains and shared backend infrastructure suggests CrashStealer is part of a larger, multi-platform campaign. Organizations using macOS should review their endpoint detection rules for the indicators detailed in Jamf’s full analysis.

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.