Home/ Blog/ Security news/ Article
Blog · Security news

Notarized by Apple, still malware: the CrashStealer Mac stealer

CrashStealer is a macOS info-stealer that Apple notarized, so Gatekeeper cleared it on launch before it drained keychains, browser logins and crypto wallets.

Embossed circular seal on a smooth container that is hollow inside

Apple's notarization is widely read as a safety verdict: if a Mac app is notarized, the thinking goes, Apple checked it and it is fine to run. That is not what notarization means, and a macOS info-stealer called CrashStealer is the clean proof. It arrives inside a disk image named Werkbit Setup, signed with a real Apple Developer ID and carrying a valid, stapled notarization ticket, so Apple's Gatekeeper check passes it on first launch without a warning. Then it empties the login keychain, browser logins, 14 password managers and more than 80 crypto wallet extensions. Nothing about the signature was forged. That is the whole problem.

Jamf Threat Labs flagged the sample from a VirusTotal upload earlier this year and published its analysis on July 13, with in-the-wild detections reported by early July, according to Security Affairs and The Hacker News. The notable part is not another stealer. It is that the operator paid for trust and got it.

What notarization actually checks

Notarization is an automated pipeline. When a developer uploads a signed app, Apple's service scans it for known malware and confirms the code signing is correct, then issues a ticket the developer staples to the app. There is no human security review, no audit of what the app does, and no judgment about intent. It answers one narrow question: does this binary match anything Apple already knows is bad? A fresh, never-seen stealer signed by a valid developer account answers that question with a clean no and sails through.

So notarization is a known-bad filter, not a trust badge. Gatekeeper enforces it, which means Gatekeeper is only as strong as that filter. CrashStealer did not defeat Gatekeeper. It satisfied it.

How CrashStealer clears the check

The dropper carries a real Apple Developer ID issued in the name Emil Grigorov (WWB7JA7AQV), plus a stapled notarization ticket, which is why it clears Gatekeeper the first time a victim opens it. As is common with abused developer certificates, that identity may have been stolen or fraudulently enrolled rather than belonging to the author. Its second-stage payload is only ad-hoc signed and would fail that check on its own, but by then the trusted front door is already open. Most Mac stealers are AppleScript wrappers driven through osascript; this one is a native C++ binary that locks up what it grabs using AES-256-GCM under Apple's own CommonCrypto. Distribution is a fake meeting client. The Werkbit.app installer hides behind a meeting PIN on the domain werkbit[.]io, stood up in June 2026, so it never lands in front of a casual scanner.

What CrashStealer grabs in one run
80+
crypto wallet extensions targeted
MetaMask, Phantom, Coinbase, Trust Wallet and more
14
password managers raided
1Password, Bitwarden, LastPass, Dashlane, KeePassXC
1
valid Apple Developer ID that cleared Gatekeeper
a real, notarized signature, not a forged one
Source: Jamf Threat Labs and Security Affairs, July 2026

The haul is wide. It reads saved logins out of Chromium browsers and Firefox, lifts the macOS login keychain, and works through the roughly 80 wallet extensions and 14 password managers shown above. The specific brands matter less than the reach: anyone who ran it should treat every secret on that machine as gone.

The genuine signature is also the fastest way to kill it

Here is the part the coverage underplays. Because the Developer ID is real and named rather than forged, Apple holds the off switch. Apple can revoke that certificate and its notarization, and once it does, Gatekeeper will refuse that exact build on any Mac that checks in. Neither Jamf nor the outlets reporting on it said Apple had revoked the signature at the time of writing, which makes reporting the certificate to Apple product security a concrete action rather than a formality. Treat a currently valid signature as not blocked yet, never as permanent trust.

Detection moves from is it signed to what is it doing

Signature-based allowlisting is exactly the control CrashStealer is built to walk past, so the hunt has to be behavioral. The highest-signal tell is a process not signed by Apple that reads the login keychain and browser credential stores. For persistence it plants a LaunchAgent inside ~/Library/LaunchAgents, giving it the file name com.apple.crashreporter.helper.plist so it reads as Apple's own crash reporter, which is how the malware earned its name. Its payloads come down from a GitHub repository, and stolen data goes out to a hardcoded address, both listed below.

Where to lookWhat CrashStealer leaves behind
LaunchAgent persistenceLaunchAgent com.apple.crashreporter.helper.plist under ~/Library/LaunchAgents, impersonating Apple's crash reporter
DeliveryDisk image Werkbit Setup carrying Werkbit.app, pulled from werkbit[.]io (domain created June 2026)
Payload pull and C2GitHub repo mgothiclove/pkeys; second stage fetched over cleartext HTTP; exfil to 179.43.166[.]242
Code signingNotarized, signed under Apple Developer ID Emil Grigorov (WWB7JA7AQV)
BehaviorA non-Apple binary reading the login keychain plus Chromium and Firefox credential stores
CrashStealer host indicators and hunt signals. Source: Jamf Threat Labs, July 2026.

One detail matters for tooling: because CrashStealer runs as native C++ rather than AppleScript, detections tuned to catch osascript abuse, the usual macOS stealer signature, will miss it. This is the kind of activity a managed detection practice is meant to catch, where the alert fires on the keychain read and the impersonating LaunchAgent, not on the signature.

Signed and trusted is the soft spot now

CrashStealer is one instance of a pattern we keep writing up: attackers buying the platform's own trust signals instead of breaking them. We saw it when a fake 7-Zip installer rented servers out as residential proxies while file scans stayed quiet, and again with a Mac backdoor built to fool the tool inspecting it. Trusted software-update channels get abused the same way, as with the plugin that shipped clean and backdoored sites through its paid update. The common thread is that trusted by the platform is where most defenses stop looking, so that is where the payload now hides. A signed and notarized macOS binary that steals wallets is that thread reaching Apple's gate.

Report the certificate, then hunt for keychain reads

If you run Macs, do three things this week. Block werkbit[.]io and the listed indicators, and pull any host that ran Werkbit.app for review. Alert on new LaunchAgents that borrow an Apple bundle identifier and on non-Apple processes touching the login keychain. Report the Emil Grigorov (WWB7JA7AQV) certificate to Apple so the notarization can be revoked. Then rotate every credential and wallet seed for any machine that opened the app, because by the time you are reading the logs, the data is already gone.

Topics

Frequently asked questions

What is CrashStealer?

CrashStealer is a macOS info-stealer detailed by Jamf Threat Labs in July 2026. It poses as a meeting app called Werkbit and steals the login keychain, browser passwords, 14 password managers and more than 80 cryptocurrency wallet extensions from the Mac it runs on.

How did CrashStealer get past Apple's Gatekeeper?

Its dropper carries a genuine Apple Developer ID and a valid, stapled notarization ticket, so Gatekeeper clears it on first launch. Nothing was forged. The malware satisfied the check rather than defeating it, because notarization scans for known malware, not new threats.

Does Apple notarization mean an app is safe?

No. Notarization is an automated check that an app is not already known malware and is signed correctly. It is not a human security review and makes no judgment about what the app does. A brand-new stealer with a valid developer account passes it.

How do I detect CrashStealer on a Mac?

Hunt behavior, not signatures. Look for a non-Apple process reading the login keychain and browser credential stores, and a LaunchAgent named com.apple.crashreporter.helper that impersonates Apple's crash reporter. Watch for outbound traffic to the hardcoded server at 179.43.166.242.

What should I do if I installed the Werkbit app?

Assume every credential on that Mac is compromised. Remove Werkbit.app and its LaunchAgent, then rotate all passwords, session tokens and cryptocurrency wallet seed phrases from a clean device. Block werkbit.io and report the developer certificate to Apple so the notarization can be revoked.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.