A new macOS-infostealer, identified as CrashStealer, is targeting Apple computers by masquerading as a legitimate crash‑reporting utility.
The malicious program presents itself as “CrashReporter.app,” complete with an authentic‑looking Apple icon and metadata, and is signed and notarized to appear trustworthy.
Distribution occurs through a counterfeit software website that promotes a fictitious meeting platform, requiring a PIN before allowing the installer to run. The campaign relies on social engineering to convince users to add the payload to their devices.
When executed, CrashStealer displays a prompt that mimics a macOS authorization request, asking for the user’s system password. The prompt repeats until the correct credential is entered, after which the malware validates the password locally.
With the acquired password, the malware unlocks the user’s Keychain, granting access to encrypted data such as Wi‑Fi credentials, application passwords, certificates, and authentication tokens.
The infostealer then harvests additional information, including files from the Documents and Downloads folders, credentials and cookies from Firefox and Chromium‑based browsers, data from fourteen popular password managers, and extensions linked to cryptocurrency wallets.
Collected data is encrypted, placed in a hidden ZIP archive, and transmitted to remote servers controlled by the attackers.
Users are advised to verify the legitimacy of any software before installation, avoid downloading applications from untrusted sources, and recognize that Apple diagnostics do not require password authentication. Maintaining vigilance against unsolicited credential prompts can help prevent infection.





