CrashStealer macOS info stealer uses signed dropper
🛡️ Jamf Threat Labs discovered a new native C++ macOS information stealer named CrashStealer that harvests credentials, browser data, cryptocurrency wallet extensions, password manager entries, and keychain material. The campaign uses a signed and Apple-notarized disk image dropper served from a gated site and persists via LaunchAgent after re-signing itself. Collected files are AES-GCM encrypted before exfiltration to an attacker-controlled server, and the malware employs multiple analysis-resistance techniques.
