logo

Crashstealer

ID: 3a55ee98-61bf-4621-97bb-2fbf1aaaecbd

STIX ID: report--3a55ee98-61bf-4621-97bb-2fbf1aaaecbd

Threat Score

75/100

Uploaded: 2026-07-13

Created by: Threat Intel Test

TLP:GREEN
...
...
CrashStealer is a native C++ macOS infostealer delivered via a signed, notarized disk-image dropper that impersonates Apple crash-reporting components; it captures login credentials (validated locally), unlocks and copies the login keychain, harvests browser profiles, ~80 wallet extensions and multiple password managers, encrypts collected data with AES-256-GCM using PBKDF2-derived keys, packages results into hidden ZIPs under ~/.cache/com.apple.crashreporter/, and exfiltrates them to a hardcoded C2 (179.43.166.242). The family employs control-flow flattening, encrypted strings, layered anti-debugging, and persists by re-signing a copy and loading a LaunchAgent; defenders can hunt for signed dropper artifacts, staging under /private/tmp/.CrashReporter and hidden .zx_*.zip archives in the cache directory as high-value indicators.