برمجية "كراش ستيلر" الخبيثة تتظاهر بأنها أداة من آبل لسرقة كلمات المرور وبيانات ماك

13 يوليو 2026·آبل إنسايدر
برمجية "كراش ستيلر" الخبيثة تتظاهر بأنها أداة من آبل لسرقة كلمات المرور وبيانات ماك
CrashStealer, a newly documented Mac infostealer, used an Apple-notarized meeting app to reach victims before stealing passwords, browser data and cryptocurrency credentials behind a fake system prompt.

CrashStealer fake password prompt

Jamf Threat Labs first spotted a suspicious sample on VirusTotal in early May and began seeing matching detections on customer Macs in early July. Further analysis traced the malware to a signed and Apple-notarized first-stage application called Werkbit, giving researchers a clearer view of how the campaign reached victims.

Werkbit carried a valid Developer ID associated with Emil Grigorov and passed Gatekeeper without an unidentified-developer warning. Apple has since revoked the signing credentials associated with the malicious application after Jamf shared its findings with the company's security team.

Jamf found no zero-click stage in the samples it analyzed. A victim still had to download and launch Werkbit, allow the delivery chain to run and enter a valid Mac password before CrashStealer could reach its most valuable targets.


Continue Reading on AppleInsider | Discuss on our Forums
CrashStealermacmalware
الخبر متوفّر باللغات التالية:English
المصدر الأصلي للخبر
آبل إنسايدر

'CrashStealer' malware poses as an Apple tool to steal passwords & Mac data

July 13, 2026·AppleInsider
'CrashStealer' malware poses as an Apple tool to steal passwords & Mac data
CrashStealer, a newly documented Mac infostealer, used an Apple-notarized meeting app to reach victims before stealing passwords, browser data and cryptocurrency credentials behind a fake system prompt.

CrashStealer fake password prompt

Jamf Threat Labs first spotted a suspicious sample on VirusTotal in early May and began seeing matching detections on customer Macs in early July. Further analysis traced the malware to a signed and Apple-notarized first-stage application called Werkbit, giving researchers a clearer view of how the campaign reached victims.

Werkbit carried a valid Developer ID associated with Emil Grigorov and passed Gatekeeper without an unidentified-developer warning. Apple has since revoked the signing credentials associated with the malicious application after Jamf shared its findings with the company's security team.

Jamf found no zero-click stage in the samples it analyzed. A victim still had to download and launch Werkbit, allow the delivery chain to run and enter a valid Mac password before CrashStealer could reach its most valuable targets.


Continue Reading on AppleInsider | Discuss on our Forums
CrashStealermacmalware
Original source article
AppleInsider