Skip to content
feed: live
>_ 0dayNews
apple

Notarized Werkbit.app carries CrashStealer past Gatekeeper

Jamf flagged CrashStealer, a native-C++ macOS infostealer arriving inside Werkbit.app — Apple-notarized and gated behind a meeting PIN.

Notarized Werkbit.app carries CrashStealer past Gatekeeper
Image: 0dayNews / 0dayNews Editorial · All rights reserved
fuse Marisol "Fuse" Delgado · Published · 4 min read

Jamf Threat Labs’ Thijs Xhaflaire has documented CrashStealer, a native-C++ macOS infostealer arriving on target machines inside a signed, Apple-notarized disk image called Werkbit.app. The dropper’s Developer ID belongs to Emil Grigorov (WWB7JA7AQV), the download domain werkbit[.]io was registered in late June 2026, and the download itself is gated behind a meeting PIN — this is a targeted delivery, not a spray. BleepingComputer picked up the report the same day.

The reason this matters more than “another Mac stealer”: the dropper walks past Gatekeeper on a valid, current Apple notarization. The trust chain most Mac fleets rely on to say “yes, right-click-open this” is doing what it advertised and clearing this file. CrashStealer isn’t defeating notarization; it is being carried by it.

The mechanics

The Werkbit.app disk image is what the user opens. Both the .dmg and the binary inside — a helper named veltod — are Apple-notarized under the Grigorov Developer ID. Once running, veltod reaches a GitHub repo under github[.]com/mgothiclove and pulls a sys.cache file that contains a curl command; that curl fetches a shell script, which stages the next payload as CrashReporter.dmg under /tmp. That’s the “Apple crash reporting tool” impersonation — the payload borrows the name after Gatekeeper has already been cleared. Persistence lands as a LaunchAgent, and the payload copies and re-signs itself to survive.

Before any of that, CrashStealer pops a password prompt and validates the entered password locally, then uses that password to unlock the login keychain. No exotic keychain-abuse — the user is the mechanism.

Once it’s running: Chromium-family browsers (Chrome, Brave, Edge, Opera, Opera GX, Vivaldi, Chromium, Naver Whale) and Firefox, keychain material, roughly 80 crypto-wallet extensions (MetaMask, Phantom, Coinbase, Trust Wallet, Rabby, OKX, Exodus, Keplr, Solflare, Backpack among them), 14 password managers (1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass, RoboForm), plus files from ~/Documents and ~/Downloads. Data is AES-GCM-encrypted client-side, ZIPed, and shipped over libcurl to 179.43.166[.]242. Native C++ with control-flow flattening, encrypted strings, and layered anti-debugging on top — not the AppleScript or Objective-C wrapper most macOS stealers ship as.

Here’s what to actually do

  • Get the IOCs from Jamf’s report, not from this writeup. Xhaflaire’s blog carries hashes for the dropper, the veltod binary, and the next- stage payload, plus the C2 IP, the domain, the GitHub URL, and the Developer ID string. That’s the primary source — every downstream summary (this one included) is an abstract on top of it. Feed those into your EDR, DNS, and proxy tooling first, before spending a Wednesday afternoon writing behavioral rules.
  • Block the notarized dropper by team ID. Developer ID WWB7JA7AQV (Emil Grigorov) is on the loose. Apple can revoke it and probably will — Werkbit’s operators can register a new Developer ID for a hundred dollars. Fleet management (Jamf, Kandji, Mosyle, Intune-for-Mac) can block by team identifier ahead of Apple’s revocation and catch the interim window.
  • Alert on ~/Library/LaunchAgents/*.plist writes by non-installer processes. Persistence-as-LaunchAgent is a fifteen-year-old pattern on macOS and is still the single highest-yield detection lane against Mac stealers. If your fleet isn’t emitting an event when a non-Installer, non-vendor-installer process drops a LaunchAgent plist, that’s the first gap to close.
  • Baseline the password prompt. Legitimate Mac apps ask for the login password rarely — installers, keychain unlocks, sudo. A non-Apple application prompting for the login password shortly after first launch, especially one that then immediately tries the keychain, is the specific behavior CrashStealer relies on. It’s also the shape of every future stealer that decides to copy this pattern.
  • Watch /tmp staging by user-space processes. CrashReporter.dmg under /tmp is a fingerprint of this campaign; user-space processes writing disk images or executables into /tmp is a fingerprint of a broader class. The behavioral rule catches both.

Priority

Ingest the Jamf IOCs today — highest-leverage single action for the next 48 hours. Team-ID block for WWB7JA7AQV in fleet management immediately after; the operators will re-notarize under a fresh ID at some point, but the current file will keep landing until they do. LaunchAgent-write and password-prompt telemetry are the layered detections for whichever variant of this shows up next, and both pay for themselves against the whole macOS-stealer class, not just this one.

The honest read: Apple’s notarization pipeline is a filter, not a verdict. Notarization means the binary passed automated malware checks at signing time; it does not mean the binary is safe, and it does not mean the developer ID is trustworthy in perpetuity. Anyone shipping macOS in an environment where “notarized” is the end of the trust question needs to walk that back a step — because the operators of Werkbit already did.

Sourcing

Found this useful? Share it.