Notarized Werkbit.app carries CrashStealer past Gatekeeper
Jamf flagged CrashStealer, a native-C++ macOS infostealer arriving inside Werkbit.app — Apple-notarized and gated behind a meeting PIN.
Jamf Threat Labs’ Thijs Xhaflaire has documented CrashStealer,
a native-C++ macOS infostealer arriving on target machines inside a signed,
Apple-notarized disk image called Werkbit.app. The dropper’s Developer ID
belongs to Emil Grigorov (WWB7JA7AQV), the download domain werkbit[.]io
was registered in late June 2026, and the download itself is gated behind a
meeting PIN — this is a targeted delivery, not a spray. BleepingComputer
picked up the report
the same day.
The reason this matters more than “another Mac stealer”: the dropper walks past Gatekeeper on a valid, current Apple notarization. The trust chain most Mac fleets rely on to say “yes, right-click-open this” is doing what it advertised and clearing this file. CrashStealer isn’t defeating notarization; it is being carried by it.
The mechanics
The Werkbit.app disk image is what the user opens. Both the .dmg and the
binary inside — a helper named veltod — are Apple-notarized under the
Grigorov Developer ID. Once running, veltod reaches a GitHub repo under
github[.]com/mgothiclove and pulls a sys.cache file that contains a curl
command; that curl fetches a shell script, which stages the next payload as
CrashReporter.dmg under /tmp. That’s the “Apple crash reporting tool”
impersonation — the payload borrows the name after Gatekeeper has already
been cleared. Persistence lands as a LaunchAgent, and the payload copies and
re-signs itself to survive.
Before any of that, CrashStealer pops a password prompt and validates the entered password locally, then uses that password to unlock the login keychain. No exotic keychain-abuse — the user is the mechanism.
Once it’s running: Chromium-family browsers (Chrome, Brave, Edge, Opera,
Opera GX, Vivaldi, Chromium, Naver Whale) and Firefox, keychain material,
roughly 80 crypto-wallet extensions (MetaMask, Phantom, Coinbase, Trust
Wallet, Rabby, OKX, Exodus, Keplr, Solflare, Backpack among them), 14
password managers (1Password, Bitwarden, LastPass, Dashlane, Keeper,
KeePassXC, NordPass, Enpass, RoboForm), plus files from ~/Documents and
~/Downloads. Data is AES-GCM-encrypted client-side, ZIPed, and shipped
over libcurl to 179.43.166[.]242. Native C++ with control-flow
flattening, encrypted strings, and layered anti-debugging on top — not the
AppleScript or Objective-C wrapper most macOS stealers ship as.
Here’s what to actually do
- Get the IOCs from Jamf’s report, not from this writeup. Xhaflaire’s
blog carries hashes for the dropper, the
veltodbinary, and the next- stage payload, plus the C2 IP, the domain, the GitHub URL, and the Developer ID string. That’s the primary source — every downstream summary (this one included) is an abstract on top of it. Feed those into your EDR, DNS, and proxy tooling first, before spending a Wednesday afternoon writing behavioral rules. - Block the notarized dropper by team ID. Developer ID
WWB7JA7AQV(Emil Grigorov) is on the loose. Apple can revoke it and probably will — Werkbit’s operators can register a new Developer ID for a hundred dollars. Fleet management (Jamf, Kandji, Mosyle, Intune-for-Mac) can block by team identifier ahead of Apple’s revocation and catch the interim window. - Alert on
~/Library/LaunchAgents/*.plistwrites by non-installer processes. Persistence-as-LaunchAgent is a fifteen-year-old pattern on macOS and is still the single highest-yield detection lane against Mac stealers. If your fleet isn’t emitting an event when a non-Installer, non-vendor-installer process drops a LaunchAgent plist, that’s the first gap to close. - Baseline the password prompt. Legitimate Mac apps ask for the login password rarely — installers, keychain unlocks, sudo. A non-Apple application prompting for the login password shortly after first launch, especially one that then immediately tries the keychain, is the specific behavior CrashStealer relies on. It’s also the shape of every future stealer that decides to copy this pattern.
- Watch
/tmpstaging by user-space processes.CrashReporter.dmgunder/tmpis a fingerprint of this campaign; user-space processes writing disk images or executables into/tmpis a fingerprint of a broader class. The behavioral rule catches both.
Priority
Ingest the Jamf IOCs today — highest-leverage single action for the next 48
hours. Team-ID block for WWB7JA7AQV in fleet management immediately
after; the operators will re-notarize under a fresh ID at some point, but
the current file will keep landing until they do. LaunchAgent-write and
password-prompt telemetry are the layered detections for whichever variant
of this shows up next, and both pay for themselves against the whole
macOS-stealer class, not just this one.
The honest read: Apple’s notarization pipeline is a filter, not a verdict. Notarization means the binary passed automated malware checks at signing time; it does not mean the binary is safe, and it does not mean the developer ID is trustworthy in perpetuity. Anyone shipping macOS in an environment where “notarized” is the end of the trust question needs to walk that back a step — because the operators of Werkbit already did.
Related coverage
- Cisco IOS 12.4 CSRF (CVE-2008-4128) added to KEV — different vendor, same lesson: a valid signature or shipped-product status is not a valid safety statement across an eighteen-year window.
- RedHook Android switches to Wireless ADB — the mobile-side companion for “malware carried by a platform’s own trust primitives.”
Sourcing
- Jamf Threat Labs — CrashStealer analysis by Thijs Xhaflaire (referenced by The Hacker News; IOCs live in the Jamf report).
- The Hacker News — CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks, 2026-07-13.
- BleepingComputer — New CrashStealer malware poses as Apple crash reporting tool, 2026-07-13.
Found this useful? Share it.