Back to Intelligence

CrashStealer macOS Malware: Countering Notarized Dropper Gatekeeper Bypasses

SA
Security Arsenal Team
July 13, 2026
5 min read

The macOS threat landscape has matured significantly, and the emergence of CrashStealer in July 2026 marks a troubling escalation in evasion techniques. Security Arsenal is tracking an active campaign where this information-stealing malware utilizes a notarized dropper to bypass Apple's Gatekeeper protections.

For years, Gatekeeper has served as a critical first line of defense, ensuring that only trusted code runs. By abusing Apple's notarization process—a mechanism designed to verify developer identity—threat actors have effectively compromised the trust model. When a user sees the "Apple checked it for malicious software" prompt, they assume safety. This campaign exploits that trust to deliver CrashStealer, targeting credentials, cookies, and sensitive system data. Defenders can no longer rely on signature validity as a proxy for safety on macOS endpoints.

Technical Analysis

Affected Platform

  • macOS (Versions supporting current notarization requirements, likely Monterey and later).

The Attack Chain

The CrashStealer campaign leverages a multi-stage execution flow designed to slip past static analysis and user scrutiny:

  1. Initial Access: The victim is lured into downloading a DMG or PKG installer, typically masquerading as legitimate productivity software or a utility update.
  2. The Notarized Dropper: The downloaded file contains a dropper component that has been signed with a valid developer certificate and submitted to Apple for notarization. This allows it to pass Gatekeeper checks without user intervention or warnings.
  3. Execution: Upon launch, the signed dropper executes. While the container is trusted, the internal logic performs malicious acts.
  4. Payload Deployment: The dropper retrieves and executes the main CrashStealer payload. This is often done by extracting an embedded binary or fetching a second-stage loader from a remote command-and-control (C2) server.
  5. Data Exfiltration: CrashStealer hooks into browser processes and accesses the macOS Keychain to siphon authentication tokens, passwords, and cryptocurrency wallet data.

Exploitation Status

  • Status: Confirmed active exploitation (Wild).
  • Vector: Social engineering coupled with abused developer infrastructure.

Detection & Response

Detecting notarized malware requires a shift from binary reputation monitoring to behavioral analysis. We must look for "trusted" applications performing "untrusted" actions.

Sigma Rules

YAML
---
title: Potential macOS Dropper Spawning Shell
id: 8a4b2c1d-9e6f-4a3b-8c2d-1e4f5a6b7c8d
status: experimental
description: Detects a signed application running from user directories spawning a shell or interpreter, typical of dropper behavior.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    ParentImage|contains:
      - '/Downloads/'
      - '/Volumes/'
    Image|endswith:
      - '/bin/bash'
      - '/bin/zsh'
      - '/bin/sh'
      - '/usr/bin/osascript'
      - '/usr/bin/python3'
  condition: selection
falsepositives:
  - Legitimate software installers running scripts
level: medium
---
title: Suspicious LaunchAgent Creation by Downloaded Binary
id: 9c5d3e2f-0f7a-4b5c-9d1e-2f5a6b7c8d9e
status: experimental
description: Detects creation of persistence mechanisms in LaunchAgents/LaunchDaemons by a process executed from Downloads.
references:
  - https://attack.mitre.org/techniques/T1543/
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.persistence
  - attack.t1543.001
logsource:
  category: file_event
  product: macos
detection:
  selection:
    TargetFilename|contains:
      - '/Library/LaunchAgents/'
      - '/Library/LaunchDaemons/'
      - '~/Library/LaunchAgents/'
    Image|contains:
      - '/Downloads/'
      - '/Volumes/'
  condition: selection
falsepositives:
  - Authorized software installations
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for processes initiated from Downloads/Volumes that establish network connections
DeviceProcessEvents  
| where Timestamp > ago(7d)  
| where OSPlatform == "MacOS"  
| where InitiatingProcessFolderPath contains "/Downloads/" or InitiatingProcessFolderPath contains "/Volumes/"  
| where ProcessCommandLine contains "curl" or ProcessCommandLine contains "wget" or ProcessCommandLine contains "ssh"  
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessFolderPath  
| extend MD5 = hash(InitiatingProcessFileName) // Placeholder for deep analysis
| sort by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for unsigned binaries spawned by signed parent processes (Dropper behavior)
SELECT Parent.Name AS ParentName, Parent.Exe AS ParentExe, 
       Pid, Name, Exe, CommandLine, Username, Signed
FROM pslist()
LEFT JOIN pslist() AS Parent ON Parent.Pid = PPid
WHERE Parent.Signed = TRUE 
  AND Signed = FALSE 
  AND (Exe =~ '/private/var/folders/' OR Exe =~ '/tmp/')
-- Droppers often drop payload to temp or var folders

Remediation Script (Bash)

Bash / Shell
#!/bin/bash
# Security Arsenal - CrashStealer Response Script
# Validates Gatekeeper status and checks for common persistence locations

echo "[*] Checking Gatekeeper Status..."
if spctl --status | grep -q "assessments enabled"; then
    echo "[+] Gatekeeper is ENABLED."
else
    echo "[!] WARNING: Gatekeeper is DISABLED. Enable with: sudo spctl --master-enable"
fi

echo "[*] Checking for Suspicious LaunchAgents (Last 24h)..."
find ~/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons -iname "*.plist" -mtime -1 -ls 2>/dev/null

echo "[*] Analyzing recent Downloads for executables..."
# List apps and binaries in Downloads modified in last 2 days
find ~/Downloads -type f -perm +111 -mtime -2 2>/dev/null

echo "[*] Done. Review the output above for anomalies."

Remediation

  1. Isolate the Host: Immediately disconnect the infected macOS endpoint from the network to prevent C2 communication and further lateral movement.
  2. Kill the Process: Terminate the dropper and the CrashStealer payload processes. Use Activity Monitor or CLI: sudo pkill -f <process_name>.
  3. Remove Artifacts:
    • Delete the initially downloaded DMG/PGK file.
    • Remove the installed application bundle.
    • Delete any malicious LaunchAgents or LaunchDaemons identified during the investigation.
  4. Reset Credentials: Assume all credentials (cookies, saved passwords, keychain items) accessed during the infection window are compromised. Force a password reset and revoke session tokens for critical applications.
  5. Rebuild vs. Clean: Given the sophistication of CrashStealer and its potential to install deep persistence, Security Arsenal recommends reimaging the endpoint for high-risk users or sensitive environments.
  6. User Education: Brief the affected user on the risks of downloading software from unverified sources, even if it appears "signed" or "notarized." Emphasize verifying the source URL.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemmacoscrashstealergatekeeperinfo-stealerthreat-hunting

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.