Back to Intelligence

Defending Against CrashStealer macOS Malware and Mobile Surveillance Operations

SA
Security Arsenal Team
July 17, 2026
7 min read

Recent intelligence reveals multiple concerning developments in the threat landscape that require immediate defensive attention. Iranian-aligned threat actors have been actively tracking US military personnel through mobile device surveillance, while a new macOS malware variant dubbed "CrashStealer" has emerged targeting Apple systems. These developments underscore the expanding attack surface against both mobile endpoints and traditionally "harder" platforms like macOS.

For security practitioners, these threats represent a shift toward more sophisticated targeting of both high-value personnel and enterprise macOS environments. This analysis provides defensive measures to detect, prevent, and remediate these threats before they lead to data exfiltration or compromise.

Technical Analysis

CrashStealer macOS Malware

CrashStealer represents a new generation of macOS information stealers designed to harvest sensitive data from compromised endpoints. Based on current intelligence:

  • Affected Platform: macOS (versions currently being analyzed)
  • Functionality: Credential harvesting, keylogging, and data exfiltration
  • Persistence Mechanism: Launch Agents/Launch Daemons manipulation
  • Data Collection Targets: Keychain data, browser credentials, system information
  • Exfiltration Method: Encrypted HTTPS channels to C2 infrastructure

The malware likely achieves persistence through legitimate-looking Launch Agents, a technique increasingly favored by macOS threat actors to maintain access while evading detection.

Iranian Mobile Surveillance Operations

Iranian threat actors are conducting surveillance operations targeting US military personnel through mobile devices:

  • Target Sector: US Military personnel and defense contractors
  • Vector: Mobile device tracking and data collection
  • Technique: Likely exploiting mobile OS vulnerabilities or malicious applications
  • Objective: Location tracking, communications monitoring, and intelligence gathering

These operations represent a significant escalation in mobile espionage tactics and highlight the need for comprehensive mobile threat defense strategies within defense organizations.

Detection & Response

SIGMA Rules

YAML
---
title: Suspicious macOS Launch Agent Creation
id: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
status: experimental
description: Detects creation of suspicious Launch Agents which are commonly used for malware persistence on macOS
references:
  - https://attack.mitre.org/techniques/T1543/004/
author: Security Arsenal
date: 2026/04/28
tags:
  - attack.persistence
  - attack.t1543.004
logsource:
  category: file_event
  product: macos
detection:
  selection:
    TargetFilename|contains:
      - '/Library/LaunchAgents/'
      - '/Library/LaunchDaemons/'
      - '~/Library/LaunchAgents/'
  filter:
    Image|contains:
      - '/usr/sbin/installer'
      - '/usr/bin/xcodebuild'
  condition: selection and not filter
falsepositives:
  - Legitimate software installations
level: medium
---
title: macOS Keychain Access by Suspicious Process
id: 2b3c4d5e-6f7g-8h9i-0j1k-2l3m4n5o6p7q
status: experimental
description: Detects processes attempting to access macOS Keychain data, a common behavior for information stealers
references:
  - https://attack.mitre.org/techniques/T1055/
author: Security Arsenal
date: 2026/04/28
tags:
  - attack.credential_access
  - attack.t1055
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    CommandLine|contains:
      - 'security'
      - 'find-generic-password'
      - 'find-internet-password'
  filter:
    Image|contains:
      - '/usr/bin/security'
      - '/Applications/'
  condition: selection and not filter
falsepositives:
  - Legitimate password manager access
level: high
---
title: Suspicious Network Connection from macOS System Process
id: 3c4d5e6f-7g8h-9i0j-1k2l-3m4n5o6p7q8r
status: experimental
description: Detects unusual network connections from processes that shouldn't typically establish external connections
references:
  - https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2026/04/28
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: macos
detection:
  selection:
    Image|contains:
      - '/Library/LaunchAgents/'
      - '/tmp/'
      - '/private/var/tmp/'
    DestinationPort:
      - 443
      - 8080
      - 8443
  condition: selection
falsepositives:
  - Legitimate software update connections
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious Launch Agent creation on macOS
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("LaunchAgents", "LaunchDaemons")
| where ActionType == "FileCreated"
| where InitiatingProcessFolderPath !contains "/usr/sbin/installer"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc


// Detect potential macOS keychain access by unauthorized processes
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("find-generic-password", "find-internet-password", "dump-keychain")
| where ProcessVersionInfoOriginalFileName != "security"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious Launch Agents on macOS
SELECT FullPath, Mtime, Size, Mode, User
FROM glob(globs='/*/*/LaunchAgents/*.plist', root='/')
WHERE Mtime > now() - 7*24*60*60

-- Find processes accessing keychain
SELECT Pid, Name, Exe, CommandLine, StartTime
FROM pslist()
WHERE CommandLine =~ 'security' AND CommandLine =~ 'find-'

-- Identify network connections from suspicious paths
SELECT Fd, Family, RemoteAddr, State, Pid, Name
FROM netstat()
WHERE Name =~ '/tmp/' OR Name =~ '/Library/LaunchAgents/'

Remediation Script (Bash for macOS)

Bash / Shell
#!/bin/bash
# macOS CrashStealer Detection and Remediation Script
# Security Arsenal - 2026

# Create log file
LOG_FILE="/var/log/macos_security_scan_$(date +%Y%m%d_%H%M%S).log"
echo "Starting macOS Security Scan at $(date)" | tee -a "$LOG_FILE"

# Function to check and report suspicious Launch Agents
check_launch_agents() {
    echo "Checking for suspicious Launch Agents..." | tee -a "$LOG_FILE"
    
    # Check system Launch Agents
    find /Library/LaunchAgents /Library/LaunchDaemons -name "*.plist" -mtime -7 2>/dev/null | while read file; do
        echo "[!] Recently modified: $file" | tee -a "$LOG_FILE"
        /usr/bin/plutil -p "$file" 2>/dev/null | tee -a "$LOG_FILE"
    done
    
    # Check user Launch Agents
    find /Users/*/Library/LaunchAgents -name "*.plist" -mtime -7 2>/dev/null | while read file; do
        echo "[!] Recently modified: $file" | tee -a "$LOG_FILE"
        /usr/bin/plutil -p "$file" 2>/dev/null | tee -a "$LOG_FILE"
    done
}

# Function to check for processes accessing keychain
check_keychain_access() {
    echo "Checking for suspicious keychain access..." | tee -a "$LOG_FILE"
    
    ps aux | grep -i "security.*find-" | grep -v grep | tee -a "$LOG_FILE"
}

# Function to check for suspicious network connections
check_network_connections() {
    echo "Checking for suspicious network connections..." | tee -a "$LOG_FILE"
    
    lsof -i -P -n | grep -i "established" | grep -v "ESTABLISHED" | tee -a "$LOG_FILE"
}

# Run all checks
check_launch_agents
check_keychain_access
check_network_connections

echo "Scan completed at $(date)" | tee -a "$LOG_FILE"
echo "Log saved to: $LOG_FILE"

Remediation

For CrashStealer macOS Malware

  1. Immediate Isolation:

    • Isolate affected macOS endpoints from the network
    • Preserve memory and disk artifacts for forensic analysis
  2. Malware Removal:

    • Identify and remove malicious Launch Agents (check locations in detection section)
    • Remove any suspicious files dropped by the malware
    • Reboot into Safe Mode for complete removal of persistent components
  3. Credential Reset:

    • Force password resets for all credentials stored on affected systems
    • Invalidate and reissue any potentially compromised certificates
    • Review and rotate API keys stored in macOS keychains
  4. System Hardening:

    • Enable macOS Gatekeeper and ensure it's properly configured
    • Enable XProtect and keep it updated
    • Implement application whitelisting using profiles
    • Configure macOS privacy controls to limit access to sensitive data
  5. Monitoring Enhancements:

    • Deploy EDR solutions with macOS support
    • Configure alerts for Launch Agent creation/modification
    • Monitor for unauthorized keychain access attempts
    • Implement network traffic analysis for suspicious C2 communication

For Iranian Mobile Surveillance

  1. Mobile Device Management (MDM) Enforcement:

    • Ensure all mobile devices are enrolled in corporate MDM
    • Implement strict application whitelisting
    • Disable sideloading of applications
    • Require device encryption at all times
  2. Security Configuration:

    • Enforce strong passcodes and biometric authentication
    • Disable unnecessary location services
    • Configure VPN requirements for accessing corporate resources
    • Enable automatic OS updates
  3. Threat Detection:

    • Deploy mobile threat defense (MTD) solutions
    • Monitor for unusual battery drain or data usage
    • Implement TLS inspection for mobile traffic
    • Set up alerts for jailbreak/root detection
  4. User Awareness:

    • Provide security awareness training focused on mobile threats
    • Establish clear reporting procedures for suspicious activity
    • Educate users on phishing risks via mobile messaging apps
  5. Network Segmentation:

    • Implement Zero Trust access for mobile devices
    • Isolate BYOD devices from sensitive networks
    • Require continuous authentication for accessing sensitive data

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirmacos-malwaremobile-surveillancecrashstealeriranian-aptthreat-intelligence

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.