Connect with us

CyberSecurity

CrashStealer: New macOS Malware Uses Notarized Dropper to Evade Apple’s Gatekeeper

Published

on

CrashStealer macOS malware

A Stealthy New Player in macOS Threats

Cybersecurity researchers have uncovered a fresh macOS information stealer dubbed CrashStealer. Unlike many of its peers that lean on AppleScript droppers or Objective-C wrappers, this one is built in native C++. That alone makes it stand out — and more dangerous.

According to Jamf Threat Labs, CrashStealer doesn’t just skim data passively. It validates the victim’s login password locally before proceeding. If the password doesn’t match, the malware simply stops. That’s a level of caution rarely seen in commodity stealers.

The big headline? CrashStealer passed Apple’s notarization checks, meaning it briefly wore a badge of trust before being flagged. That’s a sobering reminder that notarization is not a guarantee of safety.

How CrashStealer Bypasses Gatekeeper

Apple’s Gatekeeper is designed to block unsigned or untrusted code from running on macOS. But CrashStealer’s developers got their payload notarized by Apple — a process meant to verify that software is free of known malicious components.

How? The dropper itself appeared clean. It was only the second-stage payload that carried the malicious logic. Once the notarized installer ran, it fetched the real stealer from a remote server, entirely bypassing the initial Gatekeeper scan.

This technique, sometimes called a “notarized dropper,” exploits a gap: Apple checks the outer package but doesn’t re-verify dynamically downloaded code. For attackers, it’s a clean way to get a foothold on a locked-down Mac.

The C++ Advantage

Most macOS malware relies on scripting languages like AppleScript or higher-level wrappers in Objective-C. CrashStealer’s use of native C++ gives it several advantages:

  • Smaller binary size, making it harder to spot via heuristics
  • Lower-level system access, useful for keylogging and credential theft
  • Better evasion of signature-based detection tools

Jamf researchers noted that the malware’s code is lean and avoids common macOS API calls that antivirus engines monitor. That’s a deliberate design choice — and it works.

What Data Does CrashStealer Harvest?

Once active, CrashStealer goes after a broad set of sensitive information. Its targets include:

  • Login passwords and keychain data
  • Browser cookies and saved credentials
  • Cryptocurrency wallet files
  • System information and installed application lists
  • iCloud tokens, if accessible

The stolen data is exfiltrated to a command-and-control server. Researchers haven’t yet confirmed the full scope of victims, but the malware’s design suggests a broad, indiscriminate targeting strategy — not a narrow espionage campaign.

What This Means for Mac Users

For years, Mac users enjoyed a reputation for relative safety compared to Windows. That’s changing. macOS-specific malware like CrashStealer, Mac ransomware, and info-stealers targeting Apple systems are on the rise.

The fact that CrashStealer passed notarization is particularly troubling. It means users who trust Apple’s stamp of approval can still be compromised. The lesson: don’t rely solely on Apple’s security checks. Practice the same caution you would on any other platform.

If you’re a Mac user, consider these steps:

  • Only download software from official developer websites, not third-party mirrors
  • Keep macOS and all apps updated
  • Use a reputable endpoint security tool that monitors for unusual behavior
  • Enable FileVault encryption to protect data at rest
  • Be skeptical of unexpected password prompts — CrashStealer asks for your login password

Detection and Mitigation

Jamf Threat Labs has published indicators of compromise (IoCs) for CrashStealer, including known C2 domains and file hashes. Security teams can use these to scan for infections.

Apple has since revoked the notarization ticket for the malicious dropper, so new installations should now trigger Gatekeeper warnings. But existing infections remain active until cleaned.

For individuals, a full system scan with an updated antivirus tool is the first step. If you suspect compromise, change all passwords from a clean device and enable two-factor authentication wherever possible.

CrashStealer is a wake-up call. macOS notarization is a useful security layer — but it’s not bulletproof. Treat every download with a healthy dose of skepticism, even if Apple gave it a thumbs-up.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

CyberSecurity

CISA Turns to Anthropic’s Mythos to Hunt for Flaws in Government Software

Published

on

Anthropic Mythos

Inside the CISA-Anthropic Partnership

The US Cybersecurity and Infrastructure Security Agency (CISA) is reportedly deploying a specialized AI tool from Anthropic to probe federal software for vulnerabilities. Sources familiar with the arrangement say the system, called Mythos, is being used by CISA’s Attack Surface Evaluation team — a unit dedicated to simulated hacking and digital defense assessments.

This isn’t some generic chatbot. Mythos is purpose-built for code analysis. It scans source code, configuration files, and even running applications to flag weaknesses that human reviewers might miss. Think of it as a tireless, AI-powered penetration tester that never sleeps.

What Exactly Is Mythos?

Anthropic has kept details about Mythos under wraps. But what’s known is that it’s a large language model (LLM) fine-tuned specifically for cybersecurity tasks. Unlike Anthropic’s consumer-facing Claude chatbot, Mythos is designed to understand software architecture, identify insecure coding patterns, and suggest fixes.

It’s reportedly been in development for months, with CISA providing feedback to sharpen its detection capabilities. The tool can process massive codebases quickly — something that would take a team of human analysts weeks or months to review manually.

How It Differs from Traditional Scanners

Conventional vulnerability scanners rely on known signatures and rule-based checks. They’re good at catching known issues but struggle with novel or context-dependent flaws. Mythos, by contrast, uses reasoning. It can infer that a particular sequence of operations might lead to a security hole, even if no exact pattern exists in its training data.

That’s a significant leap. It means the tool can potentially find zero-day vulnerabilities — bugs that no one has seen before.

Why CISA Needs AI-Powered Scanning

The federal government runs thousands of software applications, many of them decades old. Legacy systems are notoriously fragile. They often contain unpatched vulnerabilities, outdated libraries, and code written before modern security practices became standard.

CISA’s Attack Surface Evaluation team has the unenviable job of stress-testing this sprawling digital infrastructure. They conduct red-team exercises, penetration tests, and code reviews. But the sheer volume of code is overwhelming.

That’s where Mythos comes in. It can triage large codebases, flagging the most promising leads for human analysts to investigate. It doesn’t replace the experts — it makes them faster.

Privacy, Security, and Trust Concerns

Giving an AI system access to government source code raises obvious questions. Who controls the data? Could the model leak sensitive information? What happens if an adversary compromises the tool?

CISA and Anthropic have reportedly built safeguards. The system runs in a secure, air-gapped environment. No code leaves CISA’s control. Anthropic doesn’t get to see the vulnerabilities discovered — only aggregated performance metrics.

Still, the arrangement is likely to draw scrutiny. Critics will ask whether relying on a private company’s AI for government security introduces new risks. Supporters will argue that the status quo — underfunded, overworked human teams — is far riskier.

The Bigger Picture: AI in Government Cybersecurity

CISA isn’t the only agency exploring AI-assisted security. The Department of Defense has experimented with machine learning for threat detection. The NSA uses automated tools to analyze network traffic. But this appears to be one of the first instances of a civilian agency deploying a bespoke LLM for offensive-style security assessments.

If the pilot succeeds, expect more agencies to follow. The technology could eventually be used to scan critical infrastructure — power grids, water systems, transportation networks — for vulnerabilities before attackers find them.

For now, though, the focus is on federal software. And if Mythos proves its worth, it could become a standard tool in CISA’s arsenal. The agency has not officially confirmed the arrangement, but multiple sources have described it to SecurityWeek and other outlets.

One thing is clear: the era of AI-assisted vulnerability hunting has arrived. And the government is leading the charge.

Continue Reading

CyberSecurity

How a Windows Device ID Helped the FBI Trace a Scattered Spider Hacker to a Jewelry Heist

Published

on

Windows device ID

The Digital Trail That Led to an Arrest

Federal prosecutors have linked a suspected member of the notorious Scattered Spider hacking group to a brazen cyberattack on a luxury jewelry retailer — not through a flashy zero-day exploit or a sophisticated piece of malware, but through a persistent Windows device ID. The detail emerged from a newly unsealed complaint filed in U.S. district court.

The ID, a unique identifier tied to a specific Windows machine, allowed investigators to connect the dots between a breach that occurred in May 2025 and a 19-year-old suspect named Peter Stokes. According to the complaint, Microsoft records showed that the same device ID was used to maintain access to the retailer’s network after the initial intrusion.

From there, the trail led to online accounts prosecutors say belong to Stokes. It’s a reminder that in the world of cybercrime, even the most careful attackers can leave behind a breadcrumb that law enforcement can follow.

What Is a Windows Device ID and Why Does It Matter?

A Windows device ID, sometimes called a hardware ID or machine GUID, is a unique string generated by the operating system during installation. It’s not something most users ever see, but it’s embedded deep in the system and persists even after clean reinstallations if the hardware remains the same.

For investigators, that persistence is gold. Unlike IP addresses, which can be masked with VPNs or proxies, or browser fingerprints, which users can clear, a device ID is much harder to spoof. It ties a specific piece of hardware to a specific set of actions, creating a forensic link that’s difficult to break.

In this case, the ID didn’t just show up once. It was used repeatedly during the jewelry retailer intrusion, appearing in logs that tracked the attackers’ movements inside the network. That gave the FBI a stable anchor point to build their case.

The Breach: A Luxury Retailer’s Nightmare

The target was a high-end jewelry chain — the kind of store that sells pieces worth more than most people’s cars. The attackers, allegedly part of the Scattered Spider collective, gained initial access through a combination of social engineering and credential theft. Once inside, they moved laterally, escalated privileges, and planted backdoors to ensure they could return.

But they made a mistake. One of the machines they used to access the network was running a copy of Windows that reported a device ID back to Microsoft’s servers. That ID was later cross-referenced with account creation logs for cloud services, email providers, and even gaming platforms.

Prosecutors say the same ID appeared in records for accounts that Stokes controlled. It wasn’t the only piece of evidence, but it was a crucial one — the kind of technical detail that turns a circumstantial case into a direct one.

Who Is Peter Stokes?

Stokes, 19, is not a household name. But according to the complaint, he was an active participant in the Scattered Spider ecosystem — a loose network of hackers known for targeting large corporations, often through SIM-swapping and phishing. The group has been linked to high-profile breaches at Caesars Entertainment, MGM Resorts, and other major brands.

What sets Stokes apart is his age. At 19, he’s barely out of high school, yet the complaint describes a sophisticated operation involving stolen credentials, remote access tools, and cryptocurrency laundering. The case highlights a troubling trend: the average age of cybercriminals is dropping, and the tools they use are becoming more accessible.

How the FBI Pieced Together the Evidence

The investigation didn’t start with a device ID. It started with a call from the jewelry retailer’s IT team, who noticed unusual activity on their network after hours. The FBI’s cyber division took over, pulling logs from firewalls, servers, and endpoints.

Here’s what they found:

  • A series of login attempts from IP addresses linked to known proxy services.
  • Unusual file transfers during off-hours, including database exports and configuration files.
  • Evidence of a backdoor account created with administrative privileges.

But the real breakthrough came when investigators subpoenaed Microsoft for telemetry data. The Windows device ID appeared in the logs of the machine used to create the backdoor account. That ID was then matched to a Microsoft account that showed the same hardware fingerprint. From there, it was a short jump to email addresses, social media profiles, and finally, to Stokes.

The complaint unsealed this week is just the beginning. Stokes has not yet entered a plea, and his attorney has declined to comment. But the case is already being watched closely by cybersecurity professionals, who see it as a sign that law enforcement is getting better at exploiting the digital exhaust that attackers leave behind.

What This Means for Cybersecurity and Privacy

The use of Windows device IDs in criminal investigations raises questions that go beyond this single case. On one hand, it’s a powerful tool for catching bad actors. On the other, it highlights how much telemetry data flows from our devices to companies like Microsoft — data that can be turned over to law enforcement with a subpoena.

For now, the message is clear: if you’re using a Windows machine to commit a crime, you’re leaving a signature that can follow you. And as forensic techniques improve, that signature is getting harder to erase.

The Scattered Spider case is far from over. But for the FBI, the trail of digital breadcrumbs — starting with a single device ID — has already led to a suspect.

Continue Reading

CyberSecurity

Critical Gitea Flaw Under Active Exploitation: One Header, Full Compromise

Published

on

Gitea flaw exploitation

One Header to Rule Them All: Critical Gitea Bug Lets Attackers Walk Right In

It took just 13 days after the advisory went public for attackers to start exploiting a critical vulnerability in Gitea, the popular self-hosted Git service. The bug, tracked as CVE-2026-20896, carries a CVSS score of 9.8. And the attack vector is almost absurdly simple: a single HTTP header containing a valid username.

No password. No token. Just a header. Sysdig’s senior director of threat research, Michael Clark, confirmed that the company’s sensors caught the first in-the-wild hit less than two weeks after the flaw was disclosed. The attempt was linked to what Clark described as a “VPN-exit scanner that grabbed access.”

This isn’t a theoretical risk. It’s happening now.

What Makes CVE-2026-20896 So Dangerous?

The vulnerability lives in Gitea’s reverse-proxy authentication mechanism — specifically in the official Docker images. Security researcher Ali Mustafa, who discovered the bug, explains that in Gitea Docker images before version 1.26.3, the default configuration allows connections from any source IP address. It doesn’t enforce an allowlist.

Here’s the problem: when reverse-proxy authentication is enabled, Gitea should only trust a header that was set by the proxy itself. But because of this flaw, anyone who can reach the Gitea container’s HTTP port directly — sidestepping the authenticating proxy — can impersonate any user whose login name they know or can guess.

And guess what? Admin accounts are the obvious target. “Any process that can reach the Gitea container’s HTTP port directly — not through the intended authenticating proxy — can impersonate any user whose login name is known or guessable. Admin accounts are the obvious targets,” Mustafa noted.

The fix, rolled out in Gitea versions 1.26.3 and 1.26.4, makes reverse-proxy authentication an opt-in feature. That’s a smart move — it means the dangerous default is no longer the default.

What Attackers Can Do Once They’re In

The consequences of a successful exploit are severe. Clark laid it out bluntly: a Gitea user can read and write their own repositories, including private ones. That means attackers can access:

  • The code your organization ships to production
  • Secrets developers accidentally committed — API keys, database credentials, deploy tokens
  • CI/CD configuration files
  • Deploy keys that can unlock other systems

In other words, a single header can lead to the complete compromise of everything Gitea holds. Code, secrets, infrastructure access — all up for grabs.

How Many Instances Are Exposed?

Sysdig’s research found roughly 6,200 Gitea instances accessible from the internet. How many of those are running vulnerable versions is unclear. But given that the flaw was only recently patched, and that many organizations are slow to update, the number could be significant.

If you’re running Gitea in a Docker container, now is the time to check your version. The attack surface is real, and the window for patching is closing fast.

What You Should Do Right Now

The advice from researchers is straightforward: update your Gitea deployments immediately. If you’re on a version before 1.26.3, you’re exposed. The patch changes the default behavior so that reverse-proxy authentication must be explicitly enabled, rather than being on by default.

Beyond updating, consider whether you even need reverse-proxy authentication. If you do, make sure your proxy is properly configured to set the trusted header, and that no other process can reach the Gitea container’s HTTP port directly. Network segmentation is your friend here.

This isn’t the first time Gitea has been in the spotlight for security issues. A previous vulnerability exposed roughly 30,000 deployments to attacks. And with critical Adobe ColdFusion vulnerabilities and actively exploited Microsoft SharePoint flaws also making headlines, it’s clear that the threat landscape is crowded. Don’t let your Gitea instance become the weak link.

Patch now. Because one header is all it takes.

Continue Reading

Trending