MacOS Users Warned of Fake CleanMyMac Site Spreading SHub Stealer Malware Targeting Crypto Wallets


Researchers Uncover macOS Malware Targeting Crypto Wallets via Fake CleanMyMac Site

A sophisticated macOS malware campaign has been discovered, leveraging a fake CleanMyMac website to distribute a malicious infostealer known as SHub Stealer. The malware targets cryptocurrency wallets, stealing sensitive data and installing hidden backdoors in popular wallet applications.

The fake website, hosted at cleanmymacos[.]org, has no affiliation with the legitimate CleanMyMac software or its developer, MacPaw. The site employs a social-engineering technique called ClickFix, which tricks visitors into opening the macOS Terminal and executing a malicious command. The command appears legitimate, printing a fake MacPaw link to create the illusion of authenticity.

SHub Stealer Malware

Once executed, the command installs the SHub Stealer malware, which begins harvesting a wide range of sensitive data, including saved passwords, browser information, Apple Keychain contents, cryptocurrency wallet files, and Telegram session data. The malware transmits identifying details, such as IP address, macOS version, and hostname, to a command-and-control server located at res2erch-sl0ut[.]com.

SHub Stealer belongs to a broader family of AppleScript-based macOS infostealers, which also includes malware strains like MacSync Stealer and Odyssey Stealer. The malware features a geofencing component, checking for Russian-language keyboards and signaling the attacker’s server with a "cis_blocked" flag if detected.

Modification of Cryptocurrency Wallet Applications

The malware’s most distinctive feature is its ability to modify installed cryptocurrency wallet applications. SHub Stealer targets five popular desktop applications built using the Electron framework: Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, and Trezor Suite. The malware silently replaces critical application files with modified versions that continue to function normally while secretly transmitting sensitive data to the attacker.

For Exodus and Atomic Wallet, the malware sends the user’s wallet password and seed phrase to the endpoint wallets-gate[.]io/api/injection each time the wallet is unlocked. For Ledger Wallet and Ledger Live, SHub disables TLS validation at startup and presents a fake recovery interface that prompts the user to enter their seed phrase. The information is then transmitted to the same attacker-controlled endpoint.

Maintenance of Long-term Access

To maintain long-term access to the compromised system, SHub installs a background task disguised as a legitimate Google component. The malware creates a file named com.google.keystone.agent.plist in the directory ~/Library/LaunchAgents/, impersonating Google’s Keystone updater. The task runs every sixty seconds, allowing the attacker to execute remote commands on the infected machine.

Researchers recommend that users who executed the malicious command inspect their systems for the LaunchAgent file and remove suspicious components. Users who had cryptocurrency wallets installed at the time of infection should treat their recovery seed phrases as compromised and transfer funds to a new wallet created on a clean device.
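A defender-side check for the persistence described above, written here as an added example (it is not code from the article or from any vendor): it parses a LaunchAgent plist with Python's standard plistlib and flags an agent carrying the Keystone label whose program does not live under the expected Google updater path, a program that is a shell or download tool, and an aggressive StartInterval. The expected Keystone path, the suspect-binary list and the sample plist are assumptions constructed for this example.

```python
import plistlib
from pathlib import Path

# Interpreters and download tools that a legitimate updater agent should not launch directly.
SUSPECT_BINARIES = {"sh", "bash", "zsh", "osascript", "curl", "python3", "perl"}
# Where the genuine Keystone agent binary lives (assumption used for this check).
EXPECTED_KEYSTONE_PATH = "/Library/Google/GoogleSoftwareUpdate/"

def inspect_launch_agent(plist_bytes: bytes) -> dict:
    """Parse one LaunchAgent plist and return its key fields plus a list of findings."""
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    interval = plist.get("StartInterval")
    label = plist.get("Label", "")
    findings = []
    if label.startswith("com.google.keystone") and EXPECTED_KEYSTONE_PATH not in program:
        findings.append("Keystone label but program is outside the Google updater directory")
    if Path(program).name in SUSPECT_BINARIES:
        findings.append(f"program is an interpreter or download tool: {program}")
    if interval is not None and interval <= 60:
        findings.append(f"StartInterval of {interval}s is unusually aggressive for an updater")
    return {"label": label, "program": program, "args": args,
            "interval": interval, "findings": findings}

def scan_launch_agents(directory=Path.home() / "Library" / "LaunchAgents") -> dict:
    """Inspect every plist in a LaunchAgents directory; unparsable files are reported, not skipped."""
    results = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            results[path.name] = inspect_launch_agent(path.read_bytes())
        except Exception as exc:  # a malformed or garbled plist is itself worth a look
            results[path.name] = {"error": str(exc), "findings": ["could not parse plist"]}
    return results

# Constructed sample modelled on the persistence the article describes; not a captured file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>-c</string><string>/tmp/.hidden/agent.sh</string></array>
  <key>StartInterval</key><integer>60</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print("sample:", inspect_launch_agent(SAMPLE_PLIST)["findings"])
    for name, report in scan_launch_agents().items():
        if report["findings"]:
            print(name, report["findings"])
```

Run on a Mac it lists only agents with findings; a genuine Keystone agent that points into the Google updater directory and uses a normal interval produces none.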
