Mac users are the target of a convincing new “brand impersonation” campaign that turns the popular utility CleanMyMac into a lure for devastating data theft. A malicious website—cleanmymacos[.]org—has been discovered mimicking the legitimate product page to trick visitors into manually installing a potent new strain of malware known as SHub Stealer.
Unlike traditional malware that relies on software vulnerabilities, this campaign uses a social engineering technique called ClickFix. The site presents users with what looks like an “Official Silent Install” option, instructing them to copy and paste a command directly into their Mac’s Terminal.
By doing so, the user inadvertently bypasses macOS’s built-in protections like Gatekeeper and XProtect. As the report warns: “Legitimate apps almost never require you to paste commands into Terminal to install them. If a website tells you to do this, treat it as a major red flag”.
Once the command is executed, a multi-stage attack begins:
- The malware first checks for a Russian-language keyboard. If found, it exits immediately to avoid attracting attention from law enforcement in CIS countries.
- The loader downloads an AppleScript payload that triggers a fake system prompt. The window mimics “System Preferences” and asks for a password to “continue”.
- If the user complies, the malware gains the “master key” needed to unlock the macOS Keychain, exposing saved Wi-Fi credentials, app tokens, and private keys.
With the system password in hand, SHub Stealer performs a “systematic sweep” of the machine. The targeting is extensive:
- Browsers: It steals saved passwords, cookies, and autofill data from 14 Chromium-based browsers and Firefox.
- Crypto Wallets: The malware scans for 102 different browser extensions and 23 desktop wallet applications, including MetaMask, Exodus, and Ledger Live.
- Developer Assets: It even copies .zsh_history and .gitconfig files, which often contain sensitive API keys.
What sets SHub Stealer apart is its ability to keep stealing long after the initial infection. If it finds certain wallet apps like Exodus, Atomic Wallet, or Trezor Suite, it silently replaces their core logic files with backdoored versions. These modified apps are designed to “silently send the user’s password and seed phrase” to the attacker every time the wallet is unlocked.
To ensure it survives a reboot, SHub installs a background task disguised as a Google update service. This gives attackers “the ability to run commands on the infected Mac at any time” until the persistence mechanism is removed.
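As an added example, not taken from the report or from any SHub Stealer sample, the following Python script triages macOS LaunchAgent/LaunchDaemon property lists for a persistence item that borrows a Google-update name, the disguise described above. The label patterns, the trusted Google install paths and the two sample plists are assumptions constructed for this example; the page gives no actual label or path used by SHub.

```python
import plistlib
import re

# Assumed heuristics: genuine Google updater binaries live under these prefixes,
# and a real update agent is a signed binary, never a shell interpreter.
TRUSTED_GOOGLE_PREFIXES = ("/Library/Google/", "/Applications/Google Chrome.app/")
SCRIPT_INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3"}

def triage_launch_item(path, plist_bytes):
    """Return the reasons a LaunchAgent/LaunchDaemon plist looks like a disguised persistence task."""
    try:
        item = plistlib.loads(plist_bytes)
    except Exception:  # neither binary nor XML plist parsed; a malformed item is itself worth a look
        return [f"{path}: unparseable plist"]
    label = str(item.get("Label", ""))
    args = list(item.get("ProgramArguments") or ([item["Program"]] if "Program" in item else []))
    program = args[0] if args else ""
    reasons = []
    # A label borrowing Google's or an updater's name must point into Google's own install tree.
    if re.search(r"google|keystone|update", label, re.I) and not program.startswith(TRUSTED_GOOGLE_PREFIXES):
        reasons.append(f"label '{label}' claims an updater but runs {program!r}")
    if program in SCRIPT_INTERPRETERS:
        reasons.append(f"runs a script via {program}: {' '.join(args[1:])[:80]}")
    # Payloads dropped by a pasted Terminal one-liner tend to sit in temp or dot-directories.
    if re.search(r"/tmp/|/var/folders/|/\.[^/]+/", " ".join(args)):
        reasons.append("program or argument lives in a temp or hidden directory")
    if item.get("RunAtLoad") and item.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: relaunches at login and whenever it is killed")
    return reasons

def triage_all(items):
    """Map each plist path (str) to its findings, keeping only items that were flagged."""
    return {p: r for p, d in items.items() if (r := triage_launch_item(p, d))}

# Constructed sample input (not real SHub indicators): one genuine-looking Keystone agent
# and one fake "Google update" item that runs a script from a hidden directory.
SAMPLE_ITEMS = {
    "/Library/LaunchAgents/com.google.keystone.agent.plist": plistlib.dumps({
        "Label": "com.google.keystone.agent",
        "ProgramArguments": ["/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksagent"],
        "RunAtLoad": True,
    }),
    "/Users/alice/Library/LaunchAgents/com.google.update.plist": plistlib.dumps({
        "Label": "com.google.update",
        "ProgramArguments": ["/bin/bash", "-c", "/Users/alice/Library/.cache/update -s"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
}
```

On a real Mac you would feed it the plists from /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents, then inspect any flagged program with `codesign -dv` before deciding whether to unload and delete it.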
To stay safe, always download software exclusively from the official developer’s website or the Mac App Store.