A fake CleanMyMac website tricks macOS users into pasting a Terminal command that downloads and executes a loader which installs SHub Stealer to harvest passwords, Keychain contents, browser data, cryptocurrency wallets, and Telegram sessions. The malware also backdoors Electron-based wallet apps (Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, Trezor Suite), installs a persistent LaunchAgent that mimics Google Keystone, and exfiltrates data to res2erch-sl0ut[.]com and wallets-gate[.]io #SHubStealer #CleanMyMac
Keypoints
- The phishing site cleanmymacos[.]org impersonates the legitimate CleanMyMac page and instructs users to paste a Terminal command that executes a malicious payload.
- The initial command prints a fake reference, decodes a hidden URL, then downloads and pipes a shell script into zsh for immediate execution (ClickFix delivery).
- A loader performs geofencing (checks for Russian keyboard locale), reports system profile and a unique 32-character build hash to res2erch-sl0ut[.]com, and then retrieves the main AppleScript payload.
- The AppleScript shows a fake System Preferences password prompt to capture the macOS login password, then harvests Keychain, browser profiles (14 Chromium browsers + Firefox), Telegram sessions, wallet folders, Notes, shell histories, and more.
- SHub can silently replace Electron apps’ app.asar (confirmed for Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, and Trezor Suite), disable TLS or add network allowlist bypasses, and exfiltrate credentials to wallets-gate[.]io/api/injection.
- Persistence is achieved via a LaunchAgent named to mimic Google Keystone (~/Library/LaunchAgents/com.google.keystone.agent.plist) that runs a hidden updater script every 60 seconds to receive remote commands.
MITRE Techniques
- [T1204] User Execution – The campaign relies on convincing users to run a Terminal command themselves, bypassing many macOS protections (‘the page instructs them to open Terminal, paste a command, and press Return.’)
- [T1059] Command and Scripting Interpreter – Attackers download a shell script and pipe it into zsh, and use AppleScript to automate UI prompts and data collection (‘downloads a shell script from the attacker’s server and pipes it directly into zsh for immediate execution.’ and ‘the main payload: an AppleScript hosted at …/payload.applescript.’)
- [T1547.001] Boot or Logon Autostart Execution (Launch Agent) – Persistence is achieved by installing ~/Library/LaunchAgents/com.google.keystone.agent.plist to run every 60 seconds and launch a hidden updater script (‘~/Library/LaunchAgents/com.google.keystone.agent.plist … The task runs every sixty seconds.’)
- [T1071.001] Application Layer Protocol: Web Protocols – Collected data and telemetry are uploaded and commands are received via web endpoints on attacker-controlled domains (e.g., res2erch-sl0ut[.]com and wallets-gate[.]io) (‘uploaded to res2erch-sl0ut[.]com/gate’ and ‘wallets-gate[.]io/api/injection’).
- [T1005] Data from Local System – The malware systematically collects local files including Keychain, browser profiles, wallet directories, Notes, and Telegram session files for exfiltration (‘captures the macOS Keychain directory, iCloud account data, Safari cookies and browsing data, Apple Notes databases, and Telegram session files’).
- [T1555] Credentials from Password Stores – SHub harvests saved passwords from browsers and the macOS Keychain and also prompts the user for the login password with a fake dialog to unlock Keychain contents (‘Required Application Helper. Please enter password for continue.’)
- [T1036] Masquerading – The persistence files are named and placed to mimic Google’s Keystone updater to evade detection (‘com.google.keystone.agent.plist … chosen to mimic Google’s legitimate Keystone updater.’)
Indicators of Compromise
- [Domain] phishing and command/control – cleanmymacos[.]org (phishing site impersonating CleanMyMac), res2erch-sl0ut[.]com (primary C2 and payload delivery), and wallets-gate[.]io (wallet backdoor exfiltration).
- [Domain Endpoint] data exfiltration and injection endpoints – res2erch-sl0ut[.]com/gate (archive upload/telemetry), wallets-gate[.]io/api/injection (wallet backdoor exfiltration).
- [File / LaunchAgent] persistence – ~/Library/LaunchAgents/com.google.keystone.agent.plist (LaunchAgent mimicking Google Keystone), ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate (hidden updater script).
- [File Path / Temp] staging and payloads – /tmp/shub_4823917/ (temporary collection folder example), /debug/payload.applescript (AppleScript payload hosted on C2).
- [Files] targeted or modified application files – app.asar (modified Electron app core in targeted wallets), and modified wallet applications such as Exodus, Atomic Wallet, Ledger Wallet (names indicate targeted apps rather than file hashes).
- [Local Files] credential and developer artifacts – .zsh_history, .bash_history (shell histories that may contain API keys), and .gitconfig (may contain tokens or credentials).
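A triage script for the persistence mechanism described in the keypoints and listed under the LaunchAgent IoC above, added here as an example and not taken from the report: it parses LaunchAgent plists and flags any agent that launches the hidden GoogleUpdate script, reporting the Keystone-mimicking label, the 60-second StartInterval and RunAtLoad as supporting findings. The two sample plists are constructed for illustration, not captured files.

```python
import plistlib
from pathlib import Path

# Indicators from the report; the legitimate Keystone agent does not use this path.
SUSPECT_LABEL = "com.google.keystone.agent"
HIDDEN_UPDATER = "Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate"


def triage_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means no IoC matched."""
    data = plistlib.loads(plist_bytes)
    label = str(data.get("Label", ""))
    program = data.get("Program")
    args = data.get("ProgramArguments") or []
    paths = [p for p in [program, *args] if isinstance(p, str)]
    if not any(HIDDEN_UPDATER in p for p in paths):
        return []  # the agent does not launch the hidden updater script
    findings = [f"agent '{label}' launches the hidden GoogleUpdate script: {paths[-1]}"]
    if label == SUSPECT_LABEL:
        findings.append("label masquerades as Google Keystone")
    interval = data.get("StartInterval")
    if isinstance(interval, int) and interval <= 60:
        findings.append(f"StartInterval={interval}s polling for remote commands")
    if data.get("RunAtLoad") is True:
        findings.append("RunAtLoad=true: also starts at every login")
    return findings


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Triage every .plist in a LaunchAgents folder; keys are file names with findings."""
    results = {}
    for plist in sorted(directory.glob("*.plist")):
        try:
            findings = triage_launch_agent(plist.read_bytes())
        except (plistlib.InvalidFileException, ValueError) as exc:
            findings = [f"unparseable plist: {exc}"]
        if findings:
            results[plist.name] = findings
    return results


# Constructed sample shaped like the reported persistence entry (not a captured file).
SAMPLE_MALICIOUS = plistlib.dumps({
    "Label": SUSPECT_LABEL, "StartInterval": 60, "RunAtLoad": True,
    "ProgramArguments": ["/bin/zsh", "/Users/victim/Library/" + HIDDEN_UPDATER],
})
# Constructed benign agent for comparison.
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.backup", "ProgramArguments": ["/usr/local/bin/backup"],
    "StartCalendarInterval": {"Hour": 3, "Minute": 0},
})
```

Run `scan_launch_agents(Path.home() / "Library" / "LaunchAgents")` on a suspect Mac to triage the user's agents; a hit on the hidden updater path is the decisive finding, the label and interval are corroboration.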