Threat actors are impersonating the popular macOS utility CleanMyMac to distribute SHub Stealer, using the lookalike domain cleanmymacos[.]org to lure users into executing malware. The campaign uses the ClickFix technique, which socially engineers victims into opening Terminal and pasting a command that appears legitimate but ultimately downloads and runs a malicious script; because the user initiates execution, common macOS protections such as Gatekeeper, XProtect, and notarization checks may be bypassed.
Post-infection, SHub Stealer targets high-value data including saved credentials, cookies and autofill data from Safari and numerous Chromium-based browsers, Apple/iCloud artifacts (including Keychain-related data), Telegram session files, Apple Notes data, and a wide range of cryptocurrency wallet extensions. Reporting attributes additional capabilities to SHub beyond basic credential theft, including per-victim tracking, geofencing logic that exits when a Russian-language keyboard is detected (a common CIS-avoidance behavior), and persistence mechanisms such as replacing a crypto wallet app with a trojanized copy and installing a Google Update service–spoofing LaunchAgent to maintain long-term access.

Malwarebytes' analysis revealed that SHub Stealer steals browser credentials, cookies, autofill data, Keychain and iCloud-related data, Telegram session files, Apple Notes data, and cryptocurrency wallet information. The report also described geofencing and CIS-avoidance checks, C2 communications, persistence via a fake Google Keystone LaunchAgent, and trojanization of wallet applications such as Exodus, Atomic Wallet, Ledger Live, and Trezor Suite.
Threat actors set up the spoofed domain cleanmymacos[.]org to impersonate the CleanMyMac utility site and deliver the SHub Stealer macOS malware to visitors. The campaign used a ClickFix-style social engineering lure to convince users to open Terminal and execute a malicious command themselves.
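The persistence mechanism named in both the summary and the Malwarebytes timeline entry, a LaunchAgent posing as the Google Update / Keystone service, is something a defender can audit across a fleet by comparing each Google-looking agent's label against what it actually launches. The script below is an added example written for this page, not code from Malwarebytes, Mallory, or the SHub operators. The Keystone bundle path it treats as legitimate, the interpreter and scratch-directory heuristics, the hypothetical label `com.google.update.agent`, and both sample plists are assumptions or constructed data; tune them to your own baseline before relying on the output.

```python
"""Audit macOS LaunchAgent plists for entries that imitate Google Keystone / Google Update."""
import plistlib
import re
import tempfile
from pathlib import Path

# Assumption: the genuine Google Keystone agent runs a binary inside this bundle directory.
# Treat it as an illustrative allowlist to be replaced with your fleet's measured baseline.
LEGIT_KEYSTONE_DIR = "/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/"
GOOGLE_LIKE_LABEL = re.compile(r"google|keystone|gupdate", re.IGNORECASE)
# A real updater agent has no business being launched as a shell or script interpreter ...
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl", "curl"}
# ... nor pointing at scratch locations that survive a ClickFix-style Terminal paste.
SCRATCH_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def load_plist(raw: bytes) -> dict:
    """Parse an XML or binary LaunchAgent plist; plistlib detects the format itself."""
    return plistlib.loads(raw)


def program_path(agent: dict) -> str:
    """Return what launchd will execute: Program takes precedence, else ProgramArguments[0]."""
    if agent.get("Program"):
        return str(agent["Program"])
    args = agent.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess_agent(agent: dict) -> list:
    """Return the reasons an agent looks like a Google Update-spoofing persistence entry.

    Only agents whose Label resembles Google/Keystone are in scope; an empty list means
    the agent either is out of scope or matches the expected Keystone layout.
    """
    reasons = []
    label = str(agent.get("Label", ""))
    if not GOOGLE_LIKE_LABEL.search(label):
        return reasons
    prog = program_path(agent)
    args = [str(a) for a in agent.get("ProgramArguments") or []]
    if LEGIT_KEYSTONE_DIR not in prog:
        reasons.append(f"label {label!r} but program outside the Keystone bundle: {prog!r}")
    if Path(prog).name in INTERPRETERS:
        reasons.append(f"launches interpreter {Path(prog).name!r} instead of an updater binary")
    if any(d in a for a in args for d in SCRATCH_DIRS):
        reasons.append("arguments reference a temp/scratch directory")
    # RunAtLoad + KeepAlive is normal for some agents; it only raises severity once
    # another finding already marks the entry as a look-alike.
    if reasons and agent.get("RunAtLoad") and agent.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive: launchd restarts it continuously")
    return reasons


def audit_directory(directory: Path) -> dict:
    """Audit every .plist in a LaunchAgents directory; returns {filename: reasons} for hits."""
    findings = {}
    for plist in sorted(directory.glob("*.plist")):
        try:
            reasons = assess_agent(load_plist(plist.read_bytes()))
        except Exception as exc:  # malformed plists are themselves worth a look
            reasons = [f"unparseable plist: {exc}"]
        if reasons:
            findings[plist.name] = reasons
    return findings


# Constructed sample plists for an offline run; neither is a real artifact from the campaign.
GENUINE_KEYSTONE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.google.keystone.agent</string>
<key>ProgramArguments</key><array>
<string>/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
<string>-runMode</string><string>ifneeded</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

SPOOFED_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.google.update.agent</string>
<key>ProgramArguments</key><array>
<string>/bin/zsh</string><string>-c</string>
<string>/Users/Shared/.gupdate/update.sh</string>
</array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""


def demo() -> dict:
    """Write both constructed samples into a temporary LaunchAgents dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "com.google.keystone.agent.plist").write_bytes(GENUINE_KEYSTONE)
        (d / "com.google.update.agent.plist").write_bytes(SPOOFED_AGENT)
        return audit_directory(d)


if __name__ == "__main__":
    # On a live host, point audit_directory at ~/Library/LaunchAgents and /Library/LaunchAgents.
    for name, hits in demo().items():
        print(name)
        for reason in hits:
            print("  -", reason)
```

Run it as-is for the constructed demo, or call `audit_directory(Path.home() / "Library/LaunchAgents")` on a host you administer. The check is deliberately narrow (Google-looking labels only) so that it complements, rather than replaces, a full LaunchAgent inventory; broadening `GOOGLE_LIKE_LABEL` to other commonly spoofed vendors is the obvious next step.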