Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets
A deceptive website impersonating CleanMyMac tricks users into installing SHub Stealer, a sophisticated macOS malware. The malware steals sensitive data, including passwords, browser data, cryptocurrency wallets, and Telegram sessions. It can also modify wallet apps to steal recovery phrases. The attack begins with users pasting a command into Terminal, which downloads and executes a malicious script. The malware performs extensive data collection from various browsers and wallet applications, and installs persistent backdoors in certain crypto wallet apps. SHub Stealer is part of a growing family of AppleScript-based macOS infostealers, demonstrating increasing sophistication in targeting Mac users.
AI Analysis
Technical Summary
The SHub Stealer malware campaign leverages a deceptive website impersonating the legitimate CleanMyMac software to lure macOS users into executing a malicious AppleScript payload. The infection vector involves social engineering where users are convinced to paste a command into the macOS Terminal, which downloads and runs a malicious script hosted on attacker-controlled domains such as cleanmymacos.org and res2erch-sl0ut.com. Once executed, SHub Stealer performs extensive data theft operations targeting stored passwords, browser data, Telegram session information, and critically, cryptocurrency wallets. The malware is capable of modifying wallet applications to extract recovery phrases, enabling attackers to gain full control over victims' crypto assets. It also installs persistent backdoors in certain wallet apps, allowing ongoing unauthorized access. The malware uses AppleScript, a scripting language native to macOS, to evade detection and maintain persistence. Techniques observed include credential dumping, browser data exfiltration, process injection, and command and control communications over HTTP. The campaign reflects a growing trend of macOS-targeted infostealers that exploit user trust and social engineering rather than software vulnerabilities. Indicators of compromise include specific malicious URLs and domains associated with payload delivery and C2 infrastructure. Although no CVE or known exploits in the wild are reported, the malware’s capabilities pose a serious threat to users with cryptocurrency holdings and sensitive personal data on macOS systems.
Potential Impact
The SHub Stealer malware can severely compromise the confidentiality and integrity of sensitive user data on macOS systems. By stealing passwords, browser data, Telegram sessions, and especially cryptocurrency wallet information including recovery phrases, it enables attackers to conduct financial theft and identity compromise. The modification and backdooring of wallet applications can lead to persistent unauthorized access and repeated theft of crypto assets. Organizations with employees using macOS devices for cryptocurrency management or sensitive communications risk data breaches and financial losses. The attack requires user interaction, limiting mass exploitation, but targeted users or organizations with lax security awareness are at high risk. The malware’s ability to evade detection through AppleScript and persistence mechanisms complicates incident response and remediation. The overall impact includes potential financial loss, reputational damage, and operational disruption for affected individuals and organizations.
Mitigation Recommendations
Organizations and users should avoid downloading software from unofficial or suspicious websites, especially for popular utilities like CleanMyMac. Security awareness training should emphasize the risks of executing unverified commands in Terminal and the dangers of social engineering. Deploy endpoint protection solutions capable of detecting malicious AppleScript behavior and monitor for unusual script executions. Implement application whitelisting to restrict execution of unauthorized scripts and binaries. Regularly back up critical data and securely store cryptocurrency wallet recovery phrases offline. Use hardware wallets or multi-factor authentication for crypto assets to reduce risk from software-based theft. Monitor network traffic for connections to known malicious domains such as cleanmymacos.org, res2erch-sl0ut.com, and wallets-gate.io. Incident response plans should include procedures for detecting and removing AppleScript-based malware and remediating compromised wallets. Encourage users to verify software authenticity through official vendor channels and avoid pasting commands from untrusted sources.
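As an added illustration of the network-monitoring recommendation above (this is example code written for this page, not code from Malwarebytes, AlienVault or the OffSeq platform), the script below checks constructed proxy log lines against the IoC domains and URLs listed on this page. The four-field log format and the sample lines are assumptions; the only real values are the indicators themselves.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as listed in this page's Indicators of Compromise section.
IOC_DOMAINS = ["cleanmymacos.org", "res2erch-sl0ut.com", "wallets-gate.io"]
IOC_URLS = [
    "http://res2erch-sl0ut.com/debug/payload.applescript",
    "http://res2erch-sl0ut.com/gate",
    "http://wallets-gate.io/api/injection",
]

# Constructed sample proxy log (hypothetical format: timestamp client method url).
SAMPLE_LOG = """\
2026-03-09T10:31:02Z 10.1.4.22 GET https://www.apple.com/macos/
2026-03-09T10:31:40Z 10.1.4.22 GET http://res2erch-sl0ut.com/debug/payload.applescript
2026-03-09T10:32:05Z 10.1.4.22 POST http://res2erch-sl0ut.com:80/gate
2026-03-09T10:32:09Z 10.1.4.22 POST http://cdn.wallets-gate.io/api/injection
2026-03-09T10:33:00Z 10.1.4.31 GET https://macpaw.com/cleanmymac
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def canonical(url):
    """Reduce a URL to (lowercase host, path) so a :80 port or mixed case
    does not hide a match against a listed IoC URL."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


IOC_URL_KEYS = {canonical(u) for u in IOC_URLS}


def matches_domain(host, ioc_domain):
    """True when host is the IoC domain itself or a subdomain of it
    (so 'wallets-gate.io.example' does not match)."""
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_log(text):
    """Return (timestamp, client, url, indicator) for every line that touches an IoC.
    A URL indicator takes precedence over a bare domain indicator for the same line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        ts, client, _method, url = m.groups()
        host, path = canonical(url)
        if (host, path) in IOC_URL_KEYS:
            hits.append((ts, client, url, "url:" + host + path))
            continue
        for d in IOC_DOMAINS:
            if matches_domain(host, d):
                hits.append((ts, client, url, "domain:" + d))
                break
    return hits
```

Each hit names the client that reached the indicator, which is the host to isolate and check for the AppleScript payload and modified wallet apps described above.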
Affected Countries
United States, Canada, United Kingdom, Germany, Australia, Japan, South Korea, Singapore, France, Netherlands
Indicators of Compromise
- url: http://res2erch-sl0ut.com/debug/payload.applescript
- url: http://res2erch-sl0ut.com/gate
- url: http://wallets-gate.io/api/injection
- domain: cleanmymacos.org
- domain: res2erch-sl0ut.com
- domain: wallets-gate.io
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets
- Adversary: null
- Pulse Id: 69ae9dcd62b1927161472bf9
- Threat Score: null
Threat ID: 69aea2c22904315ca3f9aacb
Added to database: 3/9/2026, 10:36:50 AM
Last enriched: 3/9/2026, 10:52:15 AM
Last updated: 3/13/2026, 5:07:13 AM