Malwarebytes reports a convincing fake CleanMyMac site that installs SHub Stealer on macOS by instructing victims to paste a command into Terminal, after which a shell script is downloaded and executed.
The malware targets credential data and cryptocurrency wallets, harvesting from 14 Chromium-based browsers, 23 wallet apps, and various system data including the macOS Keychain and Telegram sessions, with the collected information uploaded to the C2 server at res2erch-sl0ut[.]com and linked to a build hash for campaign tracking.
It also backdoors five wallet apps—Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, and Trezor Suite—by replacing core application logic and exfiltrating seeds and passwords through a common endpoint, wallets-gate[.]io/api/injection. A geofencing check looks for a Russian-language keyboard layout so that CIS-region machines are skipped; if the check passes, the malware sends a machine profile to the attacker and continues.
The operation persists via a LaunchAgent disguised as Google’s Keystone updater, periodically executing a hidden script that can receive remote commands, while presenting a fake System Preferences prompt to harvest passwords.
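The persistence mechanism described above (a LaunchAgent posing as Google's Keystone updater that periodically runs a hidden script) is something defenders can triage from the plist alone. The following is an added detection example, not code from the Malwarebytes report or from the malware: it parses LaunchAgent plists and flags the traits a Keystone impostor would show. The sample plists are constructed, and the label text, the Google directory markers and the interval threshold are assumptions to tune for your own fleet, not indicators taken from the report.

```python
"""Triage macOS LaunchAgent plists for Keystone-impersonation persistence.

Added example with constructed sample data. The label strings, directory
markers and thresholds are assumptions, not indicators from the report.
"""
import glob
import os
import plistlib
from pathlib import PurePosixPath

# Assumption: interpreters a signed updater would not be launched through.
SHELL_INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3"}
# Assumption: the genuine Google updater lives under a Google-owned directory.
GOOGLE_DIR_MARKERS = ("/Library/Google/", "/GoogleSoftwareUpdate")
# Assumption: anything polling more often than this deserves a look.
MIN_SANE_INTERVAL = 300  # seconds


def assess_launch_agent(raw: bytes) -> list[str]:
    """Return a list of suspicious traits found in one LaunchAgent plist."""
    plist = plistlib.loads(raw)
    label = str(plist.get("Label", "")).lower()
    args = list(plist.get("ProgramArguments") or [])
    prog = plist.get("Program") or (args[0] if args else "")
    candidates = [prog, *args]
    findings = []

    # Trait 1: the label borrows Google's name but the program is elsewhere.
    claims_google = "keystone" in label or "google" in label
    paths = [a for a in candidates if a.startswith(("/", "~"))]
    under_google = bool(paths) and all(
        any(m in p for m in GOOGLE_DIR_MARKERS) for p in paths
    )
    if claims_google and not under_google:
        findings.append("label claims Google/Keystone but program is outside a Google directory")

    # Trait 2: the agent runs a shell interpreter instead of a signed binary.
    if PurePosixPath(prog).name in SHELL_INTERPRETERS:
        findings.append("agent launches a shell interpreter rather than a signed binary")

    # Trait 3: any argument points at a hidden (dot-prefixed) file or folder.
    for a in candidates:
        parts = PurePosixPath(a).parts
        if any(p.startswith(".") and p not in (".", "..") for p in parts):
            findings.append(f"hidden (dot-prefixed) path component in {a}")
            break

    # Trait 4: an unusually tight polling interval.
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and 0 < interval < MIN_SANE_INTERVAL:
        findings.append(f"StartInterval {interval}s is unusually frequent")
    return findings


def scan_launch_agents(directory: str = "~/Library/LaunchAgents") -> dict[str, list[str]]:
    """Assess every plist in a LaunchAgents folder; returns {path: findings}."""
    results = {}
    for path in glob.glob(os.path.join(os.path.expanduser(directory), "*.plist")):
        with open(path, "rb") as fh:
            results[path] = assess_launch_agent(fh.read())
    return results


# Constructed sample: what a real Keystone agent plist roughly looks like.
LEGIT_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.google.keystone.agent</string>
<key>ProgramArguments</key><array>
<string>/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
<string>-runMode</string><string>ifneeded</string>
</array>
<key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

# Constructed sample: an impostor (label, paths and interval are made up).
IMPOSTOR_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.google.keystone.agent.update</string>
<key>ProgramArguments</key><array>
<string>/bin/bash</string>
<string>/Users/victim/Library/Application Support/.keystone/.update.sh</string>
</array>
<key>StartInterval</key><integer>60</integer>
</dict></plist>"""

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT_SAMPLE), ("impostor", IMPOSTOR_SAMPLE)):
        print(name, assess_launch_agent(sample))
    for path, findings in scan_launch_agents().items():
        if findings:
            print(path, findings)
```

Run it as a script to see the two constructed samples scored and then your own `~/Library/LaunchAgents` folder triaged; anything flagged is a lead for manual review (check code signing of the program and read the script it runs), not a verdict on its own.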