NEWS They wanted to clean their Mac, but ended up cleaning their crypto wallet. The story of why a free service costs more than a new laptop.

pinkman

Sometimes a flawless façade hides total collapse behind it.
Attackers have launched a new campaign against Mac users, disguising their malware as a download of the popular CleanMyMac utility. The attack goes after both money and personal data: once installed, the stealer harvests passwords, browser contents, crypto wallets and messaging-app sessions, then establishes persistence so the operators can keep controlling the machine.

The campaign was reported by the Malwarebytes Labs team. According to the company, the scammers built a near-perfect copy of the CleanMyMac website that has no connection to MacPaw, the developer of the legitimate program. To drive traffic to it, the criminals are most likely buying search ads aimed at people looking for a macOS cleaning utility.

The scheme relies not on a vulnerability but on social engineering. The visitor is told to open Terminal and paste a command that is supposedly needed for installation. When run, the command silently fetches the SHub stealer from the operators' server. This sidesteps macOS's built-in protections: Gatekeeper and the quarantine checks apply to files downloaded through a browser and opened from Finder, whereas a payload pulled down and executed from Terminal never goes through them, and the user has authorised the action themselves.

To keep up the disguise, the script prints a reassuring message about connecting to a MacPaw resource, while the real download address is stored in encrypted form. Once launched, the downloader sends system information and an infection ID to the command-and-control server. Malwarebytes researchers also found a "PAds" tag in the code, which may indicate that paid ads are being used to drive victims to the fake site.

During installation, SHub prompts for the user's account password. With it in hand, the malware harvests data from the macOS Keychain, Chromium-based browsers and Safari, and looks for crypto wallet browser extensions. At risk are saved passwords, cookies, autofill data, Wi-Fi keys, app tokens, iCloud account details, Apple Notes databases and Telegram session files.

The attack does not stop at data theft. SHub leaves a backdoor on the system, replaces one of the installed crypto wallet applications with a trojanised copy, and installs a LaunchAgent disguised as a Google update service. That persistence lets the operators run commands on the infected Mac until the agent and its traces are found and removed.

Malwarebytes advises never running commands copied from the internet without fully understanding what they do, and downloading software only from the App Store or the developer's official website. Anyone who has already run the command should, from a clean device, immediately move funds to new wallets, change passwords, revoke sensitive tokens, and check the Mac for persistence mechanisms.
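As an added worked example (not code from Malwarebytes, MacPaw or the report), the script below does the "check the Mac for persistence mechanisms" step for the LaunchAgent trick described two paragraphs up: it parses each plist in the user and system LaunchAgents folders and flags agents whose label impersonates Google but whose program does not live under Google's own install tree, agents that start a shell or other interpreter, agents that point into temporary staging directories, and agents whose argument string downloads or decodes code at launch. The Keystone install path under ~/Library/Google/, the interpreter and staging-directory lists, the download markers, and both sample plists are assumptions constructed for the example, not indicators from the campaign.

```python
from __future__ import annotations

import plistlib
from pathlib import Path
from typing import Iterable
from xml.parsers.expat import ExpatError

# Assumptions (not from the report): where a genuine Google updater agent
# executes from (Keystone's install tree), which binaries are interpreters
# rather than apps, and which directories are typical payload staging areas.
GOOGLE_PATH_HINTS = ("/Library/Google/", "/Applications/Google ")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl", "curl"}
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
DOWNLOAD_MARKERS = ("curl ", "wget ", "base64", "| sh", "| bash", "eval ")


def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means nothing odd."""
    findings: list[str] = []
    try:
        agent = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        return ["plist does not parse"]

    label = str(agent.get("Label", "")).lower()
    args = agent.get("ProgramArguments")
    if not args and "Program" in agent:
        args = [agent["Program"]]
    args = [str(a) for a in (args or [])]
    if not args:
        return ["no Program or ProgramArguments"]

    exe = args[0]
    exe_name = Path(exe).name.lower()

    # Vendor impersonation: a "google" label whose program is outside Google's tree.
    if "google" in label and not any(h in exe for h in GOOGLE_PATH_HINTS):
        findings.append(f"label {label!r} claims Google but runs {exe}")

    # An agent that starts an interpreter keeps the real payload in its
    # argument string rather than in a signed application bundle.
    if exe_name in INTERPRETERS:
        findings.append(f"runs interpreter {exe_name} with args {args[1:]}")

    joined = " ".join(args)
    if any(d in joined for d in STAGING_DIRS):
        findings.append("references a temporary/staging directory")
    if any(m in joined for m in DOWNLOAD_MARKERS):
        findings.append("argument string downloads or decodes code at launch")
    return findings


def scan_launch_agents(plists: Iterable[tuple[str, bytes]]) -> dict[str, list[str]]:
    """Audit (name, plist bytes) pairs and keep only the entries with findings."""
    report = {name: audit_launch_agent(data) for name, data in plists}
    return {name: f for name, f in report.items() if f}


def read_launch_agent_dirs() -> list[tuple[str, bytes]]:
    """Collect the per-user and system LaunchAgent plists from a live Mac."""
    dirs = [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")]
    return [(str(p), p.read_bytes()) for d in dirs if d.is_dir()
            for p in sorted(d.glob("*.plist"))]


# Constructed samples (not real artefacts from the campaign) to exercise the checks.
BENIGN_SAMPLE = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": [
        "/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle"
        "/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS"
        "/GoogleSoftwareUpdateAgent",
        "-runMode", "ifneeded",
    ],
    "RunAtLoad": True,
})
SUSPECT_SAMPLE = plistlib.dumps({
    "Label": "com.google.update",
    "ProgramArguments": ["/bin/sh", "-c", "/tmp/.gupdate/agent"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    samples = [("benign.plist", BENIGN_SAMPLE), ("suspect.plist", SUSPECT_SAMPLE)]
    for name, findings in scan_launch_agents(samples + read_launch_agent_dirs()).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run it as the affected user; the constructed suspect sample trips three checks (impersonated label, interpreter launch, staging directory) while the Keystone-like sample passes clean. A hit is a lead, not a verdict: confirm by inspecting the program the agent points at and its code signature, then unload and delete the plist before changing passwords, or the backdoor simply watches the new ones being typed.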