{ "Event": { "analysis": "1", "date": "2026-03-06", "extends_uuid": "", "info": "[Threat Intel] Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets", "protected": false, "publish_timestamp": "1773997287", "published": true, "threat_level_id": "3", "timestamp": "1773997287", "uuid": "20a41e2b-1350-4c01-85f4-40c7abb895d7", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#0cb256", "local": false, "name": "misp-galaxy:producer=\"Malwarebytes\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#bb2745", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"", "relationship_type": "" }, { "colour": "#1b0fe1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Masquerade Task or Service - T1036.004\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#36a9d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"", "relationship_type": "" }, { "colour": "#4985d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"", "relationship_type": "" }, { "colour": "#72ee33", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"", "relationship_type": "" }, { "colour": "#aa1f95", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Staged - T1074\"", "relationship_type": "" }, { "colour": "#68f2ff", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"", "relationship_type": "" }, { "colour": "#57997c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Bidirectional Communication - T1102.002\"", "relationship_type": "" }, { "colour": "#a9f8b1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"", "relationship_type": "" }, { "colour": "#89bea3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"AppleScript - T1059.002\"", "relationship_type": "" }, { "colour": "#3bc6ad", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Code Signing - T1553.002\"", "relationship_type": "" }, { "colour": "#a9bb6d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#680082", "local": false, "name": "ms-caro-malware:malware-platform=\"MacOS\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773054016", "to_ids": false, "type": "link", "uuid": "8b8cc09e-dd87-4871-8f93-f1f91e2748d0", "value": "https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1773054016", "to_ids": false, "type": "text", "uuid": "3bb3cba9-a380-4bae-8ea1-b1d1eeb03a66", "value": "A deceptive website impersonating CleanMyMac tricks users into installing SHub Stealer, a sophisticated macOS malware. The malware steals sensitive data, including passwords, browser data, cryptocurrency wallets, and Telegram sessions. It can also modify wallet apps to steal recovery phrases. The attack begins with users pasting a command into Terminal, which downloads and executes a malicious script. The malware performs extensive data collection from various browsers and wallet applications, and installs persistent backdoors in certain crypto wallet apps. SHub Stealer is part of a growing family of AppleScript-based macOS infostealers, demonstrating increasing sophistication in targeting Mac users." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1773054016", "to_ids": false, "type": "text", "uuid": "3a1c9cd7-4616-48c5-a743-c6cc69d4df06", "value": "Name: Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets\nAuthor: AlienVault\nAdversary: \nTags: [\"browser data theft\", \"clickfix\", \"applescript\", \"atomic stealer\", \"macos\", \"shub stealer\", \"macsync stealer\", \"infostealer\", \"odyssey stealer\"]\nTgtd countries: []\nMlwr families: [\"SHub Stealer\", \"MacSync Stealer\", \"Odyssey Stealer\", \"Atomic Stealer\"]\nAttack_ids: [\"T1132.001\", \"T1036.004\", \"T1071.001\", \"T1087\", \"T1547\", \"T1056.001\", \"T1074\", \"T1005\", \"T1102.002\", \"T1041\", \"T1059.002\", \"T1553.002\", \"T1555\"]\nIndustries: []" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276861", "to_ids": true, "type": "url", "uuid": "2ff51c86-80b9-4608-9e24-04cb4c308db8", "value": "http://res2erch-sl0ut.com/debug/payload.applescript", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276883", "to_ids": true, "type": "url", "uuid": "7159eb35-3346-463b-a0b9-23a5e74814f5", "value": "http://res2erch-sl0ut.com/gate", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276905", "to_ids": true, "type": "url", "uuid": "6eb6789b-afc3-4230-8b29-2d13a552ca6d", "value": "http://wallets-gate.io/api/injection", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "phishing site impersonating CleanMyMac", "deleted": false, "disable_correlation": false, "timestamp": "1773276926", "to_ids": true, "type": "domain", "uuid": "e7702578-407a-466c-8a0f-810725ceecad", "value": "cleanmymacos.org", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "primary command-and-control server (loader delivery, telemetry, data exfiltration)", "deleted": false, "disable_correlation": false, "timestamp": "1773276948", "to_ids": true, "type": "domain", "uuid": "821a8cd7-c5f0-47b0-a4da-deb381c5ad59", "value": "res2erch-sl0ut.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "secondary C2 used by wallet backdoors to exfiltrate seed phrases and passwords", "deleted": false, "disable_correlation": false, "timestamp": "1773276969", "to_ids": true, "type": "domain", "uuid": "7ad568a1-03c6-4d6d-a590-eff123cf288a", "value": "wallets-gate.io", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ] } }