216.73.217.139

Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets

· Published 09/03/2026 10:15 · Modified 09/03/2026 10:30

Export JSON

Essential information

Published
09/03/2026 10:15
Modified
09/03/2026 10:30
Tags
2026-03-09 applescript atomic stealer browser data theft clickfix infostealer macos macsync stealer odyssey stealer shub stealer
Related entities
3 observables, 8 techniques (mitre), 4 malware, 3 others

Description

A deceptive website impersonating CleanMyMac tricks users into installing , a sophisticated malware. The malware steals sensitive data, including passwords, browser data, cryptocurrency wallets, and Telegram sessions. It can also modify wallet apps to steal recovery phrases. The attack begins with users pasting a command into Terminal, which downloads and executes a malicious script. The malware performs extensive data collection from various browsers and wallet applications, and installs persistent backdoors in certain crypto wallet apps. is part of a growing family of -based infostealers, demonstrating increasing sophistication in targeting Mac users.

External references