Fake CleanMyMac Website Spreads SHub Stealer Through ClickFix Terminal Trick (3 minute read)
A fraudulent CleanMyMac site uses a ClickFix-style social engineering technique to trick macOS users into pasting a malicious Terminal command that silently installs SHub Stealer, bypassing Gatekeeper entirely. The stealer harvests macOS Keychain credentials via a fake system authentication prompt, targets Exodus, Atomic Wallet, Ledger Live, and Trezor Suite for seed-phrase extraction, and persists via a LaunchAgent disguised as a Google software updater that runs every minute. Russian-language keyboard layouts trigger immediate self-termination, a common indicator of Russian-nexus cybercriminal origin.