SHub Stealer v2.0

The entered password is validated locally using dscl . -authonly against the current username. If the password is incorrect, the dialog re-appears — up to 10 retry attempts.

Persistence: The stealer calls https://terafolt[.]com/api/bot/heartbeat to register the compromised host and poll for follow-up commands.

Execution: Pipes the downloaded AppleScript directly to osascript, the macOS AppleScript interpreter, achieving fileless execution in the second stage.

The loader is a 589-byte shell script compressed with gzip and encoded in Base64.

“…leveraging the ClickFix initial access technique to social-engineer victims into installing infostealers.” / “how fake captcha can lead to a company-wide infection”

Electron-based wallet apps load their core logic from app.asar, so replacing it allows the attacker to inject persistent code that executes every time the wallet is opened.

The entered password is validated locally using dscl . -authonly against the current username. If the password is incorrect, the dialog re-appears — up to 10 retry attempts.

A distinctive capability: for Exodus, Atomic Wallet, Ledger Live, and Trezor Suite, the stealer replaces the application's app.asar file with a trojanized version.

The entered password is validated locally using dscl . -authonly against the current username. If the password is incorrect, the dialog re-appears — up to 10 retry attempts.

The loader is a 589-byte shell script compressed with gzip and encoded in Base64.

for Exodus, Atomic Wallet, Ledger Live, and Trezor Suite, the stealer replaces the application's app.asar file with a trojanized version. | The stealer displays a fake System Preferences dialog box prompting the user to enter their macOS password.

The entered password is validated locally using dscl . -authonly against the current username. If the password is incorrect, the dialog re-appears — up to 10 retry attempts.

Electron-based wallet apps load their core logic from app.asar, so replacing it allows the attacker to inject persistent code that executes every time the wallet is opened.

A distinctive capability: for Exodus, Atomic Wallet, Ledger Live, and Trezor Suite, the stealer replaces the application's app.asar file with a trojanized version.

The stealer displays a fake System Preferences dialog box prompting the user to enter their macOS password.

For each Chromium browser, the stealer extracts Login Data, Cookies, Web Data... Firefox profile directories are enumerated for ... cookies.sqlite

For each Chromium browser, the stealer extracts Login Data, Cookies, Web Data (autofill and credit cards), and Local State (for encryption key extraction). Firefox profile directories are enumerated for logins.json, cookies.sqlite, and key4.db.

macOS Keychain Dumps keychain entries using harvested password

For each Chromium browser, the stealer extracts Login Data, Cookies, Web Data (autofill and credit cards), and Local State... Firefox profile directories are enumerated for logins.json, cookies.sqlite, and key4.db.

A distinctive capability: for Exodus, Atomic Wallet, Ledger Live, and Trezor Suite, the stealer replaces the application's app.asar file with a trojanized version.

The entered password is validated locally using dscl . -authonly against the current username. If the password is incorrect, the dialog re-appears — up to 10 retry attempts.

CIS Geofencing: Checks the active keyboard input source. If a Russian layout is detected, execution terminates immediately.

Beyond crypto, it harvests macOS Keychain data, iCloud credentials, Safari and Firefox data, Apple Notes, Telegram sessions, and shell history.

The stealer displays a fake System Preferences dialog box prompting the user to enter their macOS password.

All collected data is packaged and sent as a multipart POST request to https://terafolt[.]com/gate.

Gate URL https://terafolt[.]com/gate Heartbeat https://terafolt[.]com/api/bot/heartbeat

Gate URL https://terafolt[.]com/gate Heartbeat https://terafolt[.]com/api/bot/heartbeat

Payload Retrieval: Downloads the AppleScript payload from the same terafolt[.]com C2 server.

Exfiltration: All collected data is packaged and sent as a multipart POST request to https://terafolt[.]com/gate.

All collected data is packaged and sent as a multipart POST request to https://terafolt[.]com/gate.