• 'macOS is becoming a more attractive target, and the tools attack

    From TechnologyDaily@1337:1/100 to All on Mon Mar 9 18:45:35 2026
    'macOS is becoming a more attractive target, and the tools attackers use are becoming more capable and more professional': Experts warn 'convincing' fake CleanMyMac installs target Apple users to empty crypto wallets

    Date:
    Mon, 09 Mar 2026 18:35:00 +0000

    Description:
A fake website, a ClickFix lure, and an infostealer are all parts of a highly convincing crypto theft campaign.

    FULL STORY ======================================================================
    - Fake CleanMyMac utility spreads SHub infostealer
    - Attack tricks users into pasting terminal commands
    - Malware steals credentials and crypto, and persists via a backdoor

    A fake utility program for macOS is tricking users into installing an infostealer which exfiltrates passwords, sensitive files, and cryptocurrency, experts have warned.

    Security researchers at Malwarebytes said the program was part of a wider, highly sophisticated campaign which also included a custom website, spoofing of a reputable brand, a loader, and the familiar ClickFix technique. The researchers said the campaign spoofed CleanMyMac, a legitimate Mac optimization program built by MacPaw, creating an almost identical website on the cleanmymacos[DOT]org domain, which makes it easy for people to mistake it for the real one. However, instead of simply downloading and running an installer, victims are asked to open a terminal and paste a command that fetches the payload from a third-party server.

    Stealing files and establishing persistence

    Instead of exploiting a vulnerability, the attack tricks the user into running the malware themselves, Malwarebytes explained. Because the command is executed voluntarily, protections such as Gatekeeper, notarization checks, and XProtect offer little protection once the user pastes the command and presses Return: those checks are built around quarantined app downloads, and a payload fetched and executed from the terminal never passes through them.

    The malware installed this way is called SHub, and during installation it asks the victim for their macOS password. Since the whole installation process is unorthodox but looks like something a power user would do, victims may dismiss the password prompt as standard practice, the researchers explained.

    However, the password actually gives SHub access to the macOS Keychain, Wi-Fi credentials, app tokens, and other private keys.

    With the password in hand, SHub begins a systematic sweep of the machine, the Malwarebytes researchers said.

    After stealing passwords, cookies, autofill data, crypto wallet extensions, iCloud account data, Telegram session files, and other valuables, it drops a stage-two backdoor which replaces some cryptocurrency wallet apps with malicious copies. That way, the malware maintains persistence and even
    enables additional crypto theft down the line.

    Finally, the malware installs a LaunchAgent that masquerades as a Google update service.

    In practice, this gives the attackers the ability to run commands on the infected Mac at any time until the persistence mechanism is discovered and removed, the report concluded.
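    One check a defender can run against the persistence step described above, as an added example that is not part of the TechRadar article or the Malwarebytes report: a Python triage script that parses every LaunchAgent plist in a folder and flags agents that claim to be a Google updater but run from outside Google's own directories, launch through a shell or downloader, reference staging or hidden directories, or carry the same download-and-execute pattern the ClickFix step relies on. The trusted-path prefixes, the suspicious-location list, the labels, paths and file names of the two sample agents, and the user home /Users/alice are all assumptions constructed for this example; the report does not name the LaunchAgent it found.

```python
"""Triage macOS LaunchAgent plists for persistence that masquerades as a vendor updater.

Added example, not Malwarebytes' or TechRadar's code. The trusted-path and
suspicious-pattern lists are assumptions chosen for illustration; tune them per fleet.
"""
import plistlib
import re
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

HOME = "/Users/alice"  # constructed user home for the samples below

# Where a genuine per-user Google updater is expected to live (assumption for this example).
TRUSTED_GOOGLE_PREFIXES = ("/Library/Google/", f"{HOME}/Library/Google/")
# A real updater launches its own binary, not a shell, downloader or script interpreter.
INTERPRETERS = {"sh", "bash", "zsh", "curl", "osascript", "python", "python3", "perl"}
# Staging locations and hidden directories legitimate agents rarely run from (assumption).
SUSPICIOUS_LOCATIONS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/", "/.")
# The ClickFix shape: fetch with curl and pipe to a shell, or decode/eval inline.
DOWNLOAD_EXEC = re.compile(r"curl\b.*\|\s*(ba|z)?sh\b|base64\s+(-d|--decode)\b|\beval\b")


def program_path(plist: dict) -> str:
    """Return the executable a LaunchAgent runs: Program wins, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def triage(plist: dict) -> list[str]:
    """Return findings for one parsed LaunchAgent; an empty list means no heuristic fired."""
    findings = []
    label = str(plist.get("Label", "")).lower()
    path = program_path(plist)
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    command = " ".join(args) if args else path
    claims_google = "google" in label or "google" in path.lower()

    if claims_google and not path.startswith(TRUSTED_GOOGLE_PREFIXES):
        findings.append(f"claims to be a Google updater but runs {path!r}")
    if Path(path).name in INTERPRETERS:
        findings.append(f"launches via interpreter or downloader {Path(path).name!r}")
    if any(loc in command for loc in SUSPICIOUS_LOCATIONS):
        findings.append("references a staging or hidden directory")
    if DOWNLOAD_EXEC.search(command):
        findings.append("download-and-execute or decoding logic in ProgramArguments")
    return findings


def scan_directory(agents_dir: Path) -> dict[str, list[str]]:
    """Parse every *.plist in a LaunchAgents folder and return findings keyed by file name."""
    results = {}
    for plist_file in sorted(agents_dir.glob("*.plist")):
        try:
            plist = plistlib.loads(plist_file.read_bytes())
        except (plistlib.InvalidFileException, ValueError, ExpatError) as exc:
            results[plist_file.name] = [f"unparseable plist: {exc}"]
            continue
        results[plist_file.name] = triage(plist)
    return results


# Constructed samples: a Keystone-style agent and a look-alike that hides a shell loader.
SAMPLE_AGENTS = {
    "com.google.keystone.agent.plist": {
        "Label": "com.google.keystone.agent",
        "ProgramArguments": [
            f"{HOME}/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/"
            "Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent",
            "-runMode", "ifneeded",
        ],
        "RunAtLoad": True,
    },
    "com.google.update.service.plist": {  # constructed name, not the label from the report
        "Label": "com.google.update.service",
        "ProgramArguments": ["/bin/sh", "-c", f"{HOME}/Library/.gupdate/agent; exit 0"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
}


def scan_samples() -> dict[str, list[str]]:
    """Write the constructed samples to a temporary LaunchAgents folder and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        agents_dir = Path(tmp)
        for name, content in SAMPLE_AGENTS.items():
            (agents_dir / name).write_bytes(plistlib.dumps(content))
        return scan_directory(agents_dir)


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or "clean")
```

    On a real machine, call scan_directory(Path.home() / "Library/LaunchAgents") and repeat for /Library/LaunchAgents and /Library/LaunchDaemons; compare the results with what launchctl list reports as loaded. Findings are leads to inspect by hand, not verdicts: the heuristics are deliberately broad, and a quiet agent that only runs a renamed binary from a plausible path will not trip them.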




    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/macos-is-becoming-a-more-attractive-target-and-the-tools-attackers-use-are-becoming-more-capable-and-more-professional-convincing-fake-cleanmymac-installs-target-apple-users-to-empty-crypto-wallets


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)