2026-05-08 (Friday): #macOS #ShubStealer infection

#pcap, malware files, and indicators available at https://malware-traffic-analysis.net/2026/05/08/index.html

Different file hashes and C2 server than the Shub Stealer I saw yesterday, but otherwise pretty much the same.

Microsoft researchers warn of a new #ClickFix campaign targeting macOS with fake guides on Medium and Craft to deploy AMOS and SHub Stealer via Terminal commands.

Read: https://hackread.com/fake-macos-troubleshooting-sites-steal-icloud-clickfix/

#CyberSecurity #macOS #AMOS #SHubStealer #Scam


2026-05-07 (Thursday): #macOS #ShubStealer seen from fake GitHub App Installer page at m1solidfiles[.]com

Asks the user to copy/paste a script into a terminal window, which caused the following traffic:

"Debug" loader retrieved from:

- hxxps[:]//pwqepqwiriig[.]com/debug/loader.sh?build=10423f9c16ba853a4fd93afc5da0c44c

Script to install Shub Stealer:

- hxxps[:]//pwqepqwiriig[.]com/debug/payload.applescript?build=10423f9c16ba853a4fd93afc5da0c44c

HTTPS POST requests approximately once every minute for Shub Stealer C2 server:

- hxxps[:]//pwqepqwiriig[.]com/api/bot/heartbeat
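As an added example (not code from the post or the pcap), a small Python check for the two traffic patterns described above: the loader/payload fetches carrying a 32-hex `build` parameter, and the POST heartbeat that repeats roughly once a minute. The log lines and the host `c2.example` are constructed for the example; only the paths mirror the ones listed above.

```python
import re
from datetime import datetime
from statistics import median, pstdev

# Constructed sample proxy log (timestamp method host path); not taken from the
# pcap above. Paths mirror the post's indicators, the host is a placeholder.
SAMPLE_LOG = """\
2026-05-07T14:00:00Z GET c2.example /debug/loader.sh?build=10423f9c16ba853a4fd93afc5da0c44c
2026-05-07T14:00:03Z GET c2.example /debug/payload.applescript?build=10423f9c16ba853a4fd93afc5da0c44c
2026-05-07T14:00:10Z POST c2.example /api/bot/heartbeat
2026-05-07T14:01:11Z POST c2.example /api/bot/heartbeat
2026-05-07T14:02:10Z POST c2.example /api/bot/heartbeat
2026-05-07T14:03:12Z POST c2.example /api/bot/heartbeat
2026-05-07T14:04:10Z POST c2.example /api/bot/heartbeat
2026-05-07T14:00:05Z GET cdn.example /static/app.js
2026-05-07T14:02:40Z GET cdn.example /static/app.js
2026-05-07T14:09:00Z GET cdn.example /static/app.js
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\S+)$")
# loader.sh / payload.applescript fetched with a 32-hex "build" value, as seen above
LOADER_RE = re.compile(r"^/debug/(loader\.sh|payload\.applescript)\?build=[0-9a-f]{32}$")

def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def find_beacons(log, min_hits=4, max_jitter=5.0):
    """Return {(host, path): median_gap_seconds} for POST streams with a steady cadence."""
    streams = {}
    for ts, method, host, path in parse(log):
        if method == "POST":
            streams.setdefault((host, path), []).append(ts)
    found = {}
    for key, stamps in streams.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:  # low jitter between requests = beacon-like
            found[key] = median(gaps)
    return found

def find_loader_fetches(log):
    return [(host, path) for _, method, host, path in parse(log)
            if method == "GET" and LOADER_RE.match(path)]
```

On the sample log the heartbeat stream comes out at a median gap of 60 s, and the two `/debug/` fetches are flagged; the irregular `cdn.example` requests are not.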