A detailed reverse-engineering analysis of SHub Stealer, a macOS info-stealer distributed via a phishing page impersonating GitHub Desktop. The attack uses a multi-stage dropper: a Base64-obfuscated curl command pipes a gzip-compressed loader script into zsh, which then fetches and executes an AppleScript payload. The malware performs CIS geofencing (exits if Russian keyboard layout detected), collects system telemetry, steals credentials from 14 Chromium browsers, ~100 crypto wallet extensions, Firefox, 25 desktop wallets, Telegram sessions, macOS Keychains, and iCloud tokens. Most critically, it injects malicious app.asar files into Exodus, Atomic Wallet, Ledger Live, and Trezor Suite — persisting even after malware removal. A LaunchAgent disguised as Google Keystone provides persistent RCE every 60 seconds. Indicators of Compromise and remediation commands are provided.

7 min read. From faun.pub