SHub Stealer v2.0: A Live C2 Serving 103 Wallet Extensions, 23 Desktop Wallets, and a Full AppleScript Source We Downloaded
TLP: WHITE | Author: PetrP.73 | Created: 2026-04-26 | Modified: 2026-04-26
9 IOCs (low volume)
SHub Stealer v2.0 is a macOS infostealer focused on cryptocurrency assets. It runs as a two-stage attack: a loader script (loader.sh) fetched from the command-and-control (C2) server terafolt.com delivers an AppleScript payload that does the actual harvesting. The C2 was live as of April 20, 2026, and exposes a /gate endpoint plus a /api/bot/heartbeat endpoint, the latter presumably used by the implant for check-in. Observed capabilities include credential harvesting and backdooring of cryptocurrency wallet applications; the pulse title counts 103 browser wallet extensions and 23 desktop wallets among the targets. The full AppleScript source was retrieved from the C2.
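A practical use of the IOCs in this pulse is a quick hunt across proxy and DNS logs plus a hash check of suspicious files on a Mac. The script below is an added example, not code from the pulse author; it loads the indicators listed in the table, normalizes URLs so that query strings and trailing slashes do not cause misses, treats subdomains of the listed domains as hits (while not matching look-alikes such as notterafolt.com), and hashes files against the SHA-256 list. The log lines it scans are constructed for the example and do not come from a real incident.

```python
"""Hunt for SHub Stealer v2.0 IOCs (this pulse) in log lines and on disk.
Added example; the indicators are the pulse's, the log lines are constructed."""
import hashlib
import re
from pathlib import Path
from urllib.parse import urlparse

# Indicators copied from the pulse's IOC table.
IOC_SHA256 = {
    "61cb9c3bd1a2faa7d6613dd8e5d09e79fe95e85ab09ed6bcd6406badff5a083f",
    "d91d844ad8920458ee99e707b1a203cba8df76ce960195f0993eb3b0e96d893f",
    "eb66a20468f701f2ec5f018a0fd9b8551aefa25124c6a04517b873da9ca724ff",
    "ffb79953b8d822a5433f08e1e3958a0c7e9e856749a6d90c83b9e4ef5813a03a",
}
IOC_DOMAINS = {"terafolt.com", "res2erch-sl0ut.com"}
IOC_URLS_RAW = {
    "http://terafolt.com/loader.sh",
    "https://terafolt.com/api/bot/heartbeat",
    "https://terafolt.com/gate",
}


def normalize_url(url):
    """Lower-case scheme and host, drop query/fragment and trailing slash,
    so 'https://terafolt.com/gate?id=x' still matches the /gate IOC."""
    p = urlparse(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"


IOC_URLS = {normalize_url(u) for u in IOC_URLS_RAW}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def matched_domain(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else None.
    A bare suffix test would also flag 'notterafolt.com', hence the leading dot."""
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_line(line):
    """Return a sorted list of (type, indicator) hits for one log line."""
    hits = set()
    for url in URL_RE.findall(line):
        n = normalize_url(url)
        if n in IOC_URLS:
            hits.add(("url", n))
    for host in HOST_RE.findall(line):  # also catches bare DNS query names
        d = matched_domain(host)
        if d:
            hits.add(("domain", d))
    return sorted(hits)


def scan_log(lines):
    """Map 1-based line number -> hits, for lines that have any."""
    return {i: h for i, line in enumerate(lines, 1) if (h := match_line(line))}


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def bytes_match_ioc(data):
    return sha256_of_bytes(data) in IOC_SHA256


def file_matches_ioc(path):
    """True if the file's SHA-256 is one of the pulse's hashes."""
    return bytes_match_ioc(Path(path).read_bytes())


# Constructed sample log lines (not from a real incident).
SAMPLE_LOG = [
    "2026-04-21T10:02:11Z proxy src=10.0.4.17 method=GET url=http://terafolt.com/loader.sh status=200",
    "2026-04-21T10:02:15Z proxy src=10.0.4.17 method=POST url=https://terafolt.com/api/bot/heartbeat status=200",
    "2026-04-21T10:03:00Z dns src=10.0.4.17 query=cdn.res2erch-sl0ut.com type=A",
    "2026-04-21T10:03:01Z proxy src=10.0.4.18 method=GET url=https://example.com/index.html status=200",
    "2026-04-21T10:03:02Z dns src=10.0.4.18 query=notterafolt.com type=A",
    "2026-04-21T10:04:40Z proxy src=10.0.4.17 method=POST url=https://terafolt.com/gate?id=abc123 status=200",
]

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {lineno}: {hits}")
```

Lines 1, 2, 3 and 6 of the sample are flagged; line 4 (unrelated host) and line 5 (the look-alike domain) are not. For host triage, point file_matches_ioc at anything in the user's Downloads, /tmp or a LaunchAgent's program path; a hash match is high-confidence, while a domain hit in DNS logs warrants checking the originating host for the loader script.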
Indicators of Compromise (9)
TYPE            | INDICATOR                                                        | DESCRIPTION | CREATED
FileHash-SHA256 | 61cb9c3bd1a2faa7d6613dd8e5d09e79fe95e85ab09ed6bcd6406badff5a083f | (none)      | 2026-04-26
FileHash-SHA256 | d91d844ad8920458ee99e707b1a203cba8df76ce960195f0993eb3b0e96d893f | (none)      | 2026-04-26
FileHash-SHA256 | eb66a20468f701f2ec5f018a0fd9b8551aefa25124c6a04517b873da9ca724ff | (none)      | 2026-04-26
FileHash-SHA256 | ffb79953b8d822a5433f08e1e3958a0c7e9e856749a6d90c83b9e4ef5813a03a | (none)      | 2026-04-26
URL             | http://terafolt.com/loader.sh                                    | (none)      | 2026-04-26
URL             | https://terafolt.com/api/bot/heartbeat                           | (none)      | 2026-04-26
URL             | https://terafolt.com/gate                                        | (none)      | 2026-04-26
domain          | res2erch-sl0ut.com                                               | (none)      | 2026-04-26
domain          | terafolt.com                                                     | (none)      | 2026-04-26