{
  "type": "Domain",
  "indicator": "wallets-gate.io",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/wallets-gate.io",
    "alexa": "http://www.alexa.com/siteinfo/wallets-gate.io",
    "indicator": "wallets-gate.io",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4249070161,
      "indicator": "wallets-gate.io",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "69ae9dcd62b1927161472bf9",
          "name": "Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets",
          "description": "A deceptive website impersonating CleanMyMac tricks users into installing SHub Stealer, a sophisticated macOS malware. The malware steals sensitive data, including passwords, browser data, cryptocurrency wallets, and Telegram sessions. It can also modify wallet apps to steal recovery phrases. The attack begins with users pasting a command into Terminal, which downloads and executes a malicious script. The malware performs extensive data collection from various browsers and wallet applications, and installs persistent backdoors in certain crypto wallet apps. SHub Stealer is part of a growing family of AppleScript-based macOS infostealers, demonstrating increasing sophistication in targeting Mac users.",
          "modified": "2026-03-09T10:30:19.972000",
          "created": "2026-03-09T10:15:41.438000",
          "tags": [
            "browser data theft",
            "clickfix",
            "applescript",
            "atomic stealer",
            "macos",
            "shub stealer",
            "macsync stealer",
            "infostealer",
            "odyssey stealer"
          ],
          "references": [
            "https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SHub Stealer",
              "display_name": "SHub Stealer",
              "target": null
            },
            {
              "id": "MacSync Stealer",
              "display_name": "MacSync Stealer",
              "target": null
            },
            {
              "id": "Odyssey Stealer",
              "display_name": "Odyssey Stealer",
              "target": null
            },
            {
              "id": "Atomic Stealer",
              "display_name": "Atomic Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059.002",
              "name": "AppleScript",
              "display_name": "T1059.002 - AppleScript"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 3
          },
          "indicator_count": 6,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386538,
          "modified_text": "83 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bbb1e7ff6cad955292ee7f",
          "name": "EbeeMar2026 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-04-18T08:06:12.483000",
          "created": "2026-03-19T08:20:55.172000",
          "tags": [
            "filehashmd5",
            "filehashsha256",
            "filehashsha1",
            "computername",
            "date",
            "time",
            "username",
            "generatedbotid",
            "uwhi6jqzqh7",
            "encoded url"
          ],
          "references": [
            "IOCs.2026.1.csv"
          ],
          "public": 1,
          "adversary": "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 58,
            "FileHash-MD5": 262,
            "FileHash-SHA1": 197,
            "FileHash-SHA256": 270,
            "CVE": 6,
            "domain": 58,
            "email": 4,
            "hostname": 52
          },
          "indicator_count": 907,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "43 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b175e015961402a9e5f335",
          "name": "Valse CleanMyMac-website installeert SHub Stealer en backdoors voor cryptovaluta-wallets | Malwarebytes",
          "description": "",
          "modified": "2026-03-11T14:02:08.847000",
          "created": "2026-03-11T14:02:08.847000",
          "tags": [
            "ledger wallet",
            "ledger live",
            "exodus",
            "atomic wallet",
            "trezor suite",
            "shub",
            "chrome",
            "cleanmymac",
            "door",
            "het script",
            "terminal",
            "orion",
            "phantom",
            "desktop",
            "odyssey stealer",
            "shift",
            "seed"
          ],
          "references": [
            "https://www.malwarebytes.com/nl/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4,
            "domain": 4
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "81 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69af5054ff2579fdf324c86a",
          "name": "Fake clean myMac clone by Tr1sa111",
          "description": "",
          "modified": "2026-03-11T13:16:51.742000",
          "created": "2026-03-09T22:57:24.146000",
          "tags": [
            "browser data theft",
            "clickfix",
            "applescript",
            "atomic stealer",
            "macos",
            "shub stealer",
            "macsync stealer",
            "infostealer",
            "odyssey stealer"
          ],
          "references": [
            "https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SHub Stealer",
              "display_name": "SHub Stealer",
              "target": null
            },
            {
              "id": "MacSync Stealer",
              "display_name": "MacSync Stealer",
              "target": null
            },
            {
              "id": "Odyssey Stealer",
              "display_name": "Odyssey Stealer",
              "target": null
            },
            {
              "id": "Atomic Stealer",
              "display_name": "Atomic Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059.002",
              "name": "AppleScript",
              "display_name": "T1059.002 - AppleScript"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "69af46e2aca26f57f198051b",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 7,
            "domain": 3
          },
          "indicator_count": 10,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "81 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69af64c1b2d211fb43d4d899",
          "name": "Fake CleanMyMac Site Spreads SHub Stealer Targeting Crypto Wallets",
          "description": "Threat actors were observed targeting cryptocurrency wallets through a\nfake CleanMyMac website distributing SHub Stealer malware. The campaign uses a phishing technique that prompts users to paste a command into the Terminal, which initiates the malware. Once executed, the malware steals browser data such as saved passwords, cookies and autofill information, and also targets cryptocurrency wallet data.",
          "modified": "2026-03-10T00:24:33.606000",
          "created": "2026-03-10T00:24:33.606000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 3
          },
          "indicator_count": 3,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "82 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69af46e2aca26f57f198051b",
          "name": "Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets",
          "description": "",
          "modified": "2026-03-09T22:17:06.951000",
          "created": "2026-03-09T22:17:06.951000",
          "tags": [
            "browser data theft",
            "clickfix",
            "applescript",
            "atomic stealer",
            "macos",
            "shub stealer",
            "macsync stealer",
            "infostealer",
            "odyssey stealer"
          ],
          "references": [
            "https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SHub Stealer",
              "display_name": "SHub Stealer",
              "target": null
            },
            {
              "id": "MacSync Stealer",
              "display_name": "MacSync Stealer",
              "target": null
            },
            {
              "id": "Odyssey Stealer",
              "display_name": "Odyssey Stealer",
              "target": null
            },
            {
              "id": "Atomic Stealer",
              "display_name": "Atomic Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059.002",
              "name": "AppleScript",
              "display_name": "T1059.002 - AppleScript"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "69ae9dcd62b1927161472bf9",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 3
          },
          "indicator_count": 6,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "82 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69addbbca3761d2f309270cd",
          "name": "Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets",
          "description": "A deceptive website impersonating the popular Mac utility CleanMyMac has been identified as a conduit for distributing SHub Stealer, a sophisticated piece of macOS malware. This malware is engineered to compromise sensitive user data, specifically targeting saved passwords, browser information, Apple Keychain contents, cryptocurrency wallet data, and even Telegram sessions. Users are tricked into installing the malware by executing a command in the Terminal, which activates SHub Stealer and begins data exfiltration.",
          "modified": "2026-03-08T20:27:40.442000",
          "created": "2026-03-08T20:27:40.442000",
          "tags": [
            "shub",
            "ledger wallet",
            "ledger live",
            "exodus",
            "trezor suite",
            "atomic wallet",
            "cleanmymac",
            "terminal",
            "app store",
            "return",
            "telegram",
            "malware",
            "orion",
            "phantom",
            "beyond",
            "april",
            "odyssey stealer",
            "shift",
            "macos",
            "exodus web3",
            "exodus\u2019s",
            "macsync",
            "applescript",
            "stefan"
          ],
          "references": [
            "https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SHub Stealer,",
              "display_name": "SHub Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1036.003",
              "name": "Rename System Utilities",
              "display_name": "T1036.003 - Rename System Utilities"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1059.002",
              "name": "AppleScript",
              "display_name": "T1059.002 - AppleScript"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 3
          },
          "indicator_count": 6,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 541,
          "modified_text": "83 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.malwarebytes.com/nl/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets",
        "IOCs.2026.1.csv",
        "https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Macsync stealer",
            "Atomic stealer",
            "Odyssey stealer",
            "Shub stealer"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab"
          ],
          "malware_families": [
            "Shub stealer,",
            "Macsync stealer",
            "Odyssey stealer",
            "Atomic stealer",
            "Shub stealer"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "69ae9dcd62b1927161472bf9",
      "name": "Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets",
      "description": "A deceptive website impersonating CleanMyMac tricks users into installing SHub Stealer, a sophisticated macOS malware. The malware steals sensitive data, including passwords, browser data, cryptocurrency wallets, and Telegram sessions. It can also modify wallet apps to steal recovery phrases. The attack begins with users pasting a command into Terminal, which downloads and executes a malicious script. The malware performs extensive data collection from various browsers and wallet applications, and installs persistent backdoors in certain crypto wallet apps. SHub Stealer is part of a growing family of AppleScript-based macOS infostealers, demonstrating increasing sophistication in targeting Mac users.",
      "modified": "2026-03-09T10:30:19.972000",
      "created": "2026-03-09T10:15:41.438000",
      "tags": [
        "browser data theft",
        "clickfix",
        "applescript",
        "atomic stealer",
        "macos",
        "shub stealer",
        "macsync stealer",
        "infostealer",
        "odyssey stealer"
      ],
      "references": [
        "https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SHub Stealer",
          "display_name": "SHub Stealer",
          "target": null
        },
        {
          "id": "MacSync Stealer",
          "display_name": "MacSync Stealer",
          "target": null
        },
        {
          "id": "Odyssey Stealer",
          "display_name": "Odyssey Stealer",
          "target": null
        },
        {
          "id": "Atomic Stealer",
          "display_name": "Atomic Stealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1036.004",
          "name": "Masquerade Task or Service",
          "display_name": "T1036.004 - Masquerade Task or Service"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1074",
          "name": "Data Staged",
          "display_name": "T1074 - Data Staged"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059.002",
          "name": "AppleScript",
          "display_name": "T1059.002 - AppleScript"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "domain": 3
      },
      "indicator_count": 6,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386538,
      "modified_text": "83 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bbb1e7ff6cad955292ee7f",
      "name": "EbeeMar2026 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-04-18T08:06:12.483000",
      "created": "2026-03-19T08:20:55.172000",
      "tags": [
        "filehashmd5",
        "filehashsha256",
        "filehashsha1",
        "computername",
        "date",
        "time",
        "username",
        "generatedbotid",
        "uwhi6jqzqh7",
        "encoded url"
      ],
      "references": [
        "IOCs.2026.1.csv"
      ],
      "public": 1,
      "adversary": "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 58,
        "FileHash-MD5": 262,
        "FileHash-SHA1": 197,
        "FileHash-SHA256": 270,
        "CVE": 6,
        "domain": 58,
        "email": 4,
        "hostname": 52
      },
      "indicator_count": 907,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "43 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b175e015961402a9e5f335",
      "name": "Valse CleanMyMac-website installeert SHub Stealer en backdoors voor cryptovaluta-wallets | Malwarebytes",
      "description": "",
      "modified": "2026-03-11T14:02:08.847000",
      "created": "2026-03-11T14:02:08.847000",
      "tags": [
        "ledger wallet",
        "ledger live",
        "exodus",
        "atomic wallet",
        "trezor suite",
        "shub",
        "chrome",
        "cleanmymac",
        "door",
        "het script",
        "terminal",
        "orion",
        "phantom",
        "desktop",
        "odyssey stealer",
        "shift",
        "seed"
      ],
      "references": [
        "https://www.malwarebytes.com/nl/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4,
        "domain": 4
      },
      "indicator_count": 8,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "81 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69af5054ff2579fdf324c86a",
      "name": "Fake clean myMac clone by Tr1sa111",
      "description": "",
      "modified": "2026-03-11T13:16:51.742000",
      "created": "2026-03-09T22:57:24.146000",
      "tags": [
        "browser data theft",
        "clickfix",
        "applescript",
        "atomic stealer",
        "macos",
        "shub stealer",
        "macsync stealer",
        "infostealer",
        "odyssey stealer"
      ],
      "references": [
        "https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SHub Stealer",
          "display_name": "SHub Stealer",
          "target": null
        },
        {
          "id": "MacSync Stealer",
          "display_name": "MacSync Stealer",
          "target": null
        },
        {
          "id": "Odyssey Stealer",
          "display_name": "Odyssey Stealer",
          "target": null
        },
        {
          "id": "Atomic Stealer",
          "display_name": "Atomic Stealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1036.004",
          "name": "Masquerade Task or Service",
          "display_name": "T1036.004 - Masquerade Task or Service"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1074",
          "name": "Data Staged",
          "display_name": "T1074 - Data Staged"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059.002",
          "name": "AppleScript",
          "display_name": "T1059.002 - AppleScript"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "69af46e2aca26f57f198051b",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 7,
        "domain": 3
      },
      "indicator_count": 10,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "81 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69af64c1b2d211fb43d4d899",
      "name": "Fake CleanMyMac Site Spreads SHub Stealer Targeting Crypto Wallets",
      "description": "Threat actors were observed targeting cryptocurrency wallets through a fake CleanMyMac website distributing SHub Stealer malware. The campaign uses a phishing technique that prompts users to paste a command into the Terminal, which initiates the malware. Once executed, the malware steals browser data such as saved passwords, cookies and autofill information, and also targets cryptocurrency wallet data.",
      "modified": "2026-03-10T00:24:33.606000",
      "created": "2026-03-10T00:24:33.606000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 3
      },
      "indicator_count": 3,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "82 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69af46e2aca26f57f198051b",
      "name": "Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets",
      "description": "",
      "modified": "2026-03-09T22:17:06.951000",
      "created": "2026-03-09T22:17:06.951000",
      "tags": [
        "browser data theft",
        "clickfix",
        "applescript",
        "atomic stealer",
        "macos",
        "shub stealer",
        "macsync stealer",
        "infostealer",
        "odyssey stealer"
      ],
      "references": [
        "https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SHub Stealer",
          "display_name": "SHub Stealer",
          "target": null
        },
        {
          "id": "MacSync Stealer",
          "display_name": "MacSync Stealer",
          "target": null
        },
        {
          "id": "Odyssey Stealer",
          "display_name": "Odyssey Stealer",
          "target": null
        },
        {
          "id": "Atomic Stealer",
          "display_name": "Atomic Stealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1036.004",
          "name": "Masquerade Task or Service",
          "display_name": "T1036.004 - Masquerade Task or Service"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1074",
          "name": "Data Staged",
          "display_name": "T1074 - Data Staged"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059.002",
          "name": "AppleScript",
          "display_name": "T1059.002 - AppleScript"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "69ae9dcd62b1927161472bf9",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "domain": 3
      },
      "indicator_count": 6,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "82 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69addbbca3761d2f309270cd",
      "name": "Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets",
      "description": "A deceptive website impersonating the popular Mac utility CleanMyMac has been identified as a conduit for distributing SHub Stealer, a sophisticated piece of macOS malware. This malware is engineered to compromise sensitive user data, specifically targeting saved passwords, browser information, Apple Keychain contents, cryptocurrency wallet data, and even Telegram sessions. Users are tricked into installing the malware by executing a command in the Terminal, which activates SHub Stealer and begins data exfiltration.",
      "modified": "2026-03-08T20:27:40.442000",
      "created": "2026-03-08T20:27:40.442000",
      "tags": [
        "shub",
        "ledger wallet",
        "ledger live",
        "exodus",
        "trezor suite",
        "atomic wallet",
        "cleanmymac",
        "terminal",
        "app store",
        "return",
        "telegram",
        "malware",
        "orion",
        "phantom",
        "beyond",
        "april",
        "odyssey stealer",
        "shift",
        "macos",
        "exodus web3",
        "exodus\u2019s",
        "macsync",
        "applescript",
        "stefan"
      ],
      "references": [
        "https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SHub Stealer",
          "display_name": "SHub Stealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1036.003",
          "name": "Rename System Utilities",
          "display_name": "T1036.003 - Rename System Utilities"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1059.002",
          "name": "AppleScript",
          "display_name": "T1059.002 - AppleScript"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "domain": 3
      },
      "indicator_count": 6,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 541,
      "modified_text": "83 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "wallets-gate.io",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "wallets-gate.io",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780237518.6401818
}