Device Management
Endpoint Detection & Response
Vulnerability Management
Kai
Liftoff
Prism
Migration Agent
Auto Apps
Passport
Compliance
Assignment Maps
Managed OS
Integrations
Mac
iPhone and iPad
Apple TV
Vision Pro
Financial Services
Technology
Artificial Intelligence
Marketing Agencies
Healthcare & Biotech
Startup
Growth
Enterprise
Resources Hub
Kandji Blog
Customer Stories
Mac Admins Community
Security Details
MDM Comparison Guide
Customer Support
Product Updates
Kandji Status
Customer Login
Register a Deal
Become a Partner
Partner Portal
About Kandji
News & Press
Careers
Contact
Why Kandji?
Threat Research Knowledge Base Threats ProcessHub Stealer
ProcessHub Stealer
Description
ProcessHub stealer is a relatively new finding attributed to China, and is designed to collect user files including bash history, zsh history, GitHub configuration, SSH information, and the Keychain. It completes these actions in a multi-stage process including the downloading of a script from its command and control server, the collection of user files, and the uploading these files.
Variant Names
N/A
Alternative Names
N/A
Country of origin
- China
Symptoms
You might observe the following artifacts associated with this threat:
- Unfamiliar applications or processes.
- Download and execution of arbitrary scripts.
- Unusual network activity or data usage.
Technical Breakdown
ProcessHub stealer's main goal is to download additional files to execute from the command and control server. It is modular since it is able to execute arbitrary scripts that it downloads. One script that is executes was made public and has the capability of collecting, zipping, and uploading user files to its command and control server.
Some of ProcessHub Stealer's capabilities include:
- Downloading and executing arbitrary scripts.
- Collecting system information.
- Exfiltrating Keychain passwords.
- Exfiltrating Github configuration files.
- Exfiltrating user Terminal command history.
- Exfiltrating user SSH related data.
Next Steps
Kandji Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect.
While the malicious file is removed, it can leave behind artifacts that need to be cleaned manually.
In the future, avoid downloading and installing software from torrent sources or untrusted websites. Ensure that all applications are obtained from official and reputable sources to maintain system integrity and security.
Learn more about it
Dissecting the macOS 'AppleProcessHub' Stealer: Technical Analysis of a Multi-Stage Attack
An in-depth analysis of the 'AppleProcessHub' stealer, detailing its multi-stage attack process, capabilities, and the implications for macOS security.
Read moreRelated
Atomic Stealer (AMOS) is a sophisticated piece of malware that targets Apple users by masquerading as legitimate applications. Once installed, AMOS can exfiltrate extensive data, including keychain passwords, user documents, system information, browser data, credit card information, and cryptocurrency wallets. There is a strong association between Atomic Stealer and Russian-speaking cybercriminal communities.
Cuckoo is an info stealer that typically masquerades as macOS applications such as Homebrew and Google Chrome. Discovered by Kandji in 2024, it has been known to steal passwords, as well as recording audio and video from an infected system.
PasivRobber is a sophisticated macOS surveillance suite discovered in March 2025. It targets applications popular among Chinese users, such as WeChat and QQ, and can exfiltrate sensitive data from various sources, including web browsers, email clients, and system files. The malware employs deceptive naming schemes and a modular architecture, indicating a deep understanding of macOS internals.
Manage and secure your Apple devices at scale.
