VYPR research
Published May 18, 2026 · Updated May 19, 2026 · 5 sources

SHub Reaper macOS Stealer Spoofs Apple, Google, and Microsoft in Multi-Stage Attack Chain

SentinelOne has uncovered a new variant of the SHub Stealer, dubbed 'Reaper,' targeting macOS with a multi-stage infection chain that spoofs Microsoft, Apple, and Google at different stages.

SentinelOne has detailed a new variant of the SHub Stealer, dubbed 'Reaper,' targeting macOS users with a sophisticated multi-stage infection chain that spoofs Microsoft, Apple, and Google at different stages. The malware uses fake WeChat and Miro installers as lures, but its standout feature is the way it shifts its disguise at each stage: payloads are hosted on a typo-squatted Microsoft domain, executed under the guise of an Apple security update, and persist from a fake Google Software Update directory.

Reaper is deployed via a multi-stage execution chain that bypasses Terminal entirely, sidestepping Apple's Tahoe 26.4 mitigation for ClickFix attacks. It leverages the applescript:// URL scheme to launch macOS Script Editor pre-populated with malicious AppleScript. The HTML source dynamically constructs the script, padding it with ASCII art and fake terms so the malicious command is pushed below the visible portion of the window. When the victim clicks 'Run,' the script prints a fake update message referencing Apple's XProtectRemediator tool while silently decoding and executing a curl command to fetch the initial shell script stub.

The script stub checks the victim's locale settings to avoid infecting systems in the CIS region (Commonwealth of Independent States) by querying for Russian input sources. If one is detected, it sends a 'cis_blocked' telemetry event to the C2 server and exits. Otherwise, it retrieves an AppleScript containing the core exfiltration logic and executes it in memory via osascript, without writing it to the local disk.

Before invoking the AppleScript payload, the fake installer websites profile the visitor and apply several anti-analysis techniques. JavaScript on the pages collects system and browser information including IP address, location, WebGL fingerprinting data, and indicators of virtual machines or VPNs. The scripts also enumerate installed browser extensions, specifically looking for password managers like 1Password, Bitwarden, and LastPass, as well as cryptocurrency wallets such as MetaMask and Phantom. The collected telemetry is sent to the operators via a hardcoded Telegram bot.

The pages also interfere with analysis by overriding console functions, intercepting developer keystrokes such as F12, and running a continuous debugger loop to stall analysis. If a researcher opens DevTools, the browser will constantly pause execution. A separate event listener overwrites the page content with a Russian 'Access Denied' message if DevTools are detected.

Once the user clicks 'Run' in Script Editor, the hidden command retrieves the remote AppleScript and executes it. The user is asked to supply their login password, which is scraped and used to decrypt various credentials, before being presented with a misleading error message. Reaper retains the core behavior of earlier SHub builds, targeting data from Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Orion, as well as browser extensions and desktop wallet applications including Exodus, Atomic, Ledger Live, Electrum, and Trezor Suite.

In addition, the Reaper build includes a Filegrabber routine resembling the document-theft functionality seen in Atomic macOS Stealer (AMOS). The Filegrabber handler searches the user's Desktop and Documents folders for files likely to contain business or personal information, uploading them in chunks to the C2 server. This new capability significantly expands the malware's data theft potential beyond credentials and cryptocurrency.

SentinelOne provides indicators of compromise to aid defenders. The discovery highlights the continued evolution of macOS infostealers, with threat actors iterating on successful techniques and incorporating multiple layers of deception to evade detection. Organizations should educate users about the risks of downloading software from untrusted sources and implement endpoint detection and response solutions to identify such threats.

BleepingComputer's report adds that the malicious domains used in the campaign, impersonating WeChat and Miro, are still active, with the fake QQ and Microsoft domains continuing to serve the malicious installer while the Miro-impersonating domain now redirects to the legitimate site. The article also notes that the download buttons for Windows and Android on these sites serve the same executable, hosted in a Dropbox account, and that before invoking the AppleScript, the websites fingerprint the visitor's device for virtual machines, VPNs, and installed browser extensions for password managers and cryptocurrency wallets, with all telemetry sent to the attacker via a Telegram bot.

The Register's report adds that Reaper's persistence mechanism mimics Google Software Update by creating a LaunchAgent that executes a beacon script every 60 seconds, sending system details to the C2's /api/bot/heartbeat endpoint. The backdoor also allows remote code execution by decoding and running payloads sent from the attacker-controlled server, then deleting the file. SentinelOne researcher Phil Stokes notes this gives operators more ways to steal data or pivot to other malicious installs after initial compromise.

SentinelOne's report details that Reaper's initial access now uses the `applescript://` URL scheme to launch macOS Script Editor with a malicious payload pre-loaded, bypassing Apple's Tahoe 26.4 mitigations against conventional ClickFix attacks. Once executed, the multi-stage chain establishes persistence by placing a bash script in a fake `~/Library/Application Support/Google/GoogleUpdate.app/` directory and registering it as a LaunchAgent, enabling the attackers to execute arbitrary commands on a 60-second polling loop. The malware also adds a Filegrabber module that culls business and financial files from the Desktop and Documents folders (up to 150MB) and can replace legitimate cryptocurrency wallet binaries, including Exodus, Ledger Live, and Trezor Suite, with modified versions retrieved from its C2 server.
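The persistence described in the two paragraphs above (a LaunchAgent that polls a script in a fake GoogleUpdate.app directory every 60 seconds) is something a defender can hunt for in `~/Library/LaunchAgents`. The following is an added example, not SentinelOne's or the reports' code; it assumes the genuine Google updater (Keystone) lives under `~/Library/Google/GoogleSoftwareUpdate` rather than Application Support, and the two plists it checks are constructed stand-ins, not real indicators.

```python
import plistlib
import re
from pathlib import Path
from xml.parsers.expat import ExpatError

# Path fragment from the report. Assumption: the genuine Google updater (Keystone)
# lives under ~/Library/Google/GoogleSoftwareUpdate, never in Application Support.
FAKE_UPDATE_DIR = re.compile(r"Application Support/Google/GoogleUpdate\.app/", re.I)
BEACON_INTERVAL_MAX = 60  # seconds; the report describes a 60-second beacon

def assess_agent(plist_bytes: bytes) -> list[str]:
    """Return reasons a LaunchAgent looks like Reaper persistence; [] means clean."""
    try:
        plist = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        return ["unparseable plist"]
    # launchd accepts either a single Program string or a ProgramArguments array
    args = [str(plist["Program"])] if "Program" in plist else []
    args += [str(a) for a in plist.get("ProgramArguments", [])]
    reasons = []
    if any(FAKE_UPDATE_DIR.search(a) for a in args):
        reasons.append("program under fake GoogleUpdate.app directory")
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= BEACON_INTERVAL_MAX:
        reasons.append(f"short polling interval ({interval}s)")
    return reasons

def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Assess every *.plist in a LaunchAgents directory; returns {path: reasons} for hits."""
    hits = {}
    for p in sorted(directory.glob("*.plist")):
        if reasons := assess_agent(p.read_bytes()):
            hits[str(p)] = reasons
    return hits

# Constructed samples standing in for ~/Library/LaunchAgents/*.plist contents.
SAMPLE_REAPER_STYLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>sample.fake.googleupdate</string>
  <key>ProgramArguments</key><array><string>/bin/bash</string>
    <string>/Users/victim/Library/Application Support/Google/GoogleUpdate.app/beacon.sh</string></array>
  <key>StartInterval</key><integer>60</integer>
</dict></plist>"""
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>sample.benign.backup</string>
  <key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""
```

On a live endpoint, call `scan_launch_agents(Path.home() / "Library/LaunchAgents")` and review any hits alongside the file's modification time and the script it points to.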

The Dark Reading report adds that SHub Reaper uses a multistage social engineering chain that spoofs Microsoft, Apple, and Google at different stages, with the payload hosted on a typosquatted Microsoft domain, executed under the guise of an Apple security update, and persisting from a fake Google Software Update directory. SentinelOne notes that the malware's use of the applescript:// URL scheme to bypass Apple's Tahoe 26.4 mitigations marks a shift away from ClickFix tactics, and recommends monitoring for unexpected Script Editor invocations and browser-to-AppleScript execution chains.

Synthesized by Vypr AI