Security researchers have uncovered a new macOS infostealer that slips past defenses by pretending to be routine Apple security software. Called SHub Reaper, the malware represents the latest evolution in a two-year campaign built around the SHub Stealer family. It no longer relies on crude fake installers or obvious Terminal tricks. Instead it weaves itself into familiar system processes. And it does so with striking precision.
The discovery comes at a moment when macOS threats have accelerated. Reports from the past several months show infostealers expanding from Windows roots into Apple systems. Microsoft detailed how such campaigns now use social engineering and native tool abuse across platforms. Microsoft’s analysis from early May traces similar ClickFix-style tactics that Reaper builds upon. The pattern is clear. Attackers study Apple’s latest protections and adjust quickly.
Reaper starts its work on malicious websites that quietly profile visitors. These pages gather system details, WebGL fingerprints, VPN usage signs, browser extensions and hints of virtual machines or analysis environments. They scan for installed password managers such as 1Password, Bitwarden and LastPass. Crypto wallet extensions like MetaMask and Phantom draw special interest. Anti-analysis tricks follow. The sites interfere with developer tools, capture F12 keystrokes and trigger endless debugger loops. Some even switch to a Russian “Access Denied” page once they smell trouble.
Once a target engages, the delivery shifts to the applescript:// URL scheme. This opens Apple’s Script Editor and prompts the user to click Run. Here the deception sharpens. A fake XProtectRemediator security update window appears. Behind it the malicious AppleScript executes. Attackers pad the script with fake installer text and ASCII art. The dangerous commands stay hidden below the visible edge of the window. Victims see what looks like a normal Apple process. They rarely suspect anything.
But the theft runs deep. Reaper targets browsers including Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc and Orion. It grabs data from crypto wallets such as Exodus, Atomic Wallet, Ledger Live, Electrum and Trezor Suite. macOS Keychain entries, Telegram sessions, browser extensions and developer files all fall into its net. An AMOS-style document stealer adds another layer. It combs Desktop and Documents folders for Word files, spreadsheets, JSON data, wallet backups and remote desktop configurations. Files larger than certain thresholds are skipped. PNG images over 6 MB stay behind. The total haul caps at 150 MB before compression and chunked upload to command-and-control servers.
Wallet applications face direct sabotage. The malware kills active wallet processes, swaps their internal app.asar resources with attacker-controlled versions, removes quarantine attributes and applies ad hoc code signing. The modified apps keep running. Funds can vanish later. After data collection the victim sees a fake compatibility error. Suspicion fades. The password prompt that appeared earlier has already delivered admin credentials.
Persistence marks Reaper’s biggest advance over prior SHub variants. The malware drops a LaunchAgent disguised inside a fake GoogleUpdate.app bundle. It registers as com.google.keystone.agent.plist. This mimics Google’s legitimate Keystone update service and runs every 60 seconds. From there remote servers feed new commands, execute additional payloads under the current user and clean up temporary files. What began as a one-time theft now becomes a lasting foothold. Future modules or remote access become possible.
SentinelOne first detailed these tactics in its report on the campaign. The firm noted how Reaper expands on earlier SHub methods that used fake installers and ClickFix social engineering. Those older attacks pushed victims to paste commands into Terminal. Apple responded in macOS Tahoe 26.4 with new warnings for suspicious paste operations. Reaper sidesteps that by routing through Script Editor. Different stages rotate disguises. Early lures mimic WeChat or Miro installers from typo-squatted domains that resemble Microsoft infrastructure. Later stages pose as Apple updates. Persistence hides in Google-branded directories. The malware borrows trust from three major technology brands in one chain.
This approach exploits how users and security tools perceive normal activity. AppleScript and shell scripts blend into everyday macOS behavior. Traditional file-based scanning like XProtect struggles to flag them. Monitoring for unusual osascript processes, unexpected LaunchAgents or Script Editor network traffic offers better signals. Yet many organizations and home users lack such visibility. The result is a stealthier threat that scales.
Broader industry data supports the trend. Jamf’s Security 360 report for 2026 shows Trojan detections on Macs jumping sharply. Infostealers now dominate many threat lists. Related families such as Atomic Stealer, also known as AMOS, DigitStealer and MacSync continue to evolve. A 9to5Mac report from April described additional undetected macOS samples that evade major antivirus engines. The shift toward Go, Rust and modular designs makes cross-platform operation easier. Attackers no longer treat macOS as an afterthought.
Microsoft has warned repeatedly about this expansion. Its February analysis highlighted campaigns delivering DigitStealer, MacSync and AMOS through malvertising, fake DMGs and ClickFix prompts. The firm urged monitoring for suspicious Terminal flows involving curl, Base64 decoding, osascript or JavaScript for Automation. Reaper fits neatly into that pattern while adding its own refinements. The malware’s use of fingerprinting and anti-analysis shows growing operational maturity.
Apple itself has tightened controls. Gatekeeper, notarization requirements and the Tahoe 26.4 Terminal warnings all aim to raise the bar. Yet social engineering remains the weak point. Users still click Run in Script Editor when prompted by what looks like an urgent security update. They enter passwords when asked. Fake error messages reassure them. The human element gives these campaigns their reach.
Experts advise sticking to official download sources. Avoid unsolicited links, ad-driven installer pages and claims that a manual security fix requires opening Script Editor. Check URLs carefully. Watch for unexpected password prompts paired with vague errors. Advanced users can review LaunchAgents in their Library folders and monitor for suspicious AppleScript activity. Simple habits still matter most.
Reaper does not rewrite the rules of macOS security. It exploits existing gaps with care and patience. Its success signals that threat actors now invest time studying Apple’s updates and user workflows. They test anti-analysis measures. They refine persistence. They rotate brands to stay under the radar. The days when macOS malware meant obvious Trojans appear to be fading. A more calculated, script-driven style is taking hold.
Security teams and individual users face a choice. They can treat every unexpected update prompt as suspect. Or they can hope their defenses catch what file scanners miss. The evidence from recent months suggests the first option carries less risk. Because once Reaper or its successors gain persistence, the data they seek is already on its way out the door.
from WebProNews https://ift.tt/cRiMCn3
