A recently discovered version of the ‘SHub’ macOS infostealer leverages AppleScript to display a deceptive security update alert and deploys a backdoor onto the system.
Known as Reaper, this updated variant harvests sensitive browser information, gathers files and documents potentially holding financial data, and takes control of cryptocurrency wallet applications.
Previous SHub infection campaigns depended on “ClickFix” techniques, which duped users into copying and running commands in Terminal. Reaper, in contrast, takes advantage of the applescript:// URL scheme to open the macOS Script Editor with a preloaded malicious AppleScript.
This method gets around Apple’s Terminal-focused protections rolled out in late March via macOS Tahoe 26.4, which prevented pasting and running potentially dangerous commands.
Researchers at SentinelOne spotted the new SHub variant and determined that victims were enticed through counterfeit installers for WeChat and Miro apps hosted on websites crafted to seem trustworthy to less tech-savvy visitors (for instance, qq-0732gwh22[.]com, mlcrosoft[.]co[.]com, mlroweb[.]com).
Right now, the fraudulent QQ and Microsoft domains continue distributing bogus WeChat installers, whereas the domain impersonating the Miro visual collaboration platform now redirects visitors to the real site.
BleepingComputer observed that the download links for Windows and Android platforms serve an identical executable stored in a Dropbox account.
Before triggering the AppleScript, the malicious websites profile the visitor’s device to detect virtual machines and VPNs—which could signal an analytics environment—and catalog installed browser extensions tied to password managers and crypto wallets. All gathered telemetry is forwarded to the attacker through a Telegram bot.
In SentinelOne’s latest report, researchers note that the script containing the payload-downloading command is generated on the fly and concealed beneath ASCII art.

Source: SentinelOne
When the victim presses ‘Run,’ the script presents a fake Apple security update message that references XProtectRemediator, fetches a shell script with ‘curl,’ and runs it silently through ‘zsh.’
Before carrying out its data-stealing routine, the malware checks whether the victim has a Russian keyboard or input method active. If it finds a match, it logs a ‘cis_blocked’ event with the command-and-control (C2) server and shuts down without infecting the device.
If the host is not flagged as Russian, Reaper downloads and executes the malicious AppleScript that contains the data-theft logic using the built-in macOS osascript command-line utility.
Once it launches, it requests the user’s macOS password, which grants access to Keychain-stored items, allows credential decryption, and unlocks protected data. Afterward, the infostealer goes after the following targets:
- Browser data from Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Opera, Vivaldi, Arc, and Orion
- Browser extensions tied to cryptocurrency wallets, such as MetaMask and Phantom
- Browser extensions associated with password managers, such as 1Password, Bitwarden, and LastPass
- Desktop cryptocurrency wallet applications, including Exodus, Atomic Wallet, Ledger Live, Electrum, and Trezor Suite
- iCloud account data
- Telegram session data
- Developer-related configuration files
Reaper also features a “Filegrabber” module that scans the Desktop and Documents folders for file types likely to hold sensitive content. It seeks out files under 2MB, or up to 6MB for PNG images, with a cumulative size cap of 150MB.

Source: SentinelOne
When crypto wallet apps are detected, the malware terminates their processes and swaps out the genuine core application file with a malicious substitute named app.asar fetched from the command-and-control (C2) server.
To sidestep Gatekeeper warnings, the SHub Reaper malware “removes quarantine attributes using xattr -cr and applies ad hoc code signing to the tampered application bundle,” the researchers detail.
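One way a defender can spot a wallet bundle that has been re-signed this way is to read the signature state reported by `codesign -dv --verbose=2`: a genuine release carries a Developer ID (or Mac App Store) authority chain and a Team ID, while an ad hoc re-sign reports `Signature=adhoc` and `TeamIdentifier=not set`. The script below is an added example, not SentinelOne's tooling or any vendor's code; the wallet install paths are assumed, and the two sample `codesign` outputs are constructed to show the two states.

```python
"""Flag wallet app bundles whose code signature has been replaced by an ad hoc one.

Added example (not from the SentinelOne report or any vendor tool). It parses the
text that `codesign -dv --verbose=2 <bundle>` writes to stderr and treats an
ad hoc signature or missing Team ID on a known wallet bundle as a tampering
indicator. Bundle paths and the sample outputs below are assumptions.
"""
import os
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Desktop wallets named in the report; the paths are the usual install
# locations (an assumption of this example).
WALLET_BUNDLES = [
    "/Applications/Exodus.app",
    "/Applications/Atomic Wallet.app",
    "/Applications/Ledger Live.app",
    "/Applications/Electrum.app",
    "/Applications/Trezor Suite.app",
]


@dataclass
class SignatureInfo:
    identifier: str = ""
    adhoc: bool = False
    team_id: Optional[str] = None
    authorities: List[str] = field(default_factory=list)


def parse_codesign_output(text: str) -> SignatureInfo:
    """Parse the key=value lines emitted by `codesign -dv --verbose=2`."""
    info = SignatureInfo()
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key == "Identifier":
            info.identifier = value
        elif key == "Signature" and value == "adhoc":
            info.adhoc = True          # ad hoc: no certificate chain at all
        elif key == "TeamIdentifier":
            info.team_id = None if value == "not set" else value
        elif key == "Authority":
            info.authorities.append(value)
    return info


def is_suspicious(info: SignatureInfo) -> bool:
    """A shipped wallet app should carry a certificate chain and a Team ID."""
    return info.adhoc or info.team_id is None or not info.authorities


def inspect_bundle(path: str) -> Optional[SignatureInfo]:
    """Run codesign on a real bundle (macOS only); None if the bundle is absent."""
    if not os.path.isdir(path):
        return None
    proc = subprocess.run(
        ["codesign", "-dv", "--verbose=2", path], capture_output=True, text=True
    )
    return parse_codesign_output(proc.stderr)  # codesign reports on stderr


# Constructed sample outputs shaped like codesign's stderr (not real captures).
SAMPLE_LEGIT = """Executable=/Applications/ExampleWallet.app/Contents/MacOS/ExampleWallet
Identifier=com.example.wallet
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8979
Authority=Developer ID Application: Example Wallet Inc (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

SAMPLE_ADHOC = """Executable=/Applications/ExampleWallet.app/Contents/MacOS/ExampleWallet
Identifier=com.example.wallet
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""

if __name__ == "__main__":
    for bundle in WALLET_BUNDLES:
        info = inspect_bundle(bundle)
        if info is None:
            continue
        state = "SUSPICIOUS (ad hoc / no Team ID)" if is_suspicious(info) else "ok"
        print(f"{bundle}: {info.identifier} {state}")
```

Run it on a Mac to walk the watchlist; on any platform the parser can be fed saved `codesign` output from a fleet inventory. Because the malware also strips the quarantine attribute with `xattr -cr`, a bundle that both lacks `com.apple.quarantine` on its Electron resources and shows an ad hoc signature is a stronger signal than either finding alone.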

Source: SentinelOne
SentinelOne cautions that the malware maintains persistence by installing a script disguised as a Google software update and registering it via LaunchAgent. This script runs once every minute and functions as a beacon, sending system details to the C2 server.
Should the script receive a command payload, it can decode and run it within the context of the current user, then erase the file—effectively granting the attacker broadened access to the machine.
SentinelOne points out that the SHub operator is broadening the infostealer’s functionality to include remote access to compromised machines, potentially enabling the deployment of additional malware.
The researchers have compiled a list of indicators of compromise to assist defenders in recognizing and blocking malicious activity linked to the new SHub Reaper variant.
SentinelOne advises monitoring for unusual outbound traffic following Script Editor execution, as well as any newly registered LaunchAgents and related files that appear under the namespace of trusted vendors.
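The LaunchAgent advice above can be turned into a triage script: the beacon the report describes has a vendor-looking label, a one-minute `StartInterval`, and a shell interpreter pointed at a script in a user-writable path, none of which a real vendor updater normally combines. The code below is an added example, not SentinelOne's detection logic; the vendor directories it trusts and the two sample plists are assumptions constructed for the demonstration.

```python
"""Hunt for LaunchAgents that borrow a trusted vendor's label but run an
attacker-controlled script on a tight timer.

Added example, not SentinelOne's tooling. The heuristics reflect the behaviour
the report describes (vendor-named label, once-a-minute beacon, shell script in
a user-writable path). Vendor paths and the sample plists are constructed.
"""
import glob
import os
import plistlib
from typing import Dict, List

# Label prefixes worth scrutinising and the directories their real agents
# normally execute from (assumed for this example, not an exhaustive list).
VENDOR_HOMES = {
    "com.google.": ("/Applications/Google", "/Library/Google",
                    "/Library/Application Support/Google"),
    "com.apple.": ("/System/", "/usr/"),
    "com.microsoft.": ("/Applications/Microsoft",
                       "/Library/Application Support/Microsoft"),
}
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3"}
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")


def triage_launch_agent(data: bytes) -> List[str]:
    """Return the reasons a LaunchAgent plist looks like the beacon described."""
    plist = plistlib.loads(data)
    findings: List[str] = []
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or (
        [plist["Program"]] if "Program" in plist else []
    )
    program = args[0] if args else ""
    # First path-like argument after the program is treated as the script.
    script = next((a for a in args[1:] if a.startswith(("/", "~"))), "")

    for prefix, homes in VENDOR_HOMES.items():
        if label.startswith(prefix):
            target = script or program
            if not target.startswith(homes):
                findings.append(f"label {label!r} mimics vendor but runs {target!r}")
    if os.path.basename(program) in INTERPRETERS:
        findings.append(f"program is a script interpreter: {program}")
    if script.startswith(USER_WRITABLE) or script.startswith("~"):
        findings.append(f"script lives in a user-writable path: {script}")
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and interval <= 60:
        findings.append(f"StartInterval={interval}s (beacon-like)")
    return findings


def scan_launch_agents(directory: str = os.path.expanduser("~/Library/LaunchAgents")) -> Dict[str, List[str]]:
    """Triage every plist in a LaunchAgents directory; returns {path: findings}."""
    results: Dict[str, List[str]] = {}
    for path in glob.glob(os.path.join(directory, "*.plist")):
        try:
            with open(path, "rb") as fh:
                hits = triage_launch_agent(fh.read())
        except Exception as exc:  # unreadable or malformed plist is itself notable
            hits = [f"unparseable plist: {exc}"]
        if hits:
            results[path] = hits
    return results


# Constructed samples (not real artifacts from the campaign).
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.softwareupdate</string>
  <key>ProgramArguments</key><array>
    <string>/bin/zsh</string>
    <string>/Users/victim/Library/Application Support/GoogleUpdate/update.sh</string>
  </array>
  <key>StartInterval</key><integer>60</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.updater.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksadmin</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

if __name__ == "__main__":
    for path, hits in scan_launch_agents().items():
        print(path)
        for hit in hits:
            print("   -", hit)
```

Each finding on its own is weak (plenty of legitimate agents run `/bin/sh`), so the value is in the combination: a vendor-prefixed label plus an interpreter plus a user-writable script plus a sixty-second interval matches the beacon profile closely enough to pull the script for analysis. Pair it with outbound-connection logging keyed on the agent's process to cover the "unusual outbound traffic" half of the advice.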