Skip to main content
Emerging ThreatsMalware & Ransomware

SHub Infostealer Variant Reaper Exploits macOS Security Updates

Cluttered home office desk with Mac laptop showing AppleScript code and fake app installer in background.

"clears the quarantine attributes with xattr -cr and uses ad hoc code signing on the modified application bundle," the researchers explain.

How Reaper tricks macOS users and sidesteps Tahoe 26.4

Researchers at SentinelOne discovered a new SHub macOS infostealer variant, dubbed Reaper, that abandons the earlier "ClickFix" trick of pasting Terminal commands and instead uses the applescript:// URL scheme to launch the macOS Script Editor preloaded with a malicious AppleScript. That shift explicitly bypasses the paste-and-run mitigations Apple introduced in late March with macOS Tahoe 26.4, which blocked pasting and executing potentially harmful commands in Terminal.

The malicious campaign lures victims with fake installers for WeChat and Miro hosted on domains crafted to look legitimate to less experienced users — examples include qq-0732gwh22[.]com, mlcrosoft[.]co[.]com, and mlroweb[.]com. SentinelOne reports that the fake QQ and Microsoft domains still serve fake WeChat installers, while the Miro-impersonating domain redirects to the legitimate site. BleepingComputer also observed that download buttons for Windows and Android deliver the same executable hosted in a Dropbox account.

Device fingerprinting, delivery, and the Russian-language kill-switch

Before presenting the Script Editor prompt, the malicious sites fingerprint visitors to detect virtual machines and VPNs — common indicators of an analysis environment — and enumerate installed browser extensions to identify password managers and cryptocurrency wallets. All telemetry is relayed to the attacker via a Telegram bot, SentinelOne says.

The AppleScript that ultimately fetches the payload is built dynamically and obfuscated beneath ASCII art. When a victim clicks "Run," the script impersonates an Apple security update referencing XProtectRemediator, downloads a shell script using curl, and executes it silently through zsh. Notably, the malware contains a regional check: if the host uses a Russian keyboard or input, the program reports a "cis_blocked" event to the command-and-control (C2) server and exits without infecting the machine.

What Reaper steals and how it hijacks wallets

Once active, Reaper prompts the user for their macOS password — a credential that can be used to access Keychain items, decrypt stored credentials, and unlock protected data. SentinelOne lists an extensive target set:

  • Browser data from Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Opera, Vivaldi, Arc, and Orion
  • Cryptocurrency wallet browser extensions, including MetaMask and Phantom
  • Password manager browser extensions, including 1Password, Bitwarden, and LastPass
  • Desktop cryptocurrency wallet applications, including Exodus, Atomic Wallet, Ledger Live, Electrum, and Trezor Suite
  • iCloud account data, Telegram session data, and developer-related configuration files

Reaper also contains a "Filegrabber" module that searches Desktop and Documents folders for likely-sensitive file types. It collects targeted files smaller than 2MB (PNG files up to 6MB) with a total volume cap set to 150MB. When desktop wallet applications are present, the malware can terminate their processes and replace a core application file with a malicious app.asar downloaded from the C2. To avoid Gatekeeper alerts, the malware clears quarantine attributes with xattr -cr and applies ad hoc code signing to the modified bundle.

Persistence, remote access, and attacker follow-on capability

SentinelOne warns that Reaper establishes persistence by installing a script that impersonates the Google software update and registering it as a LaunchAgent. The script runs every minute, acting as a beacon that sends system information to the C2. If the beacon receives a payload, it can decode and execute it in the context of the current user and then delete the file, extending the attacker's access. The SHub operator is also extending Reaper's capabilities to include remote access to compromised devices, which could allow fetching additional malware.

Indicators, detection advice, and recommended defensive actions

SentinelOne has provided a set of indicators of compromise to help defenders detect malicious behavior tied to Reaper. The vendor specifically recommends monitoring for suspicious outbound traffic following Script Editor execution and watching for new LaunchAgents and related files appearing under the namespace of trusted vendors. Those signals — unusual Script Editor activity, anomalous curl downloads executed via zsh, sudden Keychain access prompts paired with unexpected LaunchAgents — are the concrete footprints SentinelOne highlights.

What this means for end users, defenders, and application maintainers

End users: Reaper swaps a Terminal-paste trick for a Script Editor lure and a faux Apple security prompt; users who encounter an unexpected Script Editor window or an unsolicited request for their macOS password should exercise extreme caution.

Defenders and security teams: Monitor Script Editor executions, outbound connections to Telegram-based telemetry, and new LaunchAgents that impersonate legitimate updaters; check for replaced application bundles and xattr-clearing behavior.

Application maintainers and wallet developers: Be aware that an attacker replacing core application files (app.asar) and applying ad hoc signing can bypass local checks; integrity verification and monitoring of core application files are highlighted by these tactics.

SentinelOne's indicators and recommendations are available for defenders to apply; the immediate defensive levers are straightforward: watch for Script Editor as a delivery vector, monitor for the specific filesystem and LaunchAgent modifications, and treat unsolicited password prompts as high-risk events.

Original story on BleepingComputer