{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/google-software-update/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WeChat","Miro","macOS Script Editor","Google Software Update"],"_cs_severities":["high"],"_cs_tags":["macos","infostealer","backdoor","social-engineering","applescript"],"_cs_type":"advisory","_cs_vendors":["Apple","Google","Microsoft"],"content_html":"\u003cp\u003eThe SHub Reaper stealer is a macOS infostealer that blends traditional stealer functionality with persistent backdoor capabilities. It is distributed through social engineering lures such as fake WeChat and Miro installers. This malware demonstrates a shift in macOS malware behavior, moving away from ClickFix social engineering to AppleScript-based execution to evade detection. SHub Reaper leverages a unique multi-brand spoofing technique, impersonating Apple, Google, and Microsoft across the infection chain. The malware installs a fake Google Update framework to maintain persistence and establishes a backdoor, allowing for arbitrary command execution and continuous compromise of the infected system. This represents an evolution in macOS infostealers, combining \u0026ldquo;smash-and-grab\u0026rdquo; data theft with long-term access and control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attack starts with malicious web pages offering fake Miro and WeChat installers.\u003c/li\u003e\n\u003cli\u003eVictims download and execute the fake installers, initiating the infection chain.\u003c/li\u003e\n\u003cli\u003eThe malware may be hosted on a typosquatted Microsoft domain.\u003c/li\u003e\n\u003cli\u003eThe installer executes under the guise of a fake Apple security update.\u003c/li\u003e\n\u003cli\u003eSHub Reaper installs a fake Google Update framework under the user Library paths for persistence.\u003c/li\u003e\n\u003cli\u003eA LaunchAgent is registered using Google Keystone-style naming conventions to ensure the malware runs regularly.\u003c/li\u003e\n\u003cli\u003eThe malware beacons to a command and control server every 60 seconds, supporting arbitrary command execution.\u003c/li\u003e\n\u003cli\u003eThe malware steals credentials, hijacks crypto wallets, and exfiltrates documents while maintaining persistent backdoor access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful SHub Reaper infections can lead to significant data loss, including sensitive credentials, cryptocurrency assets, and confidential documents. The persistent backdoor allows attackers to maintain long-term access to compromised systems, enabling further data theft, command execution, and potential lateral movement within the network. The shift from ClickFix tactics to AppleScript execution renders traditional terminal-centric detections ineffective, increasing the risk of successful compromise. This combination of stealer and backdoor capabilities makes SHub Reaper a particularly dangerous threat to macOS users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unexpected invocations of Script Editor (\u003ccode\u003eScript Editor.app\u003c/code\u003e) to detect potential AppleScript-based execution, as outlined by SentinelOne\u0026rsquo;s report.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting \u003ccode\u003eosascript\u003c/code\u003e spawning \u003ccode\u003ecurl\u003c/code\u003e or shell interpreters to identify malicious AppleScript activity.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule for detecting browser-to-AppleScript execution chains to identify potential initial access vectors.\u003c/li\u003e\n\u003cli\u003eEducate macOS users to be wary of software installers from untrusted sources and to verify the authenticity of software updates, as this is the primary infection vector.\u003c/li\u003e\n\u003cli\u003eMonitor user Library paths for the installation of unexpected Google Update frameworks and LaunchAgents with Google Keystone-style naming conventions, as these are indicators of persistence.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T19:53:19Z","date_published":"2026-05-19T19:53:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-shub-reaper-macos-backdoor/","summary":"The SHub Reaper stealer combines credential theft, wallet hijacking, and document exfiltration with persistent backdoor access on macOS, distributed through fake WeChat and Miro installers while spoofing Apple, Google, and Microsoft to evade detection.","title":"SHub Reaper Stealer Backdoors macOS with Multi-Brand Spoofing","url":"https://feed.craftedsignal.io/briefs/2026-05-shub-reaper-macos-backdoor/"}],"language":"en","title":"CraftedSignal Threat Feed — Google Software Update","version":"https://jsonfeed.org/version/1.1"}