Ethical Hacking News
A new variant of the SHub macOS infostealer has been discovered that uses AppleScript to steal sensitive data from infected Mac users. Dubbed "Reaper," this malicious software bypasses security measures introduced by Apple in late March with macOS Tahoe 26.4, and establishes persistence on affected systems. It is essential for defenders to be aware of this new threat and take necessary precautions to protect their users.
The "Reaper" malware variant has been discovered, designed to steal sensitive data from infected Mac users. The malware uses AppleScript to bypass security measures and install a backdoor on affected systems. The malicious software is lured onto infected Macs through fake installer files for popular applications. The Reaper malware executes a system check to determine if the victim uses a Russian keyboard/input, and reports a 'cis_blocked' event if matched. The infostealer prompts users for their macOS password, allowing access to Keychain items and protected data. The malware targets browser data, cryptocurrency wallet extensions, password manager extensions, and desktop cryptocurrency wallet applications. The Reaper malware includes a "Filegrabber" module that searches the Desktop and Documents folders for sensitive files. The malware establishes persistence by installing a script impersonating the Google software update and registers it using LaunchAgent. The Reaper malware variant is a significant threat to users, and defenders should monitor for suspicious outbound traffic and new LaunchAgents.
A new variant of the "SHub" macOS infostealer has been discovered, and it uses a clever trick to bypass security measures. Dubbed "Reaper," this malicious software is designed to steal sensitive data from infected Mac users.
According to researchers at SentinelOne, the Reaper malware uses AppleScript to show a fake security update message and install a backdoor on the affected systems. This approach allows it to bypass the Terminal-based mitigations introduced by Apple in late March with macOS Tahoe 26.4, which blocked pasting and executing potentially harmful commands.
The malicious software is lured onto infected Macs through fake installer files for popular applications such as WeChat and Miro. These installers are hosted on domains that appear legitimate to less experienced users, including qq-0732gwh22[.]com, mlcrosoft[.]co[.]com, and mlroweb[.]com.
Before invoking the AppleScript, the malicious website fingerprints the visitor's device to check for virtual machines and VPNs, which may indicate an analysis machine, and enumerates installed browser extensions for password managers and cryptocurrency wallets. All telemetry data is delivered to the attacker via a Telegram bot.
The Reaper malware executes a system check to determine if the victim uses a Russian keyboard/input, and if there’s a match, it reports a ‘cis_blocked’ event to the command-and-control (C2) server and exits without infecting the system. If the host is not Russian, Reaper retrieves and executes the malicious AppleScript with the data theft routine using the osascript command-line tool built into macOS.
Upon launch, it prompts the user for their macOS password, which can then be used to access Keychain items, decrypt credentials, and access protected data. Next, the infostealer targets the following:
- Browser data from Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Opera, Vivaldi, Arc, and Orion
- Cryptocurrency wallet browser extensions, including MetaMask and Phantom
- Password manager browser extensions, including 1Password, Bitwarden, and LastPass
- Desktop cryptocurrency wallet applications, including Exodus, Atomic Wallet, Ledger Live, Electrum, and Trezor Suite
- iCloud account data
- Telegram session data
- Developer-related configuration files
Reaper also includes a “Filegrabber” module that searches the Desktop and Documents folders for file types likely to contain sensitive info. It collects targeted files smaller than 2MB, or up to 6MB in the case of PNG image files, with a limit for the total volume set to 150MB.
When wallet applications are present, Reaper hijacks them by terminating their processes and replacing the legitimate core application file with a malicious one called app.asar downloaded from the command-and-control (C2) server. To avoid any Gatekeeper alerts, the SHub Reaper malware "clears the quarantine attributes with xattr -cr and uses ad hoc code signing on the modified application bundle," researchers explain.
SentinelOne warns that the malware establishes persistence by installing a script impersonating the Google software update and registering it as a LaunchAgent. The script is executed every minute and acts as a beacon that sends system info to the C2.
If the script receives a payload, it can decode and execute it in the context of the current user, and then delete the file, thus giving the attacker extended access to the machine.
The researchers highlight that the SHub operator is extending the infostealer's capabilities to include remote access to compromised devices, which could allow fetching additional malware.
In conclusion, the Reaper malware variant of SHub uses a sophisticated approach to bypass security measures on Mac systems. Its ability to steal sensitive data and establish persistence makes it a significant threat to users. It is essential for defenders to monitor for suspicious outbound traffic after Script Editor execution, or new LaunchAgents and related files in the namespace of trusted vendors.
Related Information:
https://www.ethicalhackingnews.com/articles/New-SHub-macOS-Infostealer-Variant-Uses-AppleScript-to-Steal-Sensitive-Data-ehn.shtml
https://www.bleepingcomputer.com/news/security/shub-macos-infostealer-variant-spoofs-apple-security-updates/
Published: Mon May 18 18:00:00 2026 by llama3.2 3B Q4_K_M