Ethical Hacking News

The Reaper Stealer: A Sophisticated macOS Malware Campaign that Exploits User Trust



A new macOS malware campaign known as "Reaper" targets users through fake installer websites and social engineering rather than an exploit. The Reaper stealer harvests passwords and other stored credentials, cryptocurrency wallet data and business documents from infected Macs, then leaves behind a persistent backdoor. Mac users are advised to be wary of unfamiliar download sites, never to run a script that a website has opened in Script Editor, and to keep macOS up to date.

  • Mac users are facing a new malware campaign called "Reaper" that targets macOS devices.
  • The Reaper stealer relies on social engineering, not a vulnerability, to get victims to run malicious code themselves.
  • The fake installer pages fingerprint the visitor's system and browser, including IP address, location, WebGL data and indicators of virtual machines or VPNs, before delivering anything.
  • The page opens Apple's Script Editor with a padded script whose malicious command sits far below the visible part of the window; the victim executes it by clicking "Run".
  • The script phishes the user's login password, uses it to decrypt stored credentials, and searches the Desktop and Documents folders for business or financial files.
  • It also injects malicious code into installed cryptocurrency wallet apps for ongoing funds theft and beacons system details to the attacker's server every 60 seconds.
  • Persistence is a LaunchAgent and a directory structure that imitate Google Software Update, so the malware blends in with legitimate software instead of standing out.



    Mac users are facing a new and sophisticated threat, as a malware campaign known as "Reaper" has been discovered targeting macOS devices. The Reaper stealer does not exploit a flaw in macOS; it uses social engineering to get the victim to run malicious code themselves.

    According to SentinelOne research engineer Phil Stokes, the attack starts with fake WeChat and Miro installer websites hosted on a domain chosen to look trustworthy by typo-squatting a Microsoft URL: mlcrosoft[.]co[.]com. When a user visits these pages, hidden JavaScript collects extensive information about their system and browser, including IP address, location, WebGL fingerprinting data, and indicators that the visitor is running a virtual machine or a VPN, the kind of checks commonly used to withhold a payload from analysis environments.

    The attack stops if the victim is located in Russia. Otherwise it opens Apple's Script Editor via a link whose script is heavily padded with ASCII art and fake terms of service, pushing the malicious command far below the visible portion of the window when it loads. When the victim clicks "Run" in Script Editor, the hidden AppleScript executes and displays a popup that claims to be a security update for Apple's XProtectRemediator tool.

    Instead of updating anything, the script uses curl to silently download a shell script and prompts the victim for their login password, which is captured and used to decrypt various stored credentials. The Reaper stealer does all of this and more, including a file grabber that searches the Desktop and Documents folders for files that appear to contain business or financial information.

    This document-theft functionality resembles that of Atomic macOS Stealer (AMOS). The script also looks for several desktop cryptocurrency applications, including Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, and Trezor Suite. If it finds any, it injects malicious code into the wallet application so that funds can keep being stolen after the initial infection.

    For persistence, the Reaper stealer creates a directory structure that mimics Google Software Update: ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/. A LaunchAgent runs the GoogleUpdate script in that directory every 60 seconds; the script acts as a beacon that sends system details to the C2's /api/bot/heartbeat endpoint, giving the attacker a channel for executing further code on the backdoored machine.

    Because these files sit under a path that looks like a legitimate Google component, a casual look at Application Support will not raise suspicion, and the malware can stay in place for a long time. It is not invisible, though: the LaunchAgent (normally a plist in ~/Library/LaunchAgents) and the fake GoogleUpdate.app directory are ordinary filesystem artifacts that a hunter can look for, and a LaunchAgent that fires every 60 seconds is itself unusual.
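    The persistence described above gives a hunter two concrete artifacts: the fake GoogleUpdate.app directory and a LaunchAgent that runs its GoogleUpdate script every 60 seconds. The Python script below is an added example (editor's code, not the article's, SentinelOne's or the malware's) that scans a LaunchAgents directory for plists matching those indicators, plus one generic check: a LaunchAgent whose program is a script rather than a Mach-O binary. It assumes the LaunchAgent is an ordinary plist whose Program or ProgramArguments points at the beacon; the plist label and the sample home directory it builds are constructed for the demonstration and are not from a real infection.

```python
"""Hunt for Reaper-style LaunchAgent persistence in a macOS home directory.

Added example, not code from the article or the malware.  Indicators: the fake
GoogleUpdate.app path and 60 s beacon interval reported by SentinelOne, plus a
generic "program is a script, not a binary" check.  The sample data and the
label com.google.GoogleUpdate are constructed/hypothetical.
"""
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Directory reported for Reaper's fake Google updater.
REAPER_DIR_SUFFIX = "Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS"
# Reaper beacons every 60 s; anything this frequent deserves a look.
SHORT_INTERVAL = 60


def _program_path(agent: dict) -> Optional[str]:
    """Return the executable a LaunchAgent runs (Program, else ProgramArguments[0])."""
    program = agent.get("Program")
    if isinstance(program, str):
        return program
    args = agent.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def _is_script(path: Path) -> bool:
    """True if the target exists and starts with '#!' (a shell wrapper, not Mach-O)."""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"#!"
    except OSError:
        return False


def inspect_launch_agent(plist_path: Path) -> List[str]:
    """Return indicator strings for one plist; an empty list means nothing odd."""
    try:
        with plist_path.open("rb") as f:
            agent = plistlib.load(f)  # handles both XML and binary plists
    except (OSError, plistlib.InvalidFileException, ValueError):
        return [f"unparseable plist: {plist_path.name}"]
    target = _program_path(agent)
    if target is None:
        return []
    findings: List[str] = []
    if REAPER_DIR_SUFFIX in target:
        findings.append(f"program lives in fake GoogleUpdate.app path: {target}")
    interval = agent.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= SHORT_INTERVAL:
        findings.append(f"beacon-like StartInterval of {interval}s")
    if _is_script(Path(target).expanduser()):
        findings.append(f"program is a script, not a Mach-O binary: {target}")
    if findings:
        findings.insert(0, f"label={agent.get('Label', '?')}")
    return findings


def hunt(launch_agents_dir: Path) -> Dict[str, List[str]]:
    """Scan every .plist in a LaunchAgents directory; return {plist name: findings} for hits."""
    hits: Dict[str, List[str]] = {}
    for plist_path in sorted(launch_agents_dir.glob("*.plist")):
        findings = inspect_launch_agent(plist_path)
        if findings:
            hits[plist_path.name] = findings
    return hits


def build_sample(root: Path) -> Path:
    """Construct a fake home dir with one Reaper-like agent and one benign agent (sample data)."""
    home = root / "home"
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    fake_dir = home / REAPER_DIR_SUFFIX
    fake_dir.mkdir(parents=True)
    beacon = fake_dir / "GoogleUpdate"
    beacon.write_text("#!/bin/bash\n# stand-in for the beacon script; does nothing here\n")
    with (agents / "com.google.GoogleUpdate.plist").open("wb") as f:  # hypothetical label
        plistlib.dump({"Label": "com.google.GoogleUpdate",
                       "ProgramArguments": [str(beacon)],
                       "RunAtLoad": True,
                       "StartInterval": 60}, f)
    with (agents / "com.example.benign.plist").open("wb") as f:
        plistlib.dump({"Label": "com.example.benign",
                       "ProgramArguments": ["/usr/bin/true"],
                       "StartInterval": 3600}, f)
    return agents


def demo() -> Dict[str, List[str]]:
    """Run the hunt over the constructed sample and return its hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(build_sample(Path(tmp)))


if __name__ == "__main__":
    real = Path.home() / "Library" / "LaunchAgents"
    results = hunt(real) if real.is_dir() else demo()
    for name, findings in results.items():
        print(name)
        for finding in findings:
            print("   ", finding)
```

    Run as-is on a Mac it scans ~/Library/LaunchAgents; anywhere else it falls back to the constructed sample. The path match is an exact-string indicator and will miss a variant that renames the directory; the short-interval and script-versus-binary checks are the ones that generalize, and a legitimate updater that trips both is worth a second look anyway.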

    The Reaper stealer is one more example of how macOS threats now lean on social engineering and careful mimicry of legitimate software rather than on exploits. Users should treat installers from unfamiliar sites with suspicion and should never click "Run" on a script that a website has opened in Script Editor.

    In short, Reaper combines a convincing lure, credential phishing, document and wallet theft, and a beaconing backdoor disguised as Google Software Update. Its main strength is user trust, which is also where it can be stopped: refuse unexpected scripts, download software only from vendor sites, keep macOS current, and periodically inspect LaunchAgents for entries that do not belong.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Reaper-Stealer-A-Sophisticated-macOS-Malware-Campaign-that-Exploits-User-Trust-ehn.shtml

  • https://www.theregister.com/security/2026/05/19/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them/5242258


  • Published: Mon May 18 19:46:53 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.