SHub macOS Infostealer Spoofs Apple Updates

Forget Terminal prompts. A new breed of macOS malware is here, luring users with fake Apple security updates and slipping past defenses through a clever use of AppleScript.

Screenshot of a fake Apple security update notification on a macOS interface.

Key Takeaways

  • SHub infostealer variant 'Reaper' impersonates Apple security updates to bypass defenses.
  • It exploits the AppleScript URL scheme, circumventing Terminal-based security patches.
  • Reaper steals browser data, crypto wallet info, documents, and can hijack wallet applications.
  • The malware uses ASCII art to hide malicious commands and performs system checks for Russian keyboard input.

Here’s the thing: it’s not about brute force anymore. This latest iteration of the SHub macOS infostealer, codenamed ‘Reaper,’ isn’t blasting past your defenses with sheer power; it’s whispering its way in, cloaked in the guise of something you want to see. A legitimate-sounding security update from Apple, no less.

This isn’t just another piece of malware stealing your browser cookies. Reaper, as it’s been dubbed by the SentinelOne researchers who unearthed it, is a sophisticated tool. It pilfers sensitive browser data, hoovers up documents that might contain your banking details, and worse, actively hijacks cryptocurrency wallet applications. We’re talking about direct access to your digital lifeblood.

The Shift From ‘ClickFix’ to Script Editor

What makes this variant particularly concerning is how it sidesteps the defenses Apple recently put in place. Remember those late March updates? macOS Tahoe 26.4, specifically, added a mitigation against users mindlessly pasting commands into the Terminal. SHub’s previous iterations relied heavily on this ‘ClickFix’ tactic of tricking users into executing arbitrary code. Reaper, however, opts for a subtler approach: it uses the applescript:// URL scheme. This neatly preloads the macOS Script Editor with malicious AppleScript, rendering the Terminal-based fixes largely irrelevant.

The Lure: Fake Apps, Real Domains?

Users are being drawn in through a meticulously crafted phishing net. Domains like qq-0732gwh22[.]com, mlcrosoft[.]co[.]com, and mlroweb[.]com are designed to look legitimate, especially to less discerning eyes. They masquerade as download portals for popular applications like WeChat and Miro. While some redirect to the actual Miro site (a clever way to build trust), others serve up fake installers, the first domino in a chain leading to compromise.

What’s particularly insidious is the pre-infection reconnaissance. Before even thinking about serving the payload, these malicious websites fingerprint your device. They’re checking for virtual machines and VPNs—indicators of an analyst or a careful user. They’re also enumerating your installed browser extensions, specifically looking for password managers and crypto wallets. All this data? It’s neatly packaged and sent to the attacker via a Telegram bot.

Hiding in Plain Sight: ASCII Art and Dynamic Code

SentinelOne’s report shines a light on the sheer ingenuity at play. The command that fetches the actual malware payload is constructed dynamically and, get this, hidden beneath ASCII art. It’s a digital camouflage that’s as bizarre as it is effective. When a user clicks ‘Run’ on the seemingly innocuous AppleScript, the malware conjures a fake Apple security update message, mentioning XProtectRemediator—a legitimate Apple security tool—to further lull the victim. It then uses curl to download a shell script and zsh to execute it silently in the background.

When the victim clicks ‘Run,’ the script displays a fake Apple security update message referencing XProtectRemediator, downloads a shell script using ‘curl,’ and executes it silently via ‘zsh.’

A Geopolitical Twist

Before the data-stealing routine kicks in, Reaper performs a fascinating system check. It probes the user’s keyboard and input language settings, looking for a match with Russian. If it detects a Russian keyboard layout, the malware reports a cis_blocked event to its command-and-control (C2) server and bails. This suggests a deliberate effort to avoid targeting Russian-speaking users, a tactic often seen in nation-state or politically motivated attacks, or perhaps simply an attempt to minimize detection by researchers in that region.

The Depth of Data Theft

For those who aren’t Russian keyboard users, the real assault begins. The malware prompts for the user’s macOS password—your master key to Keychain items and protected data. Then, it systematically targets an alarming array of sensitive information:

  • Browser data from Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Orion.
  • Crypto wallet extensions like MetaMask and Phantom.
  • Password managers like 1Password, Bitwarden, and LastPass.
  • Desktop crypto wallets: Exodus, Atomic Wallet, Ledger Live, Electrum, Trezor Suite.
  • iCloud account details.
  • Telegram session data.
  • Even developer-specific configuration files are on the menu.

Hijacking Wallets and Evading Gatekeeper

Reaper’s ‘Filegrabber’ module is equally concerning, scanning Desktop and Documents for files likely containing sensitive information, with specific size limits for collection. But its most aggressive move involves cryptocurrency wallet applications. It doesn’t just steal data; it actively hijacks these apps. It terminates their legitimate processes and replaces their core application files with a malicious .asar file downloaded from the C2. To ensure these tampered applications run without a hitch, the malware ruthlessly clears quarantine attributes using xattr -cr and then performs ad hoc code signing on the modified bundle, effectively fooling macOS’s Gatekeeper.
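The check a responder can run on the wallet apps named above, added here as an example and not code from SentinelOne or the project: it parses ‘codesign -dvv’ output and flags an ad hoc seal, a missing TeamIdentifier, or a certificate chain with no Developer ID Application entry, which is what the re-signing described here leaves behind. The app bundle names, the /Applications path and the codesign excerpts are assumed or constructed.

```python
import subprocess
from pathlib import Path

# Desktop wallets the article names as hijack targets; a default /Applications install is assumed.
WALLET_APPS = ["Exodus.app", "Atomic Wallet.app", "Ledger Live.app", "Electrum.app", "Trezor Suite.app"]


def assess_signature(codesign_output: str) -> list[str]:
    """Findings for one codesign -dvv report; an ad hoc seal is the tampering fingerprint above."""
    info, authorities = {}, []
    for line in codesign_output.splitlines():
        key, sep, value = line.partition("=")
        key = key.split(" ", 1)[0]  # "CodeDirectory v=..." keys carry a version token
        if sep and key == "Authority":
            authorities.append(value)
        elif sep:
            info[key] = value
    reasons = []
    if info.get("Signature") == "adhoc" or "(adhoc)" in info.get("CodeDirectory", ""):
        reasons.append("ad hoc signature: no certificate backs this bundle")
    if info.get("TeamIdentifier", "not set") == "not set":
        reasons.append("TeamIdentifier not set")
    if not any(a.startswith("Developer ID Application") for a in authorities):
        reasons.append("no Developer ID Application authority in the chain")
    return reasons


def triage_wallet_apps(apps_dir: Path = Path("/Applications")) -> dict[str, list[str]]:
    """Run codesign on each installed wallet app (macOS only); returns findings per app."""
    findings = {}
    for name in WALLET_APPS:
        bundle = apps_dir / name
        if bundle.exists():
            proc = subprocess.run(["codesign", "-dvv", str(bundle)], capture_output=True, text=True)
            if hits := assess_signature(proc.stderr):  # codesign writes its report to stderr
                findings[name] = hits
    return findings


# Constructed excerpts, not captured from real apps: a bundle re-sealed ad hoc after tampering,
# then a vendor-signed bundle as it should look.
SAMPLE_ADHOC = """CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""
SAMPLE_VENDOR = """CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Vendor (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
```

On a live Mac, triage_wallet_apps() returns only the bundles with findings; a wallet that was legitimately installed should come back clean, and any hit is a cue to reinstall from the vendor and rotate seeds.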

Persistence and Remote Access

How does it maintain its grip? By impersonating a Google software update. A malicious script is installed as a LaunchAgent, executing every minute, acting as a silent beacon that pings the C2 with system info. If the C2 sends back a payload, this script can decode and execute it within the current user’s context, then delete itself, leaving behind an attacker with persistent, elevated access. SentinelOne’s researchers point out that the SHub operators are evolving the infostealer to include remote access capabilities, opening the door to downloading and executing even more malware. It’s a modular threat, designed to grow its capabilities.
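A defender-side triage for the persistence pattern described above, added here as an example and not code from SentinelOne or from the malware: it parses LaunchAgent plists and flags a Google-sounding label whose program does not live under Google's own install directories (an assumed set), a StartInterval of one minute or less, and a shell interpreter handed a loose script. The sample plists are constructed.

```python
import plistlib
from pathlib import Path

SHELLS = {"sh", "bash", "zsh", "osascript"}
# Assumed: where a genuine Google updater agent lives (system-wide, or the same path under $HOME).
GOOGLE_DIRS = ("/Library/Google/", "/Library/Application Support/Google/")
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def assess_launch_agent(plist_bytes: bytes, home: str = "/Users/victim") -> list[str]:
    """Return the indicators one LaunchAgent plist matches (an empty list means none)."""
    data = plistlib.loads(plist_bytes)
    label = str(data.get("Label", ""))
    args = list(data.get("ProgramArguments") or [data.get("Program", "")])
    program = args[0].replace("~", home, 1) if args[0].startswith("~") else args[0]
    reasons = []
    # 1. Cadence: the beacon described above fires every minute.
    interval = data.get("StartInterval")
    if isinstance(interval, int) and interval <= 60:
        reasons.append(f"StartInterval={interval}s (one-minute beacon cadence)")
    # 2. Google-sounding label whose program does not live where Google installs it.
    trusted = GOOGLE_DIRS + tuple(home + d for d in GOOGLE_DIRS)
    if "google" in label.lower() and not program.startswith(trusted):
        reasons.append(f"label {label!r} impersonates Google but runs {program!r}")
    # 3. A shell interpreter handed a loose script, or anything launched from a temp path.
    if Path(program).name in SHELLS:
        for arg in args[1:]:
            if arg.endswith(".sh") or arg.startswith(TEMP_DIRS):
                reasons.append(f"shell interpreter runs loose script {arg!r}")
                break
    return reasons


def scan_launch_agents(directory: Path, home: str) -> dict[str, list[str]]:
    """Assess every *.plist in `directory`; only agents with findings are returned."""
    results = {}
    for plist in sorted(directory.glob("*.plist")):
        if hits := assess_launch_agent(plist.read_bytes(), home):
            results[plist.name] = hits
    return results


# Constructed samples, not real artifacts: one shaped like the beacon described above,
# one shaped like a legitimate per-user Google Keystone agent.
SAMPLE_BEACON = plistlib.dumps({"Label": "com.google.update.agent", "StartInterval": 60,
    "ProgramArguments": ["/bin/zsh", "/Users/victim/Library/Caches/update.sh"]})
SAMPLE_LEGIT = plistlib.dumps({"Label": "com.google.keystone.agent", "StartInterval": 3600,
    "ProgramArguments": ["/Users/victim/Library/Google/GoogleSoftwareUpdate/"
                         "GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent"]})
```

On a live Mac, call scan_launch_agents(Path.home() / "Library/LaunchAgents", str(Path.home())) and review each hit alongside the script it points at.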

What Does SHub Reaper Actually Do?

SHub Reaper is an advanced macOS infostealer. It tricks users into running malicious AppleScripts disguised as security updates, steals a wide range of sensitive data including browser credentials, cryptocurrency wallet information, and documents, and can even hijack crypto wallet applications by replacing their core files. It also establishes persistence using LaunchAgents and can provide remote access to compromised systems.

How Does Reaper Bypass macOS Security?

Reaper bypasses macOS security by exploiting the applescript:// URL scheme to launch the Script Editor with malicious code, circumventing Terminal-based protections. It also clears quarantine attributes (xattr -cr) and uses ad hoc code signing to evade Gatekeeper checks on its modified payloads.

Is This a New Type of Mac Malware?

While SHub itself isn’t new, this variant, Reaper, represents a significant evolution. Its sophisticated social engineering (spoofing Apple updates), evasion techniques (bypassing Terminal mitigations, ad hoc code signing), and aggressive hijacking of applications (crypto wallets) showcase a new level of threat targeting macOS users.


Written by Maya Thompson

Threat intelligence reporter. Tracks CVEs, ransomware groups, and major breach investigations.


Originally reported by Bleeping Computer