HackRead

New Reaper Malware Uses Fake Microsoft Domain to Steal macOS Passwords


A new strain of malware is targeting macOS users, disguised as a critical system update and as popular workplace software. Cybersecurity firm SentinelOne’s research unit, SentinelLABS, recently discovered the threat and shared its findings with Hackread.com.

The malware is a new variant of an infostealer called SHub, tracked under the name Reaper. Apple recently updated macOS Tahoe 26.4 to block similar attacks, but researchers found that “Reaper’s tricks route around that fix entirely,” making it a serious threat to Mac users.

How the Trick Works

The attack starts with fake download pages for WeChat or Miro, popular communication and workplace apps. To make these downloads appear trustworthy, the attackers used a typosquatted domain, mlcrosoft.co.com.

When someone visits these pages, hidden JavaScript inspects the visitor’s computer for specific software, IP address, location data, and security tools, and the attack proceeds only if the visitor is outside Russia. The user is then tricked into opening a built-in Mac tool, Script Editor, through a special link scheme.

The link carries the attackers’ commands hidden behind blank lines and ASCII art so that they are not visible on screen. If the user clicks Run, a fake message appears posing as an official Apple security update for XProtectRemediator; instead of updating anything, it starts downloading files from the internet using the curl tool.

Fake pop-up to distract the user (Source: SentinelOne)

Stealing Files and Staying Hidden

After initial access, the next stage begins: a pop-up box asks the user for their main computer login password, a crucial step in the attack. If it is obtained, Reaper decrypts and steals saved data from major browsers including Firefox, Chrome, Edge, Brave, Opera, Vivaldi, Arc, and Orion, and also targets password managers such as 1Password and cryptocurrency wallets such as MetaMask.

Researchers noted that, like Atomic macOS Stealer, Reaper also includes a document-stealing feature. It searches the user’s Desktop and Documents folders for financial or business files under 2 MB, and for images under 6 MB to 150 MB.

If the stolen files are too large, Reaper runs a script to split them into 70 MB zipped parts before uploading them to the attackers’ gateway server at hebsbsbzjsjshduxbs.xyz. It even replaces real cryptocurrency wallet applications with fake versions to monitor future activity.

The most concerning aspect, though, is that Reaper leaves a permanent backdoor by creating a hidden folder structure that mimics a legitimate Google Software Update path. Every 60 seconds, this hidden file contacts the attackers’ server endpoint, and if the server sends back code, the script runs it with the user’s elevated privileges, allowing the attackers to issue new commands or install more advanced malware later.
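The fixed 60-second beacon described above is something a defender can look for in network logs even when the command server’s hostname is unknown. The following is an added example, not code from the SentinelOne report or from Hackread: it matches the two domains named in the article against a constructed proxy log and, separately, flags any client/domain pair contacted at a steady roughly-60-second cadence. The log line format (`<ISO timestamp> <client> <domain>`) and the beacon domain `update-check.example.org` are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Domains named in the article: the typosquat lure site and the upload gateway.
KNOWN_BAD_DOMAINS = {"mlcrosoft.co.com", "hebsbsbzjsjshduxbs.xyz"}

# Constructed sample proxy log (not real telemetry); one "<ISO timestamp> <client> <domain>" per line.
SAMPLE_LOG = """\
2025-05-01T10:00:00 10.0.0.5 mlcrosoft.co.com
2025-05-01T10:00:07 10.0.0.5 cdn.example.net
2025-05-01T10:01:00 10.0.0.5 update-check.example.org
2025-05-01T10:02:00 10.0.0.5 update-check.example.org
2025-05-01T10:03:00 10.0.0.5 update-check.example.org
2025-05-01T10:04:01 10.0.0.5 update-check.example.org
2025-05-01T10:05:00 10.0.0.5 update-check.example.org
2025-05-01T10:02:13 10.0.0.7 news.example.com
2025-05-01T10:09:40 10.0.0.7 news.example.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse(log):
    """Yield (timestamp, client, domain) tuples; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_ioc_hits(log):
    """Return sorted (client, domain) pairs that contacted a known-bad domain."""
    return sorted({(c, d) for _, c, d in parse(log) if d in KNOWN_BAD_DOMAINS})


def find_beacons(log, period=60.0, tolerance=2.0, min_hits=5):
    """Flag (client, domain, mean_gap) where the contact interval hugs `period` seconds
    with little jitter, regardless of whether the domain is on any blocklist."""
    seen = defaultdict(list)
    for ts, c, d in parse(log):
        seen[(c, d)].append(ts)
    beacons = []
    for (client, domain), stamps in seen.items():
        if len(stamps) < min_hits:
            continue  # too few contacts to judge cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if abs(mean - period) <= tolerance and pstdev(gaps) <= tolerance:
            beacons.append((client, domain, round(mean, 1)))
    return beacons
```

The cadence check is deliberately separate from the IOC match: a blocklist catches only the domains already known, while the interval check catches the backdoor’s clock-like behaviour whatever hostname it uses.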

Reaper obtaining user password via AppleScript password dialog (Source: SentinelOne)

“The Reaper build shows that SHub operators are extending their malware beyond straightforward credential and wallet theft. Alongside an AMOS-style Filegrabber and chunked uploads, the variant also installs a persistent backdoor, giving the operators more ways to steal data or pivot to other malicious installs after the initial compromise,” researchers concluded in the blog post.

Researchers urge Mac users to close Script Editor immediately if a web link forces it to open, and to avoid downloading apps from unverified websites.
