GBHackers

New SHub Stealer Variant Targets Major Browsers and Crypto Wallets


Threat actors have resurfaced with an upgraded SHub stealer for macOS, now branded “Reaper,” and they’re using a stealthy distribution trick that should worry every Mac user.

Attackers build fake download pages for popular apps (WeChat, Miro and others) and employ an automated ClickFix technique that opens Apple’s Script Editor preloaded with malicious code.

One click of the Script Editor’s Play button starts a multi-stage infection that ultimately steals browser data, crypto wallets and documents, and installs a hidden backdoor.

Fake pages point at spoofed domains and even host payloads on typo-squatted Microsoft-style addresses.

The attackers also reference what look like official Apple or Google update files to build trust, and they place malware under paths such as ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/ to masquerade as legitimate services.

What makes Reaper especially dangerous is its blended capability set. Earlier SHub variants already exfiltrated browser credentials, macOS Keychains, iCloud tokens, Telegram sessions, and developer resources.

The Reaper build adds AMOS-style file grabbing and a targeted attack on desktop cryptocurrency wallets. It searches Documents and Desktop for high-value file types (.docx, .pdf, .wallet, .key, .json, .xlsx and more), zips and shards the results, and uploads them to an attacker-controlled command-and-control endpoint.

SentinelOne, in a report shared with GBHackers, documented the latest wave and showed how threat actors combine social engineering and brand spoofing to appear legitimate.

For crypto, Reaper does not merely replace wallet apps; it modifies their local code to siphon funds when the wallet is used. SentinelOne’s analysis shows the malware edits legitimate wallet application files for Exodus, Atomic, Ledger Live, Electrum, Trezor Suite and others to intercept secrets and transactions.


The Fake WeChat code shared by SentinelOne opens up on your Script Editor (Source : Moonlock).

Reaper also contains obvious anti-analysis checks: it detects if the Mac’s keyboard is set to Russian and aborts if so, a common sign that operators exclude local jurisdictions.


The infection flow often prompts a fake system password dialog to trick users into granting permissions, then persists via a LaunchAgent that runs a Base64-encoded “GoogleUpdate” script on startup.
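The two persistence traits described above (an agent under `~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/` and a LaunchAgent that runs a Base64-encoded "GoogleUpdate" script at login) are the kind of thing a defender can triage quickly from `~/Library/LaunchAgents`. The script below is an added example written for this article, not code from SentinelOne, Moonlock or the malware itself: it parses LaunchAgent plists with the standard library, decodes any long Base64 run in the program arguments, and flags agents whose label, arguments or decoded payload match the indicators quoted in the article. The 40-character Base64 threshold, the reason codes and both sample plists are constructed assumptions for illustration; the heuristics are a triage hint, not a verdict, so a hit still deserves a look at the agent's code signature and parent process.

```python
#!/usr/bin/env python3
"""Added example: triage macOS LaunchAgent plists for the persistence traits the
article attributes to Reaper (a "GoogleUpdate" agent under
~/Library/Application Support/Google/... that runs a Base64-encoded script at
login). Heuristics and sample plists are constructed for illustration; they are
not SentinelOne's or Moonlock's detection logic."""
import base64
import binascii
import plistlib
import re
from pathlib import Path
from xml.parsers.expat import ExpatError

# Path fragment quoted in the article: the masquerade directory the malware uses.
MASQUERADE_PATH = "Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS"
# A run of 40+ Base64-alphabet characters with optional padding (assumed threshold).
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_base64_blobs(text: str) -> list[str]:
    """Return every long Base64 run in `text` that decodes to printable text.
    Requiring printable output filters out path-like strings that merely happen
    to be valid Base64."""
    found = []
    for match in BASE64_RUN.finditer(text):
        try:
            decoded = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if decoded and all(ch.isprintable() or ch in "\n\t" for ch in decoded):
            found.append(decoded)
    return found


def triage_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return reason codes explaining why a LaunchAgent resembles the GoogleUpdate
    persistence described in the article; an empty list means nothing matched."""
    try:
        data = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        return ["unparseable_plist"]
    label = str(data.get("Label", ""))
    args = [str(a) for a in data.get("ProgramArguments", [])]
    if "Program" in data:
        args.insert(0, str(data["Program"]))
    command = " ".join(args)
    decoded = decode_base64_blobs(command)
    # Search both the literal arguments and anything hidden inside Base64.
    haystack = command + "\n" + "\n".join(decoded)

    reasons = []
    if "googleupdate" in label.lower():
        reasons.append("label_imitates_google_update")
    if decoded:
        reasons.append("base64_command")
    if MASQUERADE_PATH in haystack:
        reasons.append("masquerade_path")
    if reasons and data.get("RunAtLoad"):
        reasons.append("run_at_load")  # executes on every login
    return reasons


def scan_launch_agents(directory: Path = Path.home() / "Library" / "LaunchAgents") -> dict[str, list[str]]:
    """Triage every .plist in a LaunchAgents directory; returns {filename: reasons}
    for flagged agents only."""
    flagged = {}
    plists = sorted(directory.glob("*.plist")) if directory.is_dir() else []
    for plist in plists:
        reasons = triage_launch_agent(plist.read_bytes())
        if reasons:
            flagged[plist.name] = reasons
    return flagged


# --- Constructed samples (not real malware artifacts) -------------------------
# The "payload" is just the masquerade path from the article, Base64-encoded the
# way a dropper might hide it inside `echo ... | base64 -d | bash`.
DEMO_PAYLOAD = "~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate"
DEMO_BLOB = base64.b64encode(DEMO_PAYLOAD.encode()).decode()

SUSPICIOUS_PLIST = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.googleupdate.agent</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string><string>-c</string>
    <string>echo {DEMO_BLOB} | base64 -d | bash</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""".encode()

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.nightly-backup</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/backup-tool</string><string>--nightly</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print("suspicious sample:", triage_launch_agent(SUSPICIOUS_PLIST))
    print("benign sample:   ", triage_launch_agent(BENIGN_PLIST))
    print("live scan:", scan_launch_agents())
```

Run it as-is to see the two constructed samples classified and your own `~/Library/LaunchAgents` scanned; on a clean Mac the live scan returns an empty dictionary. The label check deliberately errs toward noise, since any agent mentioning "GoogleUpdate" is worth a second look; the path and Base64 checks are the more specific signals, and the decoded payload is searched as well as the raw arguments so that a path hidden behind `base64 -d` still trips the masquerade-path rule.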

Because the attack leverages Apple’s own Script Editor and plausible-looking web pages, it’s harder for nontechnical users to recognize the threat.

The Apple Developers’ Mac Automation Scripting Guide shows the basics of the tool (Source : Moonlock).

How to protect yourself from Reaper and similar macOS stealers: maintain healthy skepticism for download pages and unexpected “fix this” instructions; never paste or run code from web pages unless you can verify its source; refuse to hit the Play button in Script Editor unless you created the script yourself; check URLs carefully and avoid downloads from third-party or mirror sites that look unofficial.

For layered protection and ongoing monitoring, consider endpoint products like Moonlock, which advertises detection of many stealer variants and offers a trial.

This campaign shows a worrying trend: attackers reuse successful distribution tricks and combine features from different stealers to create more capable hybrids.

For Mac users, the lesson is simple: don’t let convenience override caution. Verify downloads at the official vendor site, avoid executing unfamiliar scripts, keep macOS and applications updated, and use a trusted security solution to catch stealthy, multi-stage threats like Reaper.
