A new variant of the ‘SHub’ macOS infostealer uses AppleScript to show a fake security update message and installs a backdoor.
Dubbed Reaper, the new version steals sensitive browser data, collects documents and files that may contain financial details, and hijacks crypto wallet apps.
Unlike earlier SHub campaigns that relied on “ClickFix” tactics, tricking users into pasting and executing commands in Terminal, the Reaper relies on the applescript:// URL scheme to launch the macOS Script Editor preloaded with a malicious AppleScript.
This approach bypasses the Terminal-based mitigations Apple introduced in late March with macOS Tahoe 26.4, which blocked pasting and executing potentially harmful commands.
SentinelOne researchers identified the new SHub infostealer variant and found that users were lured with a fake installer for WeChat and Miro applications hosted on domains made to appear legitimate to less experienced users (e.g., qq-0732gwh22[.]com, mlcrosoft[.]co[.]com, mlroweb[.]com).
Currently, the fake QQ and Microsoft domains still serve fake WeChat installers, while the one impersonating the Miro visual collaboration platform redirects to the legitimate website.
BleepingComputer noticed that download buttons for Windows and Android serve the same executable hosted in a Dropbox account.
Before invoking the AppleScript, the malicious websites fingerprint the visitor’s device to check for virtual machines and VPNs, which may indicate an analysis machine and enumerate installed browser extensions for password managers and cryptocurrency wallets. All telemetry data is delivered to the attacker via a Telegram bot.
SentinelOne’s report today notes that the script with the command that fetches the payload is constructed dynamically and hidden under ASCII art.
Source: SentinelOne
When the victim clicks ‘Run,’ the script displays a fake Apple security update message referencing XProtectRemediator, downloads a shell script using ‘curl,’ and executes it silently via ‘zsh.’
Before deploying its data-theft logic, the malware performs a system check to determine if the victim uses a Russian keyboard/input, and if there’s a match, it reports a ‘cis_blocked’ event to the command-and-control (C2) server and exits without infecting the system.
If the host is not Russian, Reaper retrieves and executes the malicious AppleScript with the data theft routine using the osascript command-line tool built into macOS.
Upon launch, it prompts the user for their macOS password, which can then be used to access Keychain items, decrypt credentials, and access protected data. Next, the infostealer targets the following:
- Browser data from Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Opera, Vivaldi, Arc, and Orion
- Cryptocurrency wallet browser extensions, including MetaMask and Phantom
- Password manager browser extensions, including 1Password, Bitwarden, and LastPass
- Desktop cryptocurrency wallet applications, including Exodus, Atomic Wallet, Ledger Live, Electrum, and Trezor Suite
- iCloud account data
- Telegram session data
- Developer-related configuration files
Reaper also includes a “Filegrabber” module that searches the Desktop and Documents folders for file types likely to contain sensitive info. It collects targeted files smaller than 2MB, or up to 6MB in the case of PNG image files, with a limit for the total volume set to 150MB.
Source: SentinelOne
When wallet applications are present, hijacks them by terminating their processes and replacing the legitimate core application file with a malicious one called app.asar downloaded from the command-and-control (C2) server.
To avoid any Gatekeeper alerts, the SHub Reaper malware “clears the quarantine attributes with xattr -cr and uses ad hoc code signing on the modified application bundle,” the researchers explain.
Source: SentinelOne
SentinelOne warns that the malware establishes persistence by installing a script impersonating the Google software update and registers it using LaunchAgent. The script is executed every minute and acts as a beacon that sends system info to the C2.
If the script receives a payload, it can decode and execute it in the context of the current user, and then delete the file, thus giving the attacker extended access to the machine.
SentinelOne highlights that SHub operator is extending the infostealer’s capabilities to include remote access to compromised devices, which could allow fething additional malware.
The researchers have provided a set of indicators of compromise that could help defenders protect against malicious behavior associated with the new SHub Reaper infostealer variant.
SentinelOne recommends monitoring for suspicious outbound traffic after Script Editor execution, or new LaunchAgents and related files in the namespace of trusted vendors.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
