A new macOS infostealer variant has been observed impersonating three different tech giants in a single infection chain.
SentinelOne researchers have detailed a new build of the SHub Stealer family, tagged “Reaper,” that uses fake WeChat and Miro installer pages as initial lures.
The payload was hosted on mlcrosoft[.]co[.]com, a typo-squatted domain (a lowercase "l" in place of the "i") designed to pass casual inspection as a Microsoft URL; it executed under the guise of a fake Apple XProtectRemediator update and established persistence from a directory mimicking Google Software Update. The primary C2 was hebsbsbzjsjshduxbs[.]xyz, which handled data exfiltration, 60-second heartbeat beacons, and delivery of backdoor commands.
The malware family is not new. Researchers at Moonlock, Jamf, and Malwarebytes have tracked earlier SHub builds over the past two years. What changes in the Reaper variant is the breadth of brand impersonation, a sidestep of Apple’s recent Terminal mitigations, and an upgrade from credential stealer to persistent backdoor.
Apple Terminal Bypass and a Google-Branded Backdoor
Earlier SHub builds relied on classic “ClickFix” social engineering, convincing victims to paste commands into Terminal.
Apple’s macOS Tahoe 26.4 release closed that path. Reaper sidesteps the fix by invoking the applescript:// URL scheme, which opens the built-in Script Editor with an attacker-supplied script already loaded. The script is padded with filler ASCII characters so that the malicious command sits below the visible window area; the victim sees only the benign-looking top of the script when they click Run.
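A triage helper for that lure, added here as an editor's example (it is not SentinelOne's tooling or the malware's code): it recovers the script an applescript:// URL would open in Script Editor, measures the longest run of filler lines, and reports which command the filler pushes out of view. The URL layout (applescript://com.apple.scripteditor?action=new&script=...), the keyword list, the 40-line padding threshold and the sample lure are all assumptions for illustration; the sample's payload is a harmless echo.

```python
"""Triage an applescript:// lure: recover the script and locate what the padding hides.
Added example, not SentinelOne's or the malware's code."""
from urllib.parse import parse_qs, quote, urlparse

# Commands a lure typically pads to hide. The keyword list is an assumption for illustration.
SUSPICIOUS = ("do shell script", "curl ", "osascript", "base64", "nohup", "launchctl")
# Assumption: this many consecutive filler lines before a command is padding, not coding style.
PADDING_THRESHOLD = 40

# Constructed sample lure: a reassuring first line, 200 blank lines, then the command the
# victim never scrolls to. The real payload is replaced with a harmless echo.
SAMPLE_SCRIPT = (
    'display dialog "Verifying installer..."\n'
    + "\n" * 200
    + 'do shell script "echo hidden-command"\n'
)
# Assumed Script Editor URL form: applescript://com.apple.scripteditor?action=new&script=<encoded>
SAMPLE_URL = "applescript://com.apple.scripteditor?action=new&script=" + quote(SAMPLE_SCRIPT)
# Constructed benign counterpart with no padding and no shell command.
BENIGN_URL = "applescript://com.apple.scripteditor?action=new&script=" + quote('display dialog "hi"')


def extract_script(url):
    """Return the script carried by an applescript:// URL, or None if the URL is not one."""
    parts = urlparse(url)
    if parts.scheme != "applescript":
        return None
    scripts = parse_qs(parts.query).get("script")
    return scripts[0] if scripts else None


def is_filler(line):
    """Blank lines and comment-only lines (-- or #) show nothing useful in the editor window."""
    stripped = line.strip()
    return stripped == "" or stripped.startswith("--") or stripped.startswith("#")


def analyze(url):
    """Return line counts, the longest filler run and the suspicious commands found, or None."""
    script = extract_script(url)
    if script is None:
        return None
    lines = script.split("\n")
    longest = current = 0
    hits = []
    for number, line in enumerate(lines, 1):
        if is_filler(line):
            current += 1
            longest = max(longest, current)
            continue
        current = 0
        lowered = line.lower()
        if any(key in lowered for key in SUSPICIOUS):
            hits.append((number, line.strip()))
    return {
        "total_lines": len(lines),
        "longest_filler_run": longest,
        "hits": hits,
        # Padding only matters when it is hiding something.
        "padded": longest >= PADDING_THRESHOLD and bool(hits),
    }


if __name__ == "__main__":
    for name, url in (("sample lure", SAMPLE_URL), ("benign", BENIGN_URL)):
        print(name, analyze(url))
```

The same decode-then-scan approach works on URLs pulled from browser history or a proxy log; a hit far down a script that is otherwise filler is the signature to alert on.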
Before executing, the malware looks for Russian-language input sources on the host. If it finds them, the malware reports a cis_blocked event and quits.
Reaper harvests credentials from Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Orion, along with browser extensions and desktop wallet applications including Exodus, Atomic, Ledger Live, Electrum, and Trezor Suite. It then runs an Atomic macOS Stealer (AMOS)-style Filegrabber routine across the Desktop and Documents folders. Stolen documents are staged in a temporary directory and split into 70MB ZIP chunks for upload to the C2.
Then comes the persistence layer. Reaper writes a bash script (delivered Base64-encoded and decoded on the host) to disk and registers it via a LaunchAgent that mimics the real Google updater. The script beacons to the C2 every 60 seconds and executes any payload it receives, giving operators a backdoor for follow-on commands.
SentinelOne Flags Unexpected osascript Activity and LaunchAgent Creation as Key Indicators
SentinelOne said attackers favor AppleScript-driven chains because the technique runs entirely through legitimate macOS processes, leaving no new binaries behind.
“macOS users should take note of the way the infection chain layers familiar brands and trusted software cues across multiple stages,” the company said.
“For defenders, that combination reinforces the need to watch for malicious behavior like unexpected AppleScript or osascript activity, suspicious outbound traffic following Script Editor execution, or the unexpected creation of LaunchAgents or related files in namespaces associated with trusted vendors.”
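The persistence layer described above and the detection advice in the quote both come down to one hunt: LaunchAgents whose label sits in a trusted vendor's namespace but whose job does not look like a vendor updater. The scanner below is an editor's added example, not SentinelOne's tooling. Its heuristics and thresholds are assumptions: a vendor-namespace label (com.apple., com.google., com.microsoft.) that launches a shell interpreter rather than an app-bundle binary, a StartInterval of two minutes or less, and arguments pointing into temporary or shared-writable paths. The three plists it scans are constructed in a temporary directory; the mimic's label, script path and 60-second interval are modelled on the article, while the benign Keystone-style entry is invented for contrast and is not a claim about the real Google plist layout.

```python
"""Hunt for LaunchAgents that mimic a vendor updater. Added example, not SentinelOne's tooling."""
import plistlib
import tempfile
from pathlib import Path

# All heuristics and thresholds below are assumptions for illustration.
TRUSTED_NAMESPACES = ("com.apple.", "com.google.", "com.microsoft.")
INTERPRETERS = {"bash", "sh", "zsh", "osascript", "python3", "perl"}
WRITABLE_STAGING = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
FAST_BEACON_SECONDS = 120  # assumption: real updaters poll far less often than every 2 minutes

# Constructed samples (file name -> launchd job dictionary). None of these is a real plist.
SAMPLES = {
    # Mimic modelled on the article: Google-looking label, bash script in a Google-looking
    # directory, 60-second beacon.
    "com.google.softwareupdate.agent.plist": {
        "Label": "com.google.softwareupdate.agent",
        "ProgramArguments": [
            "/bin/bash",
            "/Users/victim/Library/Google/GoogleSoftwareUpdate/update.sh",
        ],
        "StartInterval": 60,
        "RunAtLoad": True,
    },
    # Invented benign entry: vendor label, app-bundle binary, hourly interval.
    "com.google.keystone.agent.plist": {
        "Label": "com.google.keystone.agent",
        "ProgramArguments": [
            "/Users/victim/Library/Google/GoogleSoftwareUpdate/Agent.app/Contents/MacOS/Agent",
        ],
        "StartInterval": 3600,
    },
    # Non-vendor label, but a beaconing shell script staged in /tmp.
    "com.example.helper.plist": {
        "Label": "com.example.helper",
        "ProgramArguments": ["/bin/sh", "/tmp/.helper/run.sh"],
        "StartInterval": 60,
    },
}


def assess(job):
    """Return human-readable findings for one launchd job dictionary (empty list = clean)."""
    findings = []
    label = job.get("Label", "")
    args = list(job.get("ProgramArguments", []))
    program = job.get("Program") or (args[0] if args else "")
    vendor_ns = label.startswith(TRUSTED_NAMESPACES)
    runs_interpreter = Path(program).name in INTERPRETERS

    if vendor_ns and runs_interpreter:
        findings.append(f"{label}: vendor-namespace label launches {program}, not a vendor binary")
    elif vendor_ns and "/Contents/MacOS/" not in program:
        findings.append(f"{label}: vendor-namespace label but {program} is not an app-bundle binary")
    interval = job.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= FAST_BEACON_SECONDS:
        findings.append(f"{label}: StartInterval={interval}s is beacon-like")
    for arg in args:
        if arg.startswith(WRITABLE_STAGING):
            findings.append(f"{label}: references staging path {arg}")
    return findings


def scan_dir(directory):
    """Scan every *.plist in a directory; return {file name: findings} for flagged files only."""
    results = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with path.open("rb") as fh:
                job = plistlib.load(fh)
        except Exception:  # corrupt or non-plist file: report it rather than abort the scan
            results[path.name] = ["unparseable plist"]
            continue
        findings = assess(job)
        if findings:
            results[path.name] = findings
    return results


def demo():
    """Write the constructed samples to a temp directory and scan it, as a stand-in for
    ~/Library/LaunchAgents on a real host."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, job in SAMPLES.items():
            with open(Path(tmp) / name, "wb") as fh:
                plistlib.dump(job, fh)
        return scan_dir(tmp)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name)
        for line in findings:
            print("  -", line)
```

On a live host, point scan_dir at ~/Library/LaunchAgents and /Library/LaunchAgents; the interpreter-in-vendor-namespace rule is the one that catches the Google-branded bash script, and the beacon-interval rule is what separates a 60-second heartbeat from an hourly update check.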