SHub Infostealer Variant Reaper Compromises macOS Systems, Steals iCloud Data
- New macOS Stealer: Reaper targets Apple users by spoofing major tech brands, including Apple, Microsoft, and Google, to steal credentials.
- Sophisticated Evasion Tactics: The malware bypasses Terminal and defeats defenses implemented in Tahoe 26.4.
- Persistent Backdoor Access: Attackers establish persistent remote code execution through fake Google Update directories.
A new SHub infostealer variant dubbed Reaper is actively targeting macOS users through a sophisticated campaign that spoofs Apple, Microsoft, and Google. The malware utilizes the macOS Script Editor with a pre-populated malicious payload. By executing directly through the Script Editor, Reaper successfully bypasses the Terminal command-line interface and the security defenses Apple recently introduced in Tahoe 26.4.
Deceptive Installers and System Fingerprinting
SentinelOne security researchers say the attack chain begins with fake WeChat and Miro installer websites hosted on a Microsoft typo-squatted domain, mlcrosoft.co[.]com. When a victim visits these pages, hidden JavaScript runs to collect detailed system data.
This reconnaissance gathers IP addresses, physical location, WebGL fingerprinting data, and indicators of virtual machines (VMs) or VPNs. Notably, the execution terminates immediately if the host appears to be in the CIS (Commonwealth of Independent States) region.
Once deployed, Reaper conducts extensive data exfiltration across the compromised system. The malware has the same capabilities as earlier versions, stealing:
- credentials,
- password manager databases,
- browser data,
- developer-related configuration files,
- macOS Keychain records,
- iCloud data,
- Telegram session information.
It also adds a dedicated Filegrabber component that searches the Desktop and Documents folders for sensitive business or financial files. “The AppleScript Filegrabber handler is similar to that used by AMOS Atomic and other macOS infostealers,” the report says. “The script targets files with the extensions .docx, .doc, .wallet, .key, .keys, .txt, .rtf, .csv, .xls, .xlsx, .json, and .rdp files under 2MB, along with .png images under 6MB.”
The infostealer specifically targets cryptocurrency assets, attempting to compromise browser-based wallets like MetaMask and Phantom and desktop applications including Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, and Trezor Suite.
Persistent Backdoors and Remote Access
To maintain persistent access, Reaper backdoors the compromised macOS device by creating a hidden directory structure mimicking a legitimate service: ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/.
The malware deploys a LaunchAgent configured to execute the fake GoogleUpdate script, which functions as a beacon. This persistent connection enables threat actors to achieve remote code execution, allowing effortless deployment of additional payloads.
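The persistence described above leaves a concrete artifact a defender can check for: a LaunchAgent whose program path points into the fake GoogleUpdate bundle. The following is an added example (not code from the SentinelOne report or from the malware) that parses LaunchAgent plists and flags any that reference that directory; the two sample plists are constructed for the demonstration, and the label and user name in them are placeholders.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Fake-updater directory reported for Reaper (path fragment from the article;
# matching on the fragment covers both "~/" and "/Users/<name>/" spellings).
REAPER_BEACON_DIR = "Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/"

def executable_paths(plist_bytes: bytes) -> list:
    """Return every path string a LaunchAgent plist would hand to launchd."""
    data = plistlib.loads(plist_bytes)
    paths = []
    if isinstance(data.get("Program"), str):
        paths.append(data["Program"])
    args = data.get("ProgramArguments")
    if isinstance(args, list):
        paths.extend(a for a in args if isinstance(a, str))
    return paths

def is_reaper_launchagent(plist_bytes: bytes) -> bool:
    """True when any referenced path points into the fake GoogleUpdate bundle."""
    return any(REAPER_BEACON_DIR in p for p in executable_paths(plist_bytes))

def scan_launchagents(directory: Path) -> list:
    """Return the names of suspicious .plist files in a LaunchAgents folder."""
    hits = []
    for plist in sorted(directory.glob("*.plist")):
        try:
            if is_reaper_launchagent(plist.read_bytes()):
                hits.append(plist.name)
        except (plistlib.InvalidFileException, ExpatError, ValueError):
            continue  # unparseable plist: skip it rather than abort the scan
    return hits

# Constructed sample of a Reaper-style agent (placeholder label and user name).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.googleupdate</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string>
    <string>/Users/demo/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed sample of an ordinary agent that must not be flagged.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backup.sh</string>
</dict></plist>"""

if __name__ == "__main__":
    print(scan_launchagents(Path.home() / "Library" / "LaunchAgents"))
```

Run it on a user's ~/Library/LaunchAgents to list agents pointing at the fake bundle; a hit should be followed by checking whether the referenced GoogleUpdate path actually exists and what it contains.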
In March 2026, researchers at Malwarebytes documented the rise of SHub Stealer, including its use of fake application installers and “ClickFix” social engineering, and Microsoft observed the evolution of an infostealer campaign distributing ClickFix-style instructions and targeting macOS users with Macsync, SHub Stealer, and AMOS.
Last week, a security researcher discovered that Google Ads and Claude.ai shared chats were being abused to distribute Mac malware.