A newly disclosed macOS infostealer campaign is exploiting user trust in some of the biggest names in tech to slip past defenses.
Researchers at SentinelOne have detailed a new variant of the SHub malware family, dubbed “Reaper,” that impersonates Apple, Google, and Microsoft at different stages of a single attack chain targeting Mac users. The SHub stealer family, first identified two years ago, has previously relied on fake installers and ClickFix-style social engineering, often prompting victims to paste commands into Terminal.
Reaper changes tactics by moving execution into Apple’s Script Editor, sidestepping the protections Apple recently introduced to curb Terminal-based attacks. The end goal, however, remains credential theft, wallet compromise, and persistent access.
“The SHub Reaper variant represents a noteworthy evolution in macOS infostealers by shifting away from standard social engineering tactics that require victims to manually paste commands into the Terminal,” said Jason Soroko, senior fellow at Sectigo. “This approach lowers the technical barrier for infection and demonstrates a strategic pivot toward abusing native application handlers rather than relying purely on user error.”
Fake Apple updates run hidden AppleScript
The attack starts with users being lured to malicious websites that display fake Apple security alerts. The pages then begin a ClickFix workflow, instructing users to apply a supposed fix through Script Editor rather than Terminal.
Rather than getting the user to copy and paste shell commands, as earlier variants did, Reaper abuses the applescript:// URI handler to pre-populate malicious AppleScript in Script Editor. The victim is then socially engineered, through the ClickFix prompt, into running the script themselves.
The victims are still executing the malware with their own hands; the difference is that no command is pasted into Terminal, so the Terminal paste warning described below never fires.
SentinelOne researchers noted the malware also performs several environment and anti-analysis checks before continuing execution. Once active, the malware deploys additional payloads and establishes persistence through LaunchAgents posing as legitimate vendor files.
“Defenders should shift macOS detection from file signatures to behavior, because Reaper executes through legitimate Apple tools and drops no obvious malicious app for a scanner to catch,” said Collin Hogue-Spears, senior director of solution management at Black Duck. “Script Editor, osascript, and a LaunchAgent are all legitimate software.”
The multi-brand deception
Researchers observed the malware using branding associated with multiple technology companies throughout the attack chain. Apple-themed security warnings lure victims into initiating execution, Google-related interfaces help maintain legitimacy during later stages, while Microsoft-themed domains and infrastructure are used elsewhere in the operation.
“Reaper uses fake WeChat and Miro installers as lures, but what stands out is the way the infection chain shifts its disguise at each stage,” the researchers said in a blog post. “The payload may be hosted on a typo-squatted Microsoft domain, executed under the guise of an Apple security update, and persist from a fake Google Software Update directory.”
Once execution succeeds, Reaper starts harvesting sensitive user data. SentinelOne said the malware targets browser credentials, password managers, Keychain data, cryptocurrency wallets such as MetaMask and Phantom, messaging applications, and user documents.
Protection beyond blocking Terminal pastes
The SHub Reaper campaign’s abandonment of the Terminal-centric infection flow appears to be tied to Apple’s recent efforts to crack down on Terminal paste abuse.
In macOS Tahoe 26.4, Apple introduced protections that display warnings when users attempt to paste potentially dangerous commands into Terminal, directly targeting the social engineering methods widely abused in ClickFix-style attacks.
“This is not an Apple security failure,” Hogue-Spears said. “It is Apple’s fix working exactly as intended. The fix raised the cost of one technique; so the crew switched to another.” Apple did not immediately respond to CSO’s request for comment.
SentinelOne researchers recommended that defenders monitor for unusual Script Editor activity and investigate cases where “osascript” or other AppleScript-related processes spawn unexpected child processes or initiate outbound network connections. They also advised organizations to watch for suspicious LaunchAgent persistence mechanisms posing as legitimate Apple, Google or Microsoft components.
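One way to act on the LaunchAgent recommendation is to triage each plist for the mismatch Reaper relies on: a label borrowed from Apple, Google or Microsoft paired with a program that is an interpreter, runs from a staging or hidden directory, or lives outside the vendor's normal install location. The script below is an added example written for this article, not SentinelOne's or Apple's code. The vendor directory lists, the set of interpreters, the `-e`/`do shell script` heuristic and the three sample plists are all this example's own assumptions; the samples are constructed to resemble the pattern described above and are not artifacts recovered from the campaign.

```python
import plistlib
import posixpath
from pathlib import Path

# Label prefixes Reaper borrows, mapped to directories a genuine agent for that
# vendor would normally execute from. Assumption for this example, not vendor
# documentation; tune it to what your fleet actually has installed.
VENDOR_HOMES = {
    "com.apple.": ("/System/", "/usr/", "/Library/Apple/"),
    "com.google.": ("/Library/Google/", "/Applications/Google Chrome.app/"),
    "com.microsoft.": ("/Library/Application Support/Microsoft/", "/Applications/Microsoft"),
}

# A vendor updater should never be argv[0] of a shell, script interpreter or downloader.
SCRIPT_RUNNERS = {"osascript", "sh", "bash", "zsh", "python3", "curl", "open"}

# Locations used for staging rather than for installed software.
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def triage_launch_agent(plist_bytes: bytes) -> list[tuple[str, str]]:
    """Return (code, detail) findings for one LaunchAgent plist; [] means clean by these heuristics."""
    plist = plistlib.loads(plist_bytes)
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or ([plist["Program"]] if "Program" in plist else [])
    if not args:
        return [("malformed", f"{label}: no Program or ProgramArguments")]

    exe = args[0]
    findings = []

    if posixpath.basename(exe) in SCRIPT_RUNNERS:
        findings.append(("interpreter", f"{label}: argv[0] is {exe}"))

    # Script text on the command line (osascript -e ... / do shell script ...) is a
    # persistence shape the page's description of Reaper makes worth flagging.
    if any(a == "-e" or "do shell script" in a for a in args[1:]):
        findings.append(("inline-script", f"{label}: script text passed on the command line"))

    for prefix, homes in VENDOR_HOMES.items():
        if label.startswith(prefix) and not any(h in exe for h in homes):
            findings.append(("vendor-path-mismatch", f"{label}: claims {prefix}* but runs {exe}"))

    hidden = any(p.startswith(".") and p not in (".", "..") for p in exe.split("/") if p)
    if exe.startswith(STAGING_DIRS) or hidden:
        findings.append(("staging-path", f"{label}: executes from a temp or hidden location"))

    return findings


def scan_launch_agent_dirs(dirs) -> dict[str, list[tuple[str, str]]]:
    """Triage every *.plist under the given directories; returns only files with findings."""
    results = {}
    for d in dirs:
        for path in Path(d).expanduser().glob("*.plist"):
            try:
                findings = triage_launch_agent(path.read_bytes())
            except Exception as exc:  # unreadable or non-plist file is itself worth a look
                findings = [("malformed", f"{path}: {exc}")]
            if findings:
                results[str(path)] = findings
    return results


# Constructed samples for this example (not recovered artifacts). The first is
# modelled loosely on Google's updater agent; the other two imitate the fake
# vendor persistence the article describes.
GENUINE_KEYSTONE = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": [
        "~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/"
        "GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent",
        "-runMode", "ifneeded",
    ],
    "RunAtLoad": True,
})
FAKE_GOOGLE = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": ["/usr/bin/osascript", "-e",
                         'do shell script "~/Library/Google/GoogleSoftwareUpdate/.cache/agent"'],
    "RunAtLoad": True,
})
FAKE_APPLE = plistlib.dumps({
    "Label": "com.apple.security.update",
    "ProgramArguments": ["/Users/Shared/.apple/SecurityUpdate"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for name, sample in [("genuine", GENUINE_KEYSTONE), ("fake-google", FAKE_GOOGLE), ("fake-apple", FAKE_APPLE)]:
        print(name, triage_launch_agent(sample))
    print(scan_launch_agent_dirs(["~/Library/LaunchAgents", "/Library/LaunchAgents"]))
```

The heuristics catch the two fakes (an osascript one-liner wearing a Google label, and an "Apple" agent running from a hidden directory under /Users/Shared) and pass the genuine-looking updater. A native binary dropped inside a convincingly named vendor directory would slip past the path checks; the next step for any survivor is `codesign --verify` against the expected Team ID, which this example deliberately leaves to the analyst.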
Additionally, Soroko suggested network-based protections. “Security teams should implement strict web filtering to intercept typo-squatted domains and monitor for anomalous invocations of the macOS Script Editor triggered directly by web browsers,” he said.
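The process-side recommendations above (Script Editor launched on behalf of a browser, and osascript or Script Editor spawning shells or reaching the network) are straightforward to express as a correlation over endpoint telemetry. The following is an added example written for this article, not SentinelOne's or Sectigo's detection content. It runs over constructed exec and connect events in a JSON-lines shape of this example's own choosing; the `responsible` field is an assumption modelled on the responsible-process attribute macOS Endpoint Security exposes, because a URL-handler launch comes from launchd rather than from the browser, so the parent pid alone would not show the browser.

```python
import json

BROWSERS = {"Safari", "Google Chrome", "firefox", "Brave Browser", "Microsoft Edge"}
APPLESCRIPT_RUNNERS = {"Script Editor", "osascript"}
# Children worth flagging underneath an AppleScript runner: shells and download/decode tools.
SUSPICIOUS_CHILDREN = {"sh", "bash", "zsh", "curl", "python3", "base64", "unzip"}
MAX_DEPTH = 4  # how far up the process tree to look for an AppleScript ancestor


def lineage(procs, pid, depth=MAX_DEPTH):
    """Names of the process and its ancestors, nearest first, stopping at unknown pids or MAX_DEPTH."""
    names = []
    while pid in procs and depth > 0:
        ev = procs[pid]
        names.append(ev["name"])
        pid = ev["ppid"]
        depth -= 1
    return names


def detect(events):
    """Return (alert_code, pid) tuples for the behaviours the recommendations describe."""
    procs = {}   # pid -> most recent exec event seen for that pid
    alerts = []
    for ev in events:
        if ev["type"] == "exec":
            procs[ev["pid"]] = ev
            # Script Editor started via applescript:// shows launchd as parent; the
            # browser is visible only as the responsible process (assumed field name).
            if ev["name"] == "Script Editor" and ev.get("responsible") in BROWSERS:
                alerts.append(("scripteditor-from-browser", ev["pid"]))
            # A shell or downloader anywhere below Script Editor / osascript.
            if ev["name"] in SUSPICIOUS_CHILDREN:
                if any(n in APPLESCRIPT_RUNNERS for n in lineage(procs, ev["ppid"])):
                    alerts.append(("applescript-spawn", ev["pid"]))
        elif ev["type"] == "connect":
            # Outbound connection by an AppleScript runner or any of its descendants.
            if any(n in APPLESCRIPT_RUNNERS for n in lineage(procs, ev["pid"])):
                alerts.append(("applescript-network", ev["pid"]))
    return alerts


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed telemetry for this example (not captured from the campaign): a
# Script Editor launch attributed to Safari that runs a shell and a downloader,
# plus two benign baselines (Script Editor opened from Finder, a local osascript run).
SAMPLE_EVENTS = """
{"type":"exec","pid":1,"ppid":0,"name":"launchd","path":"/sbin/launchd"}
{"type":"exec","pid":500,"ppid":1,"name":"Safari","path":"/Applications/Safari.app/Contents/MacOS/Safari"}
{"type":"exec","pid":600,"ppid":1,"name":"Script Editor","path":"/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor","responsible":"Safari"}
{"type":"exec","pid":601,"ppid":600,"name":"sh","path":"/bin/sh"}
{"type":"exec","pid":602,"ppid":601,"name":"curl","path":"/usr/bin/curl"}
{"type":"connect","pid":602,"dest":"203.0.113.10:443"}
{"type":"exec","pid":700,"ppid":1,"name":"Script Editor","path":"/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor","responsible":"Finder"}
{"type":"exec","pid":800,"ppid":1,"name":"osascript","path":"/usr/bin/osascript","argv":["osascript","/Users/alice/scripts/tidy.scpt"]}
"""


def run_sample():
    return detect(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for code, pid in run_sample():
        print(code, pid)
```

In a real deployment the exec events would come from an EDR or an Endpoint Security client and the connect events from network telemetry; the schema here is the example's own, and the field names would need mapping. Walking the lineage rather than checking only the direct parent is what lets the `curl` connection be attributed to Script Editor two hops up, which is the "AppleScript-related processes ... initiate outbound network connections" case in the recommendation.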