
New infostealer malware hides on Mac disguised as official Apple tools

Security researchers say a new macOS infostealer called SHub Reaper disguises itself as Apple security software to steal passwords, cryptocurrency wallets, and sensitive files.

[Image: HTML source code showing the construction of the malicious AppleScript. Image credit: SentinelOne]

The malware abuses AppleScript and legitimate macOS system processes to hide its activity and avoid some traditional malware scanning tools.

SentinelOne said Reaper is a more advanced version of the SHub Stealer malware family that has circulated through macOS-focused criminal campaigns for the last two years. Earlier SHub variants relied on fake installers and “ClickFix” social engineering tricks that pushed victims into pasting malicious commands into Terminal.

Reaper expands on those tactics by abusing trusted macOS tools and familiar branding to make the malware look legitimate. Instead of having victims paste commands into Terminal, attackers now push the script into Script Editor through the `applescript://` URL scheme.
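Because the script arrives through an `applescript://` link, a defender can extract such links from a page and decode the script body before anyone clicks them. The following Python is an added example, not code from the article or from SentinelOne. It assumes the URL form Script Editor accepts (`applescript://com.apple.scripteditor?action=new&script=<url-encoded AppleScript>`); the sample HTML and the list of AppleScript phrases it flags are constructed for this illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample page (not from the article): one ordinary download link,
# one harmless applescript:// link, and one that would hand a shell command
# to Script Editor. The shell command itself is a placeholder.
SAMPLE_HTML = """
<a href="https://example.invalid/download">Download</a>
<a href="applescript://com.apple.scripteditor?action=new&amp;script=display%20dialog%20%22hello%22">Open in Script Editor</a>
<a href="applescript://com.apple.scripteditor?action=new&amp;script=do%20shell%20script%20%22echo%20PLACEHOLDER%22">Verify your Mac</a>
"""

# AppleScript constructs worth surfacing for review before a script is run.
# The list is illustrative, not an exhaustive signature set.
SUSPICIOUS_PATTERNS = [
    r"\bdo shell script\b",
    r"\bwith administrator privileges\b",
    r"\bsystem attribute\b",
]


def extract_applescript_links(page: str) -> list[str]:
    """Return every href on the page whose scheme is applescript://."""
    hrefs = re.findall(r'href\s*=\s*["\']([^"\']+)["\']', page, flags=re.IGNORECASE)
    decoded = [html.unescape(h) for h in hrefs]
    return [h for h in decoded if h.lower().startswith("applescript://")]


def decode_script(url: str) -> str:
    """Pull the url-encoded AppleScript out of the link's `script` parameter."""
    query = parse_qs(urlparse(url).query)  # parse_qs already percent-decodes
    return query.get("script", [""])[0]


def triage(page: str) -> list[dict]:
    """Decode each applescript:// link and note which flagged phrases appear."""
    findings = []
    for url in extract_applescript_links(page):
        body = decode_script(url)
        hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, body, flags=re.IGNORECASE)]
        findings.append({"url": url, "script": body, "suspicious": hits})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_HTML):
        status = "FLAGGED" if finding["suspicious"] else "ok"
        print(f"[{status}] {finding['script']}")
```

The point of decoding before execution is that the script body is visible in the link itself; a link checker or mail filter can show it to the reviewer in plain text rather than letting Script Editor be the first thing to interpret it.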

Continue reading on AppleInsider