SHub “Reaper” — macOS Infostealer Masquerading as Apple Security Update

May 19, 2026 Faeem BLOGS 0

Overview The SHub Reaper variant represents a dangerous evolution in macOS malware. By spoofing Apple security updates through AppleScript, it bypasses recent protections and tricks users into granting elevated privileges. Once installed, it exfiltrates sensitive data, hijacks crypto wallets, and establishes persistence for long‑term access.

Attack Mechanics

  • Fake Security Update: Displays counterfeit XProtectRemediator prompts to lure users.
  • Payload Delivery: Uses curl and zsh to silently fetch and execute malicious scripts.
  • Regional Evasion: Detects Russian input methods and aborts infection to avoid scrutiny.
  • Privilege Escalation: Prompts for macOS password to unlock Keychain and decrypt credentials.
  • Data Theft: Targets browsers, password managers, crypto wallets, iCloud, and Telegram sessions.
  • Persistence: Registers a fake Google update script via LaunchAgent, beaconing every minute to the C2 server.

Targeted Applications & Data

  • Browsers: Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, Orion.
  • Crypto Wallets: MetaMask, Phantom, Exodus, Atomic Wallet, Ledger Live, Electrum, Trezor Suite.
  • Password Managers: 1Password, Bitwarden, LastPass.
  • Cloud & Messaging: iCloud accounts, Telegram sessions.
  • Filegrabber Module: Collects sensitive files (≤150MB total), prioritizing financial documents and images.

Enterprise Attack Diagram

The diagram illustrates how SHub Reaper infiltrates macOS systems, bypasses Gatekeeper, and exfiltrates sensitive data across enterprise layers.

Strategic Risk

  • Spoofed updates exploit user trust in Apple’s ecosystem.
  • Session hijacking and wallet injection compromise financial assets.
  • Persistence via LaunchAgent ensures long‑term access.
  • Targeting password managers concentrates credential theft at scale.

Defensive Guidance

  • Monitor Script Editor executions for suspicious outbound traffic.
  • Audit LaunchAgents for fake update scripts.
  • Restrict AppleScript execution in enterprise environments.
  • Deploy behavioral detection to identify anomalies in browser and wallet processes.

Final Thoughts

The SHub Reaper campaign highlights how attackers adapt quickly to platform defenses. By shifting from Terminal‑based exploits to AppleScript spoofing, they exploit user trust in Apple’s update mechanisms. For enterprises, the lesson is clear: security awareness, layered defenses, and proactive monitoring are essential to counter evolving macOS threats.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.