Overview
A new variant of the SHub Stealer malware, dubbed Reaper, has surfaced, and it is far more deceptive than its predecessors. This macOS-focused threat automates infection through fake software websites, silently compromising browsers and cryptocurrency wallets without the user noticing.

Attack Mechanics
Researchers at Moonlock discovered that Reaper spreads via spoofed download portals impersonating trusted brands and tools. Earlier ClickFix lures asked the victim to paste a command into Terminal; Reaper instead opens a Script Editor window with the malicious code already loaded, so the victim only has to click once to run it.
| Stage | Technique | Impact |
|---|---|---|
| Fake Software Sites | Impersonate legitimate apps and updates | Gain user trust |
| ClickFix Automation | Opens Script Editor pre‑loaded with malicious code | One‑click infection |
| Brand Spoofing | Mimics Apple and Google update pathways | Installs persistent backdoors |
| Persistence Layer | Registers fake Google update service | Survives reboots and remains hidden |
This ClickFix automation trend has appeared in multiple macOS campaigns within weeks, signaling growing adoption among threat actors.
Technical Insights
Reaper’s infection chain is multi‑stage and stealthy:
- User clicks “Download” on a fake site.
- The page opens Script Editor with malicious code.
- A single click executes the payload.
- The malware installs a backdoor disguised as a Google update service.
The campaign’s infrastructure uses typo‑squatted domains and fake Apple security updates to deliver payloads.
Targeted Applications and Data
Reaper expands SHub Stealer’s reach across major browsers and crypto wallets.
| Target Category | Examples | Data Stolen |
|---|---|---|
| Browsers | Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, Orion | Credentials, cookies, sessions |
| Crypto Wallets | Exodus, Atomic, Ledger Live, Electrum, Trezor Suite | Wallet keys, transaction data |
| Filegrabber Module | Desktop & Documents folders | Sensitive files (.docx, .wallet, .key, .csv, .xls, .json) |
Reaper modifies legitimate wallet code to redirect funds, rather than installing fake wallets, a notable evolution in crypto theft. Because a patched wallet still looks and behaves normally, the practical check is its code signature: codesign --verify --deep --strict fails on a bundle whose contents have been altered.
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| Domain | mlcrosoft[.]co[.]com | Typo-squatted Microsoft domain hosting payloads |
| URL | support.apple[.]com/downloads/xprotect-remediator-150.dmg | Lure posing as an XProtect Remediator update. As printed, the host is Apple's real support domain, so match on the path and filename and do not block the domain |
| URL | hebsbsbzjsjshduxbs[.]xyz/gate/chunk | Attacker-controlled C2 endpoint |
| File Path | ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/ | Backdoor location dressed up as a Google updater; Google's genuine Keystone updater lives under ~/Library/Google/, not Application Support |
| File Name | GoogleUpdate | Base64-encoded bash script that provides persistence |
| LaunchAgent | com.google.keystone.agent.plist | Relaunches the backdoor at login. The label is the same one Google's real Keystone agent uses, so triage on the ProgramArguments path rather than the label alone |
(Indicators are defanged to prevent accidental resolution. Re‑fang only within controlled threat‑intel platforms.)
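The matcher below is an added example, not code from Moonlock or the original post. It keeps the indicators from the table defanged at rest, re-fangs them only inside the matching routine, and writes every hit back out defanged. The Apple entry is reduced to its path because support.apple.com is Apple's own domain (an editor's assumption about how that indicator should be used), and domain matching is exact-or-subdomain so the IoC domain as a substring of an unrelated host does not fire. The proxy log lines are constructed, not captured traffic.

```python
"""IoC matching for the Reaper indicators above (added example)."""
import re
from urllib.parse import urlparse

# Copied from the IoC table, kept defanged at rest. The Apple lure is a path
# only: support.apple.com is legitimate and must not be blocked (assumption).
DEFANGED_DOMAINS = ["mlcrosoft[.]co[.]com", "hebsbsbzjsjshduxbs[.]xyz"]
URL_PATHS = ["/downloads/xprotect-remediator-150.dmg", "/gate/chunk"]

_URL_RE = re.compile(r"^(?:(https?)://)?([^/]+)(.*)$", re.S)


def refang(indicator: str) -> str:
    """Restore a defanged indicator. Call this only inside the matching
    engine; never write the live form into a ticket or chat."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def defang(indicator: str) -> str:
    """Defang the scheme and host only, leaving the path readable."""
    m = _URL_RE.match(indicator)
    if not m:
        return indicator
    scheme, host, path = m.groups()
    prefix = scheme.replace("tt", "xx") + "://" if scheme else ""
    return prefix + host.replace(".", "[.]") + path


def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match, so 'mlcrosoft.co.com.example.net' is not a hit."""
    return host == domain or host.endswith("." + domain)


def scan_proxy_log(lines) -> list:
    """Match 'ts client method url status' lines against the IoCs and return
    hits with the URL already defanged for reporting."""
    live_domains = [refang(d) for d in DEFANGED_DOMAINS]
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, url, _status = parts[:5]
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        reasons = [f"domain:{defang(d)}" for d in live_domains if host_matches(host, d)]
        reasons += [f"path:{p}" for p in URL_PATHS if parsed.path == p]
        if reasons:
            hits.append({"ts": ts, "client": client, "url": defang(url), "reasons": reasons})
    return hits


# Constructed proxy log, not captured traffic. The last line is a deliberate
# near-miss: the IoC domain appears as a substring of an unrelated host.
SAMPLE_LOG = """\
2025-10-01T12:00:01Z 10.0.0.21 GET https://www.apple.com/ 200
2025-10-01T12:00:07Z 10.0.0.21 GET https://mlcrosoft.co.com/update/installer.dmg 200
2025-10-01T12:00:09Z 10.0.0.21 GET https://support.apple.com/downloads/xprotect-remediator-150.dmg 404
2025-10-01T12:01:33Z 10.0.0.21 POST https://hebsbsbzjsjshduxbs.xyz/gate/chunk 200
2025-10-01T12:02:00Z 10.0.0.33 GET https://mlcrosoft.co.com.example.net/ 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["client"], hit["url"], ", ".join(hit["reasons"]))
```

Run against the sample, the scan reports three hits: the typo-squatted Microsoft download, the XProtect Remediator lure path on Apple's domain, and the /gate/chunk POST to the C2. Feed it your own proxy or DNS export by replacing SAMPLE_LOG with the file's lines in the same field order.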
Defensive Guidance
To stay protected:
- Treat any "update" that opens Script Editor as malicious: Apple and Google never deliver updates that way, and no legitimate download page needs you to click Run in Script Editor.
- Be suspicious of an installer or update that asks for your login password as soon as it launches.
- Keep cryptocurrency in a hardware (cold) wallet and confirm the receiving address on the device display, since Reaper tampers with the desktop wallet app rather than replacing it.
- Keep macOS and security tooling updated so that XProtect and endpoint agents can detect new stealer variants.
- Monitor ~/Library/LaunchAgents and compare each entry's ProgramArguments path with the vendor its label claims; the label com.google.keystone.agent is legitimate, a program under Application Support is not.
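The script below is an added example for the LaunchAgent check, not code from Moonlock or the campaign. It parses each plist, then flags a label that borrows a vendor namespace while its program lives outside that vendor's install location, an executable running out of Application Support, a shell one-liner or base64 argument, and a program file that is a script where a vendor binary would be Mach-O. VENDOR_DIRS is the editor's assumption about where genuine updaters live (Google's Keystone under ~/Library/Google/ or /Library/Google/); the two sample plists are constructed stand-ins that share the com.google.keystone.agent label and differ only in path and file content.

```python
"""Triage ~/Library/LaunchAgents for the persistence pattern described above
(added example, not the campaign's or Moonlock's code)."""
import plistlib
from pathlib import Path

# Label namespace -> path fragments a genuine program under that label should
# contain. Assumption; extend for the vendors present in your fleet.
VENDOR_DIRS = {
    "com.google.": ("/Library/Google/",),
    "com.apple.": ("/System/", "/usr/", "/Library/Apple/"),
}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript"}
MACHO_MAGICS = (b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe",   # 64/32-bit, little-endian
                b"\xfe\xed\xfa\xcf", b"\xfe\xed\xfa\xce",   # big-endian
                b"\xca\xfe\xba\xbe")                        # fat/universal


def classify_program(head: bytes) -> str:
    """Tell a Mach-O from a script by the first bytes of the file."""
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    if head.startswith(b"#!"):
        return "script"
    return "unknown"


def triage_launch_agent(plist_bytes: bytes, program_head: bytes = b"") -> list:
    """Return (tag, detail) findings for one plist. program_head is the start
    of the file named in ProgramArguments[0], read by the caller."""
    pl = plistlib.loads(plist_bytes)
    label = str(pl.get("Label", ""))
    args = [str(a) for a in pl.get("ProgramArguments") or []]
    if not args and "Program" in pl:
        args = [str(pl["Program"])]
    if not args:
        return [("no-program", label)]
    program = args[0]
    findings = []
    # 1. Label borrows a vendor namespace, program lives somewhere else. This
    #    is the Keystone impersonation above: the label collides with Google's
    #    real agent, the ProgramArguments path does not.
    for prefix, dirs in VENDOR_DIRS.items():
        if label.startswith(prefix) and not any(d in program for d in dirs):
            findings.append(("vendor-mismatch", f"{label} runs {program}"))
    # 2. An "updater" executing out of Application Support (weak on its own).
    if "/Library/Application Support/" in program:
        findings.append(("appsupport-exec", program))
    # 3. The agent is really a shell one-liner or feeds base64 to a shell.
    if program in SHELLS or any("base64" in a for a in args[1:]):
        findings.append(("inline-script", " ".join(args)))
    # 4. The program file is a script where a vendor binary would be Mach-O.
    if program_head and classify_program(program_head) == "script":
        findings.append(("script-not-macho", program))
    return findings


def triage_directory(agents_dir: str = "~/Library/LaunchAgents") -> dict:
    """Run the checks over every plist in a LaunchAgents folder."""
    results = {}
    for plist_path in Path(agents_dir).expanduser().glob("*.plist"):
        data = plist_path.read_bytes()
        head = b""
        try:
            args = plistlib.loads(data).get("ProgramArguments") or []
            prog = Path(str(args[0])).expanduser() if args else None
            if prog and prog.is_file():
                with prog.open("rb") as fh:
                    head = fh.read(8)
            results[plist_path.name] = triage_launch_agent(data, head)
        except Exception as exc:
            results[plist_path.name] = [("unparseable", str(exc))]
    return results


def _plist(label: str, *args: str) -> bytes:
    """Build a minimal LaunchAgent plist for the constructed samples."""
    return plistlib.dumps({"Label": label, "ProgramArguments": list(args), "RunAtLoad": True})


# Constructed samples, not captured artefacts. Same label on both; only the
# path and the file content separate Google's real agent from the lookalike.
LEGIT_KEYSTONE = _plist("com.google.keystone.agent",
    "/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle"
    "/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent")
SUSPECT_KEYSTONE = _plist("com.google.keystone.agent",
    "/Users/alice/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate")
LEGIT_HEAD = b"\xcf\xfa\xed\xfe" + b"\x00" * 4            # Mach-O 64-bit magic
SUSPECT_HEAD = b"#!/bin/bash\n# stand-in for the encoded script\n"

if __name__ == "__main__":
    print("legit  :", triage_launch_agent(LEGIT_KEYSTONE, LEGIT_HEAD))
    print("suspect:", triage_launch_agent(SUSPECT_KEYSTONE, SUSPECT_HEAD))
    for name, findings in triage_directory().items():
        if findings:
            print(name, findings)
```

On the constructed samples the genuine-looking Keystone entry produces no findings while the lookalike is flagged three ways (vendor-mismatch, appsupport-exec, script-not-macho). Run on a Mac, the trailing loop walks the real ~/Library/LaunchAgents; the appsupport-exec signal is noisy by itself, so act on entries that combine it with one of the other tags.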
Expert in the Cloud Insight
The SHub Reaper campaign demonstrates how macOS malware is evolving toward automation and brand spoofing. By exploiting user trust in familiar update mechanisms, attackers bypass traditional awareness defenses.
For enterprises and individuals alike, the takeaway is clear: security awareness must extend to behavioral cues — not just content validation. The future of macOS defense lies in detecting automated social engineering and script‑based infection flows.