A newly discovered macOS infostealer, dubbed SHub Reaper, is actively targeting enterprise users by masquerading as legitimate Apple security software to exfiltrate credentials, cryptocurrency wallets, and sensitive business documents. Identified by SentinelOne, this advanced variant of the SHub Stealer family represents a significant escalation in macOS-targeted malware, leveraging trusted system processes to evade detection and establish persistent access.
Abusing Trusted macOS Tools for Stealth
SHub Reaper distinguishes itself from earlier infostealers by abusing AppleScript and the `applescript://` URL scheme to bypass protections Apple introduced in macOS Tahoe 26.4. Victims are directed to malicious websites that fingerprint their systems for security tools, VPN indicators, and virtual machine environments before delivering the payload.
The attack chain begins when a user clicks “Run” in Script Editor, triggering a fake Apple XProtectRemediator security update prompt while hidden commands execute in the background. Attackers pad the malicious AppleScript with installer text and ASCII art to obscure dangerous commands below the visible window, a technique that bypasses traditional file-scanning protections like Apple’s XProtect framework.
Data Exfiltration and Persistent Compromise
Beyond credential theft, Reaper expands its reach with an AMOS-style document theft routine targeting the Desktop and Documents folders for financial and business files. The malware collects Word documents, spreadsheets, JSON files, and remote desktop configurations, capping exfiltration at 150 MB before compressing and uploading stolen data in chunks to its command-and-control infrastructure.
Persistence marks the most critical evolution in this build. The malware installs a LaunchAgent disguised as Google’s legitimate Keystone update service, executing every 60 seconds. This foothold transforms Reaper from a simple data grabber into a persistent access tool capable of receiving remote commands and delivering additional payloads, a stark departure from earlier macOS infostealers that typically disappeared after data collection.
Implications for Enterprise Security Teams
For enterprise security teams, SHub Reaper underscores the growing sophistication of macOS malware that exploits native tools and trusted branding. The campaign rotates between Apple, Microsoft, and Google identities to make malicious activity appear routine, a tactic that demands heightened scrutiny of script execution and system processes.
Administrators should monitor for unusual AppleScript or `osascript` activity, unexpected LaunchAgents, and network traffic originating from Script Editor. The use of typo-squatted domains mimicking Microsoft infrastructure further reinforces the need for strict software sourcing policies, limiting installations to official developer sites or the Mac App Store. As macOS becomes an increasingly viable target for persistent threats, the industry must adapt detection strategies to account for malware that does not rely on traditional binaries.
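The LaunchAgent check described above, and the Keystone-branded persistence mechanism from the previous section, can be turned into a repeatable triage step. The script below is an added example written for this republication; it is not code from the AppleInsider report, SentinelOne, or the malware itself. It parses launchd property lists with the standard library's plistlib and flags the traits the article attributes to Reaper: a Keystone-style label whose program does not live under the Library/Google path, a StartInterval of a minute or so, and a program that is osascript (especially with an inline `-e` script). The sample plists, the assumed legitimate Keystone label and path layout, the 300-second threshold, and the scratch-directory list are constructed assumptions for the demonstration, not values taken from the report.

```python
"""Triage of ~/Library/LaunchAgents plists for Reaper-style persistence (added example)."""
import plistlib
import tempfile
from pathlib import Path

# Assumptions for this example: a genuine Keystone agent carries a
# com.google.keystone.* label and runs a program under .../Library/Google/.
# The real layout is not taken from the article; adjust to your fleet's baseline.
KEYSTONE_LABEL_PREFIX = "com.google.keystone"
KEYSTONE_PATH_FRAGMENT = "/Library/Google/"
# Agents firing this often deserve a look; the article's sample ran every 60 s.
MAX_BENIGN_INTERVAL_SECONDS = 300
# Scratch locations a legitimate updater has no reason to run from (assumed list).
SCRATCH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")


def program_arguments(agent: dict) -> list[str]:
    """Return the command launchd would run, from ProgramArguments or Program."""
    args = agent.get("ProgramArguments")
    if isinstance(args, list) and args:
        return [str(a) for a in args]
    program = agent.get("Program")
    return [str(program)] if program else []


def triage_launch_agent(agent: dict) -> list[str]:
    """Return human-readable findings for one parsed launchd plist (empty list = nothing odd)."""
    findings: list[str] = []
    label = str(agent.get("Label", ""))
    args = program_arguments(agent)
    executable = args[0] if args else ""

    interval = agent.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= MAX_BENIGN_INTERVAL_SECONDS:
        findings.append(f"short StartInterval ({interval}s)")

    # Brand impersonation: Google's name on the label, but the binary is somewhere else.
    if label.startswith(KEYSTONE_LABEL_PREFIX) and KEYSTONE_PATH_FRAGMENT not in executable:
        findings.append("Keystone-branded label but program is not under Library/Google")

    # AppleScript driven from launchd is the pattern the article describes.
    if Path(executable).name == "osascript":
        findings.append("program is osascript (AppleScript execution from launchd)")
        if "-e" in args:
            findings.append("inline script passed with osascript -e")

    if executable.startswith(SCRATCH_PREFIXES):
        findings.append(f"program lives in a scratch directory: {executable}")

    return findings


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Parse every .plist in a LaunchAgents directory; keep only entries with findings."""
    results: dict[str, list[str]] = {}
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            with plist_path.open("rb") as fh:
                agent = plistlib.load(fh)
        except Exception as exc:  # an unparseable agent file is itself worth reporting
            results[plist_path.name] = [f"unparseable plist: {exc}"]
            continue
        if not isinstance(agent, dict):
            results[plist_path.name] = ["top-level object is not a dictionary"]
            continue
        findings = triage_launch_agent(agent)
        if findings:
            results[plist_path.name] = findings
    return results


def demo() -> dict[str, list[str]]:
    """Write two constructed plists to a temporary directory and triage them."""
    # Constructed sample: roughly what a genuine Keystone-style agent looks like (assumed layout).
    benign = {
        "Label": "com.google.keystone.agent",
        "ProgramArguments": [
            "/Users/example/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle"
            "/Contents/MacOS/GoogleSoftwareUpdateAgent",
        ],
        "StartInterval": 3600,
    }
    # Constructed sample modelled on the article: Keystone branding, osascript, 60 s cadence.
    impostor = {
        "Label": "com.google.keystone.update",
        "ProgramArguments": ["/usr/bin/osascript", "-e", 'do shell script "echo placeholder"'],
        "StartInterval": 60,
        "RunAtLoad": True,
    }
    with tempfile.TemporaryDirectory() as tmp:
        directory = Path(tmp)
        for name, agent in (("com.google.keystone.agent.plist", benign),
                            ("com.google.keystone.update.plist", impostor)):
            with (directory / name).open("wb") as fh:
                plistlib.dump(agent, fh)
        return scan_launch_agents(directory)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a real host, point `scan_launch_agents` at `~/Library/LaunchAgents` and `/Library/LaunchAgents` rather than the temporary directory used by `demo()`; the function only reads files, so it is safe to run as part of a scheduled baseline comparison. Treat the findings as leads for review rather than verdicts, since a short StartInterval on its own is not malicious.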
— Originally reported by AppleInsider. Adapted and republished with editorial context for MacThreat.