New SHub Stealer Variant Malware Targets Chrome, Firefox, Brave, Edge, Opera, and Crypto Wallets

MacThreat

A sophisticated new variant of the SHub Stealer malware, dubbed Reaper, is actively targeting macOS users through automated social engineering, credential theft, and cryptocurrency wallet manipulation across multiple major browsers and desktop wallet applications.

Automated Infection via ClickFix Technique

Reaper represents a significant evolution in macOS malware delivery, moving beyond traditional copy-paste Terminal scams. The attack vector relies on a fully automated ClickFix technique, where a malicious webpage silently opens the Mac’s Script Editor preloaded with harmful code.

The user only needs to click a single button to trigger the infection chain, eliminating the friction that previously required manual script execution. Researchers at Moonlock identified this as the third instance of automated ClickFix deployment across separate macOS malware campaigns in under two months.

Attackers host their payloads on typo-squatted domains mimicking trusted brands, such as mlcrosoft[.]co[.]com, and disguise downloads as Apple security updates. They also exploit fake Google Software Update pathways to establish persistent backdoors that survive system reboots.

Comprehensive Browser and Cryptocurrency Wallet Targeting

Reaper expands its data theft capabilities far beyond earlier SHub Stealer builds. The malware now targets Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Orion browsers, along with their extensions, macOS Keychains, iCloud account data, and Telegram sessions.

The most technically distinctive feature is how Reaper handles cryptocurrency theft. Instead of deploying fake wallet applications, it directly modifies the code of legitimate desktop wallet software already installed on the victim’s machine.

Targeted wallets include Exodus, Atomic, Ledger Live, Electrum, and Trezor Suite. The malware also deploys an AMOS-style Filegrabber that searches Desktop and Documents folders for valuable file types including .docx, .wallet, .key, .csv, .xls, and .json formats. All stolen data is exfiltrated via the legitimate macOS curl command to attacker-controlled servers.

Persistence and Defense Recommendations

Before exiting its main execution, Reaper installs a disguised backdoor that registers itself as a Google Update service using a LaunchAgent property list. This allows the malware to survive reboots while remaining hidden within the user’s system.
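
The persistence mechanism described above can be hunted for from the defender's side by auditing the user's LaunchAgents folder. The following is an added example (not code from the original article or from Moonlock) that parses a LaunchAgent plist and flags entries whose label claims to be a Google updater but whose program does not live under Google's own GoogleSoftwareUpdate path, or which simply hand a script in a hidden or temporary directory to an interpreter. The two embedded plists, their labels and file paths are constructed for the demonstration; the article names none of Reaper's actual labels or paths.

```python
import plistlib
from pathlib import Path

# Constructed sample of a LaunchAgent posing as a Google updater (hypothetical label and paths).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.google.update</string>
<key>ProgramArguments</key><array>
<string>/bin/bash</string><string>/Users/demo/.gupdate/update.sh</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed sample shaped like the genuine Google Keystone agent, for comparison.
LEGIT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.google.keystone.agent</string>
<key>ProgramArguments</key><array><string>/Users/demo/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

# Assumption: the real Keystone agent always lives under this directory in the user's Library.
GOOGLE_UPDATE_DIR = "/Library/Google/GoogleSoftwareUpdate/"
INTERPRETERS = {"bash", "sh", "zsh", "osascript", "python3", "curl"}
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def audit_launch_agent(data: bytes) -> list[str]:
    """Return human-readable reasons this LaunchAgent looks like disguised persistence (empty if clean)."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", "")).lower()
    args = [str(a) for a in plist.get("ProgramArguments") or [plist.get("Program", "")]]
    program = args[0]
    reasons = []
    # A label that borrows Google's name but runs something outside Google's update directory.
    if "google" in label and GOOGLE_UPDATE_DIR not in program:
        reasons.append(f"label {label!r} claims a Google updater but runs {program!r}")
    # Handing a script to a shell/interpreter is how a stager rather than a real agent persists.
    if Path(program).name in INTERPRETERS:
        reasons.append(f"program is an interpreter ({program}) with payload {args[1:]}")
    # Payloads tucked into hidden (dot) or temp directories are a classic stealer tell.
    for arg in args:
        if "/." in arg or arg.startswith(TEMP_DIRS):
            reasons.append(f"argument points into a hidden or temp directory: {arg}")
    return reasons


def audit_directory(folder: Path) -> dict[str, list[str]]:
    """Audit every plist in a folder such as Path.home() / 'Library/LaunchAgents'."""
    return {p.name: r for p in folder.glob("*.plist") if (r := audit_launch_agent(p.read_bytes()))}
```

Running `audit_directory(Path.home() / "Library/LaunchAgents")` on a Mac prints nothing for a clean profile; any entry returned deserves a look at the script it launches.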

Defense requires recognizing the social engineering patterns Reaper exploits. If a webpage unexpectedly opens Script Editor or Terminal and prompts a click to proceed, users should close the window immediately. Legitimate software never operates this way.

Users should never enter their macOS system password into a pop-up that appears immediately after installing software. For cryptocurrency holders, migrating funds to offline cold wallets or dedicated devices offers the strongest protection against wallet-modifying stealers.

This campaign signals that macOS threat actors are rapidly adopting and refining automated social engineering techniques that previously required manual user interaction. As these methods become commoditized within the cybercriminal ecosystem, enterprise security teams should anticipate a broader wave of macOS-targeted stealers leveraging similar automation patterns.

Originally reported by Cyber Security News. Adapted and republished with editorial context for MacThreat.
