[Image: HTML source code showing the construction of the malicious AppleScript. Image credit: SentinelOne]

Security researchers say a new macOS information stealer called SHub Reaper disguises itself as Apple security software to steal passwords, cryptocurrency wallets and sensitive files. The malware abuses AppleScript and legitimate macOS system processes to hide its activity and evade some traditional malware scanning tools.

SentinelOne said Reaper is a more advanced version of the SHub Stealer malware family that has circulated in macOS-focused criminal campaigns over the past two years. Previous SHub variants relied on fake installers and “ClickFix” social engineering lures that led victims to paste malicious commands into the Terminal. Reaper builds on these tactics by abusing trusted macOS tools and familiar branding to make the malware appear legitimate.

Attackers are now moving this process into Script Editor via the `applescript://` URL scheme. This change helps bypass some of the protections Apple added in macOS Tahoe 26.4 for endpoint-based attack chains.

Different stages of the infection chain use different disguises to make the malware appear legitimate. Victims download fake WeChat or Miro installers from domains designed to resemble Microsoft infrastructure. Later steps present fake Apple security updates and hide persistence files in directories that mimic Google Software Update components.

The attack begins with malicious websites that fingerprint visitors before delivering malware payloads. The web pages collect system information, WebGL data, VPN flags, browser extensions, and signs of virtual machines or security scanning tools. The scripts look for password managers including 1Password, Bitwarden and LastPass, as well as cryptocurrency wallet extensions such as MetaMask and Phantom.
The sites also deploy anti-scan protections that interfere with browser developer tools, intercept shortcuts such as F12, and trigger debugger loops that repeatedly suspend execution. Some pages replace their content with an “Access Denied” message in Russian after detecting scanning attempts.

When a victim clicks “Run” in Script Editor, the malware displays what looks like an Apple XProtectRemediator security update while executing hidden commands in the background. The attackers pad the malicious AppleScript with fake installation text and ASCII art so that the dangerous commands sit below the visible portion of the editor window. The malicious behavior is hidden behind what appears to be a routine Apple security process.

Subsequent steps ask users for their macOS password and capture these credentials during execution. Victims then see a fake compatibility error designed to reduce suspicion after the theft.

Legitimate macOS system processes, rather than obviously malicious applications, play a central role in the attack chain. Attackers prefer running AppleScript and shell scripts because they blend in with normal system activity and bypass traditional file scanning protections such as Apple’s XProtect framework.

Reaper goes beyond credential theft and becomes a persistent macOS compromise

Theft of credentials and cryptocurrency wallets remains a central part of the malware’s behavior. Targets include Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc and Orion, as well as wallet apps such as Exodus, Atomic Wallet, Ledger Live, Electrum and Trezor Suite. Additional theft targets include macOS keychain data, Telegram session information, browser extensions, and developer-related files.

The most recent version adds an AMOS-style document stealing routine. The Desktop and Documents folders are searched for business and financial files, including Word documents, spreadsheets, JSON files, portfolio files, and remote desktop configurations.
Files above certain size thresholds are skipped; PNG images larger than 6 MB, for example, are ignored. Total collection is capped at 150 MB before the malware compresses the stolen data and uploads it in chunks to its command and control infrastructure.

After collecting the data, the malware attempts to directly compromise cryptocurrency wallet applications. Active wallet processes are terminated before internal application resources are replaced with attacker-controlled “app.asar” files.

[Image: Subsequent steps ask users for their macOS password and capture these credentials during execution. Image credit: SentinelOne]

Quarantine attributes are then removed, and the modified applications are ad hoc code-signed so that they continue to run on macOS.

Persistence is one of the biggest changes in the Reaper version. The malware installs a LaunchAgent disguised as Google software infrastructure in the user’s Library folder. Attackers create a fake “GoogleUpdate.app” structure and save a `com.google.keystone.agent.plist` LaunchAgent which runs every 60 seconds. The fake LaunchAgent closely resembles Google’s legitimate Keystone update service, making the persistence mechanism harder to notice during casual inspection. The agent then retrieves additional commands from remote servers, executes the returned payloads with the current user’s privileges, and deletes the temporary files afterwards.

Persistence pushes the malware beyond simple credential theft. Older macOS information stealers often collected data and disappeared, but Reaper maintains a presence capable of supporting future payloads or remote access. Native tools, fake update prompts, and trusted branding from Apple, Microsoft and Google now play a larger role in macOS malware campaigns. Reaper switches between these brands to make malicious activity appear routine to many users.
How Mac Users Can Stay Safe

Users can reduce their exposure to this campaign by avoiding scripts or installers from untrustworthy websites, especially pages claiming that a manual security update is required. Apple generally does not require users to open Script Editor and click “Run” to install updates.

SentinelOne said the campaign used typosquatted domains designed to resemble Microsoft infrastructure. Checking URLs carefully before downloading software can help users avoid spoofed installation sites. Mac users should download software from official developer sites or the Mac App Store rather than from installation pages shared via ads, social media posts, or spam messages.

Unexpected password requests during installation, especially alongside vague error messages or claims that an update failed, should raise suspicion.

Advanced users and administrators can monitor for unusual AppleScript or osascript activity, unexpected LaunchAgents, and Script Editor-related network traffic. SentinelOne also recommended monitoring for suspicious AppleScript executions and for fake trusted-vendor directories and LaunchAgents used for persistence.
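As an added example for the persistence mechanism and the monitoring advice above (this is not SentinelOne’s code, nor anything from the campaign itself), the following Python script audits LaunchAgent plists for the Keystone look-alike pattern the report describes: a `com.google.keystone` label whose program lives in a fake “GoogleUpdate.app” bundle, fires on a very short `StartInterval`, or is really just a shell interpreter. The directory where the genuine Keystone agent normally lives, the 300-second threshold, and the two sample plists are assumptions constructed for illustration.

```python
"""Audit macOS LaunchAgents for Keystone look-alike persistence.

Added example, not SentinelOne's or the malware's code. The legitimate
Keystone directory, the interval threshold and the sample plists are
assumptions; verify them against a known-good machine before relying on them.
"""
from __future__ import annotations

import os
import plistlib
import re
from pathlib import Path

# Labels that claim to be Google's Keystone updater.
KEYSTONE_LABEL = re.compile(r"^com\.google\.keystone", re.IGNORECASE)
# Where the real Keystone agent normally lives (assumption for this example).
LEGIT_KEYSTONE_DIR = "/Library/Google/GoogleSoftwareUpdate/"
# Anything polling this often looks like a beacon rather than an update check.
SHORT_INTERVAL_SECONDS = 300
# An "updater" whose executable is a shell or osascript deserves a look.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "curl"}


def audit_launch_agent(agent: dict) -> list[str]:
    """Return findings for one parsed LaunchAgent dict; an empty list means nothing matched."""
    findings: list[str] = []
    label = str(agent.get("Label", ""))
    args = [str(a) for a in agent.get("ProgramArguments") or []]
    program = str(agent.get("Program") or (args[0] if args else ""))
    command_line = " ".join(filter(None, [str(agent.get("Program", ""))] + args))

    if KEYSTONE_LABEL.match(label) and LEGIT_KEYSTONE_DIR not in command_line:
        findings.append(f"label {label!r} claims Keystone but runs outside {LEGIT_KEYSTONE_DIR}")
    if "GoogleUpdate.app" in command_line:
        findings.append("program lives in a 'GoogleUpdate.app' bundle, which the real agent does not use")
    interval = agent.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= SHORT_INTERVAL_SECONDS:
        findings.append(f"StartInterval of {interval}s is beacon-like")
    interpreter = os.path.basename(program)
    if interpreter in INTERPRETERS:
        findings.append(f"updater is really the interpreter {interpreter!r}")
    return findings


def audit_plist_bytes(data: bytes) -> list[str]:
    """Parse an XML or binary plist and audit it."""
    return audit_launch_agent(plistlib.loads(data))


def audit_directory(directory: Path) -> dict[str, list[str]]:
    """Audit every *.plist in a LaunchAgents directory; unparseable files are reported too."""
    report: dict[str, list[str]] = {}
    if not directory.is_dir():
        return report
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            findings = audit_plist_bytes(plist_path.read_bytes())
        except Exception as exc:  # a malformed plist in LaunchAgents is itself worth a look
            findings = [f"could not parse: {exc}"]
        if findings:
            report[plist_path.name] = findings
    return report


# Constructed samples: the first mimics the persistence the report describes,
# the second resembles a genuine Keystone agent (paths and interval assumed).
FAKE_KEYSTONE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>/Users/victim/Library/GoogleUpdate.app/Contents/MacOS/GoogleUpdate</string>
  </array>
  <key>StartInterval</key><integer>60</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

REAL_LOOKING_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""


if __name__ == "__main__":
    print("constructed fake agent:", audit_plist_bytes(FAKE_KEYSTONE_PLIST))
    print("constructed real-looking agent:", audit_plist_bytes(REAL_LOOKING_PLIST))
    for name, found in audit_directory(Path.home() / "Library" / "LaunchAgents").items():
        print(name)
        for finding in found:
            print("  -", finding)
```

Run as-is, the script audits the two constructed samples and then the current user’s `~/Library/LaunchAgents`. The checks are deliberately simple string and interval heuristics, so a hit is a prompt to inspect the plist and its target binary (code signature, quarantine attribute, what it talks to), not a verdict on its own.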