SentinelOne researchers identified Reaper, a new macOS variant of the SHub infostealer, in campaigns that impersonate Apple security updates and legitimate software such as WeChat and Miro. The malware is delivered through typo-squatted and deceptive domains that use hidden JavaScript and the applescript:// URL scheme to open Script Editor and run concealed commands, presenting victims with a fake XProtectRemediator update prompt. The operation fingerprints visitors, exfiltrates telemetry through Telegram, and appears designed to avoid infecting systems using Russian keyboard input.
Once launched, Reaper downloads additional payloads, prompts users for their macOS password, and steals browser data, password manager contents, cryptocurrency wallet information, iCloud and Telegram data, documents, and selected files. Researchers said it can also hijack wallet applications by replacing core files with malicious payloads, then establish persistence through a LaunchAgent disguised as Google Software Update while polling command-and-control infrastructure every 60 seconds. SentinelOne warned that the malware provides attackers with backdoor access beyond basic infostealing and can bypass protections introduced in macOS Tahoe 26.4.

2 events from the most recent confirmed update back to the earliest known activity.
Technical details published by researchers showed Reaper abusing the applescript:// URL scheme and fake XProtectRemediator prompts to trick users into running malicious code and entering their macOS password. The malware was also found to establish persistence via a LaunchAgent masquerading as Google Software Update, exfiltrate stolen data, and avoid infecting systems that appear to use Russian keyboard input.
SentinelOne researchers identified a new macOS variant of the SHub infostealer, dubbed Reaper. The malware impersonates Apple security updates and popular software installers, uses typo-squatted infrastructure, and includes backdoor capabilities beyond basic data theft.
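As an added defender-side example (not code from SentinelOne's report or any of the page's sources), the following Python check hunts for the persistence trick described in both summaries above: a LaunchAgent that names Google Software Update but launches a binary from outside Google's install directories. The trusted path prefixes, the placeholder labels and both sample plists are assumptions constructed for this example.

```python
"""Hunt for LaunchAgents that pose as Google Software Update but run from elsewhere."""
import plistlib
from pathlib import Path, PurePosixPath

# Assumption for this example: a genuine Google Software Update (Keystone) agent
# runs its binary from /Library/Google/... or ~/Library/Google/..., nowhere else.
def is_google_install_path(path: str) -> bool:
    parts = PurePosixPath(path).parts
    if parts[1:3] == ("Library", "Google"):
        return True
    return len(parts) > 4 and parts[1] == "Users" and parts[3:5] == ("Library", "Google")

def agent_program(agent: dict) -> str:
    """Executable a launchd job will run: Program wins, else argv[0]."""
    args = agent.get("ProgramArguments") or []
    return str(agent.get("Program") or (args[0] if args else ""))

def audit_agent(plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist (empty list means nothing odd)."""
    agent = plistlib.loads(plist_bytes)
    label = str(agent.get("Label", ""))
    program = agent_program(agent)
    text = (label + " " + program).lower()
    findings = []
    # Name-drops Google's updater while executing from an unexpected location.
    if "google" in text and "update" in text and not is_google_install_path(program):
        findings.append(f"{label}: claims Google Software Update but runs {program}")
    return findings

def scan_launch_agents(directory: Path) -> list[str]:
    """Audit every plist in a LaunchAgents folder; unparseable files are reported too."""
    findings = []
    for plist in directory.glob("*.plist"):
        try:
            findings += audit_agent(plist.read_bytes())
        except Exception as exc:  # a malformed plist is itself worth a look
            findings.append(f"{plist.name}: unparseable ({exc})")
    return findings

# Constructed samples, not from the report: one Keystone-style agent and one lookalike.
LEGIT = plistlib.dumps({"Label": "com.google.keystone.agent",
    "ProgramArguments": ["/Users/alice/Library/Google/GoogleSoftwareUpdate/"
                         "GoogleSoftwareUpdate.bundle/Contents/MacOS/ksadmin"]})
LOOKALIKE = plistlib.dumps({"Label": "com.google.softwareupdate.agent",  # placeholder label
    "ProgramArguments": ["/Users/alice/Library/Application Support/.cache/GoogleSoftwareUpdate",
                         "--check"],
    "RunAtLoad": True})

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("lookalike", LOOKALIKE)):
        print(name, audit_agent(sample) or "clean")
    print(scan_launch_agents(Path.home() / "Library" / "LaunchAgents"))
```

Run it on a live host and the final line lists any user LaunchAgent that fails the check; a clean machine prints an empty list.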