Key Point: SHub Reaper bypasses Apple’s Terminal protections by executing AppleScript instead, steals browser and cryptocurrency wallet data, and spreads via fake WeChat, Miro, and QQ installers.
A new variant of the macOS infostealer SHub, called Reaper, impersonates Apple security updates and installs a backdoor via AppleScript. It circumvents the protection introduced in macOS Tahoe 26.4 (Apple’s March 2026 update), which blocks terminal-based attack methods.
The Reaper variant, identified by SentinelOne researchers, uses the applescript:// URL scheme to launch the macOS Script Editor with malicious AppleScript pre-loaded. This method sidesteps the protections of macOS Tahoe 26.4, which since March 2026 has blocked the pasting and execution of potentially harmful commands in Terminal. Previous SHub campaigns relied on ClickFix tactics, in which users were tricked into manually entering commands into Terminal.
The malware is distributed via fake installers for WeChat, Miro, and QQ, hosted on domains such as qq-0732gwh22[.]com, mlcrosoft[.]co[.]com, and mlroweb[.]com. Before execution, the malware collects device information to detect virtual machines, VPNs, and installed browser extensions. This telemetry is transmitted to the attacker via a Telegram bot. If users employ a Russian keyboard layout, the infection is aborted and a ‘cis_blocked’ event is reported.
After executing the AppleScript, Reaper displays a fake Apple security notification, downloads a shell script, and executes it via zsh. The infostealer module then requests the macOS password to access Keychain data and steals browser data from Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Orion. The malware’s scope also includes cryptocurrency wallet extensions (MetaMask, Phantom), password managers (1Password, Bitwarden, LastPass), desktop wallets (Exodus, Atomic Wallet, Ledger Live, Electrum, Trezor Suite), iCloud data, and Telegram sessions.
The “Filegrabber” module searches Desktop and Documents for sensitive file types and collects files up to 2 MB in size (6 MB for PNG images), with a maximum total of 150 MB. If wallet applications are present, Reaper terminates their processes and replaces the legitimate application files with modified versions (app.asar). To avoid Gatekeeper warnings, quarantine attributes are removed using xattr -cr and self-signed code-signing certificates are employed.
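A defender-side detection sketch for the chain described above (Script Editor launched via applescript://, zsh running a dropped script, xattr -cr on an app bundle, app.asar written into a wallet application), added here as an example and not part of the original report or SentinelOne’s tooling. The event feed format (ts, proc, cmd and an optional url field for URL-scheme launches) is an assumption, and the sample events are constructed.

```python
import json
import re

# Desktop wallet names taken from the report; used to flag an app.asar write
WALLET_APPS = {"Exodus", "Atomic Wallet", "Ledger Live", "Electrum", "Trezor Suite"}

# One rule per stage of the described chain, matched against cmd + url text
RULES = [
    ("script_editor_url_launch", re.compile(r"applescript://")),
    ("zsh_runs_dropped_script", re.compile(
        r"\bzsh\b.*\s(?:/tmp|/private/tmp|/var/folders|/Users/[^/\s]+/Downloads)/\S+")),
    ("quarantine_stripped_from_bundle", re.compile(r"\bxattr\s+-cr\s+\S*\.app\b")),
    ("app_asar_written", re.compile(r"/([^/]+)\.app/Contents/Resources/app\.asar")),
]

# Constructed sample process events (JSON lines); not real telemetry.
# The last line is benign noise: a single quarantine removal on a downloaded dmg.
SAMPLE_EVENTS = """
{"ts": "2026-05-19T10:00:01Z", "proc": "Safari", "cmd": "/Applications/Safari.app/Contents/MacOS/Safari"}
{"ts": "2026-05-19T10:00:05Z", "proc": "Script Editor", "cmd": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor", "url": "applescript://com.apple.scripteditor?action=new&script=PLACEHOLDER"}
{"ts": "2026-05-19T10:00:20Z", "proc": "zsh", "cmd": "/bin/zsh /tmp/update.sh"}
{"ts": "2026-05-19T10:00:31Z", "proc": "xattr", "cmd": "/usr/bin/xattr -cr /Applications/Exodus.app"}
{"ts": "2026-05-19T10:00:32Z", "proc": "cp", "cmd": "/bin/cp /tmp/app.asar /Applications/Exodus.app/Contents/Resources/app.asar"}
{"ts": "2026-05-19T11:00:00Z", "proc": "xattr", "cmd": "/usr/bin/xattr -d com.apple.quarantine /Users/dev/Downloads/tool.dmg"}
"""


def scan_events(jsonl: str) -> list:
    """Return one finding per event that matches a chain-stage rule."""
    findings = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        text = ev["cmd"] + " " + ev.get("url", "")
        for name, pattern in RULES:
            m = pattern.search(text)
            if not m:
                continue
            f = {"rule": name, "ts": ev["ts"], "proc": ev["proc"]}
            if name == "app_asar_written":          # which bundle was overwritten?
                f["bundle"] = m.group(1)
                f["wallet"] = m.group(1) in WALLET_APPS
            findings.append(f)
            break                                    # one rule per event is enough
    return findings


def assess(findings: list) -> dict:
    """A lone hit (e.g. a developer stripping quarantine) is noise; 2+ stages is a chain."""
    stages = sorted({f["rule"] for f in findings})
    return {"stages": stages, "likely_chain": len(stages) >= 2}
```

Feed the same rules a real process-event export and alert when `likely_chain` is true, reviewing the `bundle`/`wallet` fields of any app.asar finding first.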
Source: ainews-dev.lumi-systems.io · Published 19 May 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.5.2.