A dangerous new variant of macOS infostealer malware, known as SHub Reaper malware, is targeting Apple users with increasingly stealthy and automated attack techniques.
Security researchers at Moonlock have identified the campaign, which uses deceptive websites and advanced social engineering to infect macOS systems and silently exfiltrate sensitive data. The malware specifically targets browser credentials and cryptocurrency wallets, posing a serious risk to both individual users and high-value crypto holders.
Unlike earlier macOS threats, SHub Reaper eliminates manual steps, making infection faster, easier, and far more deceptive.
Key Details
SHub Reaper represents the latest evolution of the SHub Stealer family, incorporating automation and improved evasion techniques.
Key elements of the campaign include:
- Fake software websites impersonating trusted brands
- Delivery of malware disguised as Apple or Google updates
- Use of typo-squatted domains such as:
  - mlcrosoft[.]co[.]com
The malware’s initial access technique relies on ClickFix, an increasingly common method that has appeared repeatedly across macOS threats in recent months.
Moonlock researchers note that this is now the third widespread use of automated ClickFix in under two months, indicating rapid adoption among threat actors.
Technical Analysis
Automated ClickFix Execution
Unlike traditional social engineering attacks that rely on user action in Terminal, SHub Reaper:
- Opens macOS Script Editor automatically via a malicious webpage
- Preloads it with hidden malicious code
- Requires only a single click from the user to execute
This tactic reduces friction and dramatically increases infection success rates.
Multi-Stage Infection Chain
Once executed, the malware performs several operations:
- Credential Theft
  - Targets browsers including:
    - Chrome
    - Firefox
    - Brave
    - Edge
    - Opera
    - Vivaldi, Arc, Orion
- Wallet Compromise
  - Instead of installing fake wallet apps, Reaper modifies legitimate wallet software directly
  - Targets:
    - Exodus
    - Atomic
    - Ledger Live
    - Electrum
    - Trezor Suite
- File Harvesting
  - Uses an AMOS-style Filegrabber to collect sensitive files from:
    - Desktop
    - Documents
  - File types collected: .docx, .csv, .xls, .wallet, .key, .json
- Data Exfiltration
  - Stolen data is sent via a curl command to the attacker server: hebsbsbzjsjshduxbs[.]xyz/gate/chunk
- Persistence Mechanism
  - The malware installs a hidden backdoor:
    - Directory: ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/
    - Service: com.google.keystone.agent.plist
MITRE ATT&CK Mapping
The attack aligns with:
- T1059 – Command and Scripting Interpreter
- T1555 – Credentials from Password Stores
- T1567 – Exfiltration Over Web Services
- T1547 – Boot or Logon Autostart Execution
- T1036 – Masquerading
Impact and Risks
Mac Users Under Growing Threat
Historically perceived as less targeted, macOS is increasingly under attack due to:
- Growing user base
- High-value targets such as developers and crypto holders
Financial Risk via Crypto Theft
Reaper’s ability to modify legitimate wallet software creates a severe risk:
- Direct fund theft
- No obvious signs of tampering
- Persistent unauthorized transactions
Data Privacy and Identity Theft
With access to browser credentials and local files, attackers can:
- Hijack accounts
- Access corporate systems
- Launch follow-on attacks
Persistent Backdoor Access
The disguised Google update service allows attackers to:
- Maintain long-term access
- Deploy additional payloads
- Monitor user activity silently
Expert Recommendations
1. Avoid Suspicious Software Downloads
   - Only download software from official vendor websites
   - Verify domain authenticity before clicking
2. Watch for Abnormal System Behavior
   - Unexpected launches of:
     - Script Editor
     - Terminal
   These are strong signs of compromise attempts.
3. Never Execute Unknown Scripts
   - Do not click “Play” in Script Editor from unknown sources
   - Close suspicious pop-ups immediately
4. Secure Cryptocurrency Assets
   - Store funds in:
     - Cold wallets
     - Dedicated offline devices
5. Monitor System Directories
   - Check for unusual files in: ~/Library/Application Support/Google/
6. Keep macOS Updated
   - Install security updates promptly
   - Use endpoint protection solutions with behavior detection
Industry Context
The SHub Reaper campaign highlights a significant shift in macOS malware trends:
- Increasing use of automation in social engineering
- Growing focus on financially motivated attacks (crypto theft)
- Adoption of cross-campaign tactics such as ClickFix
It also reflects a broader industry trend where attackers:
- Mimic trusted brands
- Abuse familiar user workflows
- Target client-side applications rather than OS vulnerabilities
As macOS adoption continues to rise, attackers are investing more in scalable, stealthy infections.
Conclusion
The emergence of SHub Reaper malware demonstrates how macOS threats are evolving rapidly—combining social engineering, persistence, and financial targeting into a single attack chain.
By automating infection and focusing on high-value assets like crypto wallets, attackers are raising the stakes for Apple users.
In this environment, user awareness, software verification, and endpoint visibility are critical defenses against increasingly deceptive malware campaigns.
FAQ SECTION
1. What is SHub Reaper malware?
It is a new variant of SHub Stealer targeting macOS users, designed to steal browser data and cryptocurrency wallets.
2. How does SHub Reaper infect Macs?
It uses fake websites to launch Script Editor with malicious code, requiring only a single click to execute.
3. What data does the malware steal?
It steals browser credentials, crypto wallet data, local files, and user session information.
4. Which crypto wallets are targeted?
Wallets such as Exodus, Atomic, Ledger Live, Electrum, and Trezor Suite are affected.
5. How can users protect themselves?
Avoid suspicious downloads, verify software sources, use cold wallets, and monitor system processes for unusual activity.