Tags: macOS, infostealer, malware, cryptocurrency, ClickFix

Reaper Malware Hits macOS: Steals Passwords, Drains Crypto Wallets, Then Quietly Moves In

A new macOS malware variant called Reaper, an updated version of the SHub stealer, targets users by spoofing trusted domains like Apple, Microsoft, and Google to steal passwords, cryptocurrency wallet credentials, and sensitive files. Unlike earlier versions, it bypasses Apple's Terminal entirely by using macOS Script Editor to execute its malicious payload, circumventing defences added in macOS Tahoe 26.4. The malware also establishes persistent backdoor access by disguising itself as a Google Software Update process, allowing attackers to remotely execute code on compromised machines every 60 seconds.

A new macOS infostealer has surfaced, and it is considerably nastier than the campaigns that came before it. Dubbed Reaper, it is an evolved variant of the SHub stealer family and combines credential theft, cryptocurrency wallet compromise, and persistent backdoor installation into a single attack chain. SentinelOne researcher Phil Stokes documented the malware this week.

The initial lure is a fake WeChat or Miro installer page, hosted on a domain that typosquats a Microsoft URL: mlcrosoft[.]co[.]com. Whoever built this put genuine effort into the deception, throwing in Apple and Google impersonation for good measure.

Before anything gets downloaded, hidden JavaScript runs a quiet profiling sweep of the visitor's system. It grabs IP address, location, browser fingerprints, WebGL data, and checks for signs of virtual machines or VPNs. If the target is located in Russia, the attack simply stops. Everyone else proceeds to the next stage.

Clicking the fake installer opens Apple's Script Editor. The malicious AppleScript command is buried beneath a wall of ASCII padding and fake legalese, pushing it well out of view when the file first loads. Click Run, and the payload executes. A convincing popup appears claiming to be an XProtectRemediator security update. It is nothing of the sort. Behind the fake UI, a curl command silently fetches a shell script while the victim is prompted to enter their login credentials, which are immediately harvested and used to decrypt stored passwords.

What makes Reaper stand out from earlier SHub variants is how much ground it covers. It rummages through browser data, macOS Keychain, iCloud account information, Telegram session files, and developer configuration files. It also includes a document grabber that trawls Desktop and Documents folders for anything that looks financially or commercially valuable, a trick borrowed from the Atomic macOS Stealer playbook.

Cryptocurrency users get special attention. Reaper scans for Exodus, Atomic Wallet, Ledger Live, Ledger Wallet, and Trezor Suite. When it finds them, it injects the wallet software directly with malware to enable ongoing theft, not just a one-time grab.

The backdoor mechanism is where things get properly sinister. Reaper installs a LaunchAgent that impersonates Google Software Update, nesting itself inside ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/. The agent fires a beacon script every 60 seconds, pinging the attacker's command-and-control server. If the server responds with a code payload, the script decodes it, writes it to a hidden file, runs it under the victim's own privileges, then cleans up after itself.

The practical upshot is that the attackers retain remote code execution on any machine Reaper successfully compromises, leaving them free to deploy further malware, pivot to other targets on the same network, or continue draining accounts at leisure.

One notable aspect is what Reaper bypasses. Earlier SHub variants and similar macOS stealers relied on ClickFix-style social engineering, tricking users into pasting commands into Terminal. Reaper routes around Terminal entirely, which sidesteps defences Apple introduced in macOS Tahoe 26.4. That is not a small detail.

If you are running macOS and you installed anything from a site you found via a sketchy link recently, now would be a good time to check your LaunchAgents.
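The persistence mechanism described above (a LaunchAgent masquerading as Google Software Update under ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/, firing every 60 seconds) is simple to triage from the plist alone. The script below is an added example written for this article, not tooling from SentinelOne or the Reaper analysis. It parses LaunchAgent plists with Python's standard plistlib and flags three things: a program path matching the location reported for Reaper, a 60-second-or-shorter StartInterval that runs something outside normal system and application paths, and a Google-branded label whose program is not under the legitimate Keystone updater path (~/Library/Google/GoogleSoftwareUpdate/). The two embedded plists are constructed samples; the beacon.sh filename and /Users/victim home directory are placeholders, not values from the campaign.

```python
"""Triage ~/Library/LaunchAgents for the beacon-style persistence described in
the Reaper write-up. Added example; heuristics are ours, not the researchers'."""
import plistlib
from pathlib import Path

# Path fragment reported for Reaper's fake updater (the ~ prefix varies per user).
REAPER_PATH_FRAGMENT = "Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/"
# Where Google's real Keystone updater lives inside a user's home directory.
KEYSTONE_PATH_FRAGMENT = "Library/Google/GoogleSoftwareUpdate/"
# Locations from which a frequently firing agent is ordinarily expected.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
BEACON_INTERVAL_S = 60  # the beacon period reported in the article

# Constructed sample plists (not captured from real samples): one Reaper-like, one benign.
SAMPLE_PLISTS = {
    "com.google.update.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.update</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>/Users/victim/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/beacon.sh</string>
  </array>
  <key>StartInterval</key><integer>60</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.google.keystone.agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/victim/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>""",
}


def agent_paths(agent: dict) -> list[str]:
    """Collect every path-like string the agent runs: Program plus all ProgramArguments.
    Checking every argument matters because a beacon is commonly wrapped as `/bin/sh script`,
    so argv[0] alone would look like a trusted system binary."""
    candidates = [agent.get("Program", "")] + list(agent.get("ProgramArguments") or [])
    return [str(c) for c in candidates if str(c).startswith(("/", "~"))]


def triage_agent(agent: dict) -> list[str]:
    """Return the reasons an agent looks suspicious; an empty list means nothing flagged."""
    reasons = []
    paths = agent_paths(agent)
    if any(REAPER_PATH_FRAGMENT in p for p in paths):
        reasons.append("program path matches the Reaper LaunchAgent location")
    interval = agent.get("StartInterval")
    untrusted = [p for p in paths if not p.startswith(TRUSTED_PREFIXES)]
    if isinstance(interval, int) and interval <= BEACON_INTERVAL_S and untrusted:
        reasons.append(f"StartInterval {interval}s runs {untrusted[0]} outside system/application paths")
    label = str(agent.get("Label", "")).lower()
    if "google" in label and not any(KEYSTONE_PATH_FRAGMENT in p for p in paths):
        reasons.append("Google-branded label but program is not the Keystone updater")
    return reasons


def triage_plist(data: bytes) -> list[str]:
    """Parse one plist (XML or binary) and triage it."""
    return triage_agent(plistlib.loads(data))


def scan_directory(directory: Path) -> dict[str, list[str]]:
    """Triage every *.plist in a LaunchAgents directory; unparseable files are reported too."""
    findings = {}
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            reasons = triage_plist(plist_path.read_bytes())
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            reasons = [f"unparseable plist: {exc}"]
        if reasons:
            findings[plist_path.name] = reasons
    return findings


def scan_samples() -> dict[str, list[str]]:
    """Run the same triage over the constructed samples (used when no macOS home is present)."""
    return {name: triage_plist(data) for name, data in SAMPLE_PLISTS.items()}


if __name__ == "__main__":
    agents_dir = Path.home() / "Library" / "LaunchAgents"
    results = scan_directory(agents_dir) if agents_dir.is_dir() else scan_samples()
    for name, reasons in results.items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run on a Mac it reads the real ~/Library/LaunchAgents; elsewhere it falls back to the constructed samples, flagging the Reaper-like agent on all three heuristics and leaving the Keystone-style agent alone. The short-interval check is the one worth keeping generic: a 60-second StartInterval pointing at a script in Application Support is unusual regardless of what the label claims to be.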