A newly identified macOS infostealer combines the capabilities of both stealer and backdoor malware while using a multistage social engineering campaign that impersonates Apple, Google, and Microsoft simultaneously. The stealer, SHub Reaper, is a variant of the broader SHub malware family, and demonstrates a new paradigm in macOS malware behavior.
SHub Reaper uses fake WeChat and Miro installers as social engineering lures to get users to download it, according to SentinelOne, which revealed details about the variant in a report Monday. Indeed, fake application downloads are a popular way for attackers to distribute infostealing malware.
“The malware infection starts with malicious Web pages offering Miro and WeChat installers, and they aggressively look for browsers with extensions relating to crypto wallets and popular password managers,” Phil Stokes, macOS and AI research engineer at SentinelOne, tells Dark Reading via email.
However, what makes SHub Reaper’s impersonation unique is how the infection chain shifts its disguise at each stage of the attack, he says. The payload may be hosted on a typosquatted Microsoft domain, executed under the guise of an Apple security update, and persist from a fake Google Software Update directory, a “multibrand spoofing across a single chain” that “is unusual,” Stokes tells Dark Reading.
SHub Reaper: A Two-for-One Malware
SHub Reaper also flips traditional stealer behavior on its head by combining typical stealer features such as credential theft, wallet hijacking, and document exfiltration, with persistent backdoor access — aspects that usually are not found in stealer malware, Stokes noted.
The malware does this by installing a fake Google Update framework under the user's Library paths and then registering a LaunchAgent that uses Google Keystone-style naming conventions. The beacon checks in every 60 seconds and supports arbitrary command execution, effectively turning an infostealer infection into a lightweight macOS backdoor, he observed.
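A defender-side check for the persistence described above, added here as an example and not code from the article or from SentinelOne: it parses LaunchAgent plists and flags Keystone-style labels whose job runs a script interpreter, references curl or an AppleScript file, or polls on a beacon-like interval. The heuristics are derived from the article's description (a 60-second check-in, living-off-the-land execution without foreign binaries); the sample plists, the `com.google.keystone.helper` label and the file paths are constructed for the example.

```python
"""Audit ~/Library/LaunchAgents for Keystone-lookalike persistence.

Added example; heuristics are assumptions drawn from the article, and the
sample plists below are constructed, not recovered from the malware.
"""
import os
import plistlib

# Script interpreters and downloaders a real Google Keystone agent does not run
# as its program; behind a Keystone-style label they are suspicious (assumption).
SCRIPT_RUNNERS = {"osascript", "sh", "bash", "zsh", "curl", "python", "python3"}
KEYSTONE_PREFIX = "com.google.keystone"
# The article reports a 60-second check-in; a software updater polls far less often.
BEACON_INTERVAL_MAX = 60


def program_argv(data: dict) -> list[str]:
    """Return the argv launchd would run (Program plus ProgramArguments)."""
    argv = [str(a) for a in data.get("ProgramArguments", [])]
    if "Program" in data and (not argv or argv[0] != data["Program"]):
        argv.insert(0, str(data["Program"]))
    return argv


def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return the reasons a LaunchAgent plist looks like Keystone-lookalike
    persistence; an empty list means no heuristic fired."""
    data = plistlib.loads(plist_bytes)
    label = str(data.get("Label", ""))
    if not label.lower().startswith(KEYSTONE_PREFIX):
        return []  # only Keystone-style labels are in scope for this check
    argv = program_argv(data)
    reasons = []
    runner = os.path.basename(argv[0]) if argv else ""
    if runner in SCRIPT_RUNNERS:
        reasons.append(f"label {label!r} runs script interpreter {runner!r}")
    if any("curl" in a or a.endswith((".scpt", ".applescript")) for a in argv[1:]):
        reasons.append("arguments reference curl or an AppleScript file")
    interval = data.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= BEACON_INTERVAL_MAX:
        reasons.append(f"StartInterval {interval}s looks like a beacon, not an updater")
    return reasons


def audit_directory(path: str) -> dict[str, list[str]]:
    """Audit every .plist under path (for example ~/Library/LaunchAgents)."""
    results = {}
    for name in sorted(os.listdir(path)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            try:
                findings = audit_launch_agent(fh.read())
            except Exception as exc:  # malformed plist is itself worth a look
                findings = [f"unparseable plist: {exc}"]
        if findings:
            results[name] = findings
    return results


# Constructed sample resembling a legitimate Keystone agent: a Mach-O agent
# binary on an hourly interval. Should produce no findings.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

# Constructed lookalike: Keystone-style label, osascript running a script under a
# Google-named directory, 60-second interval. Label and path are invented.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.helper</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string>
    <string>/Users/alice/Library/Google/GoogleSoftwareUpdate/agent.scpt</string>
  </array>
  <key>StartInterval</key><integer>60</integer>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PLIST), ("suspicious", SUSPICIOUS_PLIST)):
        print(name, audit_launch_agent(blob))
    # Uncomment to audit the current user's agents:
    # print(audit_directory(os.path.expanduser("~/Library/LaunchAgents")))
```

The check deliberately ignores where the plist or the target file lives, since a lookalike can copy the real Keystone directory layout; what an updater does not do is run osascript or curl every minute.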
“The backdoor adds yet another vector for theft and compromise,” Stokes tells Dark Reading. “Earlier families of infostealers were notably smash-and-grab, and didn’t even bother with persistence.” SHub Reaper, on the other hand, “is a multifunctional malware that blends tradecraft from a number of recent families,” he explains.
A Paradigm-Changing Cyber Execution Chain
The malware also represents a behavior shift in how macOS stealers typically execute on a victim’s machine, according to SentinelOne. Instead of relying on standard “ClickFix” social engineering, in which victims are tricked into pasting a command into Terminal, “the variant uses a delivery mechanism that bypasses Terminal entirely and sidesteps Apple’s Tahoe 26.4 mitigation for those attack flows,” Stokes wrote.
He’s referring to Apple’s recently introduced protections in its Tahoe 26.4 OS, aimed at reducing Terminal-driven social-engineering attacks such as ClickFix. However, SHub Reaper sidesteps those mitigations by moving execution into trusted Apple-native scripting workflows, using the applescript:// URL scheme to open macOS Script Editor with a malicious AppleScript already loaded.
This shift away from standard social engineering tactics that require victims to manually paste commands into the Terminal marks “a noteworthy evolution in macOS infostealers,” Jason Soroko, senior fellow at certificate life cycle management firm Sectigo, tells Dark Reading via email. “Attackers are instead exploiting the applescript:// URL scheme to automatically load the macOS Script Editor with malicious payloads, effectively circumventing” these new macOS mitigations, he says.
The reason for this shift is that attackers can now “confine execution to running system processes or user-initiated processes like Script Editor or the Terminal,” Stokes explained in the post. “This allows the attacker to execute without introducing foreign binaries to the file system, and makes it easier to bypass file scanning detection tools like Apple’s own XProtect and similar third-party tools.”
New Cyberattack Behaviors Call for New Defense
Infostealers are one of the quickest ways that attackers can compromise enterprise credentials, which can then be used to conduct further malicious activity. In fact, research from WhiteIntel revealed in March that it takes attackers only 48 hours to move stolen credentials from an infected laptop to an underground marketplace, which may be why their use by attackers is steadily rising, according to the 2025 M-Trends report by Google's Mandiant.
For macOS users, identifying the social engineering tactics SHub Reaper uses is the easiest way to prevent infection, according to SentinelOne. In particular, users should take note of the way the infection chain layers familiar brands and trusted software cues across multiple stages, Stokes noted in the report.
For enterprise defenders, SHub Reaper's move from ClickFix to AppleScript and other living-off-the-land (LotL) techniques for execution creates a new detection surface, rendering the typical Terminal-centric detections for these infections largely ineffective.
Instead, SentinelOne recommends that security teams monitor for the following in their environments to detect SHub Reaper infections: unexpected invocation of Script Editor (Script Editor.app); osascript spawning curl or shell interpreters; browser-to-AppleScript execution chains; and user-driven AppleScript execution originating from unusual URL handlers.
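The four monitoring recommendations above, turned into detection rules and run over constructed process telemetry. This is an added example, not code from the article or from SentinelOne, and the JSON-lines event format (`exec` and `open_url` events with `pid`, `ppid`, `name`, `argv`, `url`) is invented for the example rather than any vendor's schema. It generalizes slightly: the "osascript spawning curl or shell interpreters" rule is applied to any AppleScript runner, including Script Editor itself, since a script run there can also spawn a shell. The one caveat worth knowing is built in: an app opened through a URL scheme is spawned by launchd, not by the browser, so the browser-to-AppleScript chain is found by correlating the `applescript://` hand-off with a Script Editor launch shortly afterwards rather than by parent pid.

```python
"""Detection rules for Script Editor / osascript abuse over constructed telemetry.

Added example. Event format, process names and URLs are constructed; the
rules mirror the four behaviours the article recommends monitoring.
"""
import json
from urllib.parse import urlsplit

BROWSERS = {"Safari", "Google Chrome", "firefox", "Microsoft Edge"}
APPLESCRIPT_RUNNERS = {"osascript", "Script Editor"}
SHELLS_AND_DOWNLOADERS = {"sh", "bash", "zsh", "curl"}
# Apps opened via a URL scheme are children of launchd, so a browser-to-Script
# Editor chain is only visible by time correlation with the URL hand-off.
URL_TO_LAUNCH_WINDOW_S = 10.0


def analyze(lines):
    """Apply the rules to JSON-lines events; return alerts in event order."""
    procs = {}          # pid -> exec event, for parent lookups by ppid
    url_handoffs = []   # timestamps of applescript:// URLs opened by browsers
    alerts = []

    def alert(ev, severity, rule, detail):
        alerts.append({"ts": ev["ts"], "severity": severity, "rule": rule, "detail": detail})

    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev["type"] == "open_url":
            # Rule 4: user-driven AppleScript execution via an unusual URL handler.
            if ev["name"] in BROWSERS and urlsplit(ev["url"]).scheme.lower() == "applescript":
                url_handoffs.append(ev["ts"])
                alert(ev, "high", "applescript_url_from_browser", f'{ev["name"]} opened {ev["url"]}')
            continue
        procs[ev["pid"]] = ev
        parent = procs.get(ev["ppid"], {}).get("name", "launchd")
        if ev["name"] == "Script Editor":
            # Rules 1 and 3: Script Editor invocation, escalated when tied to a browser.
            if parent in BROWSERS:
                alert(ev, "high", "browser_to_script_editor", f"spawned directly by {parent}")
            elif any(0 <= ev["ts"] - t <= URL_TO_LAUNCH_WINDOW_S for t in url_handoffs):
                alert(ev, "high", "browser_to_script_editor",
                      "launched within window of an applescript:// hand-off")
            else:
                alert(ev, "low", "script_editor_invocation", f"parent {parent}")
        # Rule 2: an AppleScript runner spawning curl or a shell.
        if parent in APPLESCRIPT_RUNNERS and ev["name"] in SHELLS_AND_DOWNLOADERS:
            alert(ev, "high", "applescript_runner_spawned_shell",
                  f'{parent} -> {" ".join(ev["argv"])}')
    return alerts


# Constructed telemetry: a Safari applescript:// hand-off, Script Editor
# (parented by launchd) running a shell, a Keystone-style osascript beacon
# calling curl, and one benign osascript run that must not alert.
SAMPLE_EVENTS = """
{"type": "exec", "ts": 0.0, "pid": 1, "ppid": 0, "name": "launchd", "argv": ["/sbin/launchd"]}
{"type": "exec", "ts": 1.0, "pid": 501, "ppid": 1, "name": "Safari", "argv": ["/Applications/Safari.app/Contents/MacOS/Safari"]}
{"type": "open_url", "ts": 5.0, "pid": 501, "name": "Safari", "url": "applescript://example?script=PLACEHOLDER"}
{"type": "exec", "ts": 5.4, "pid": 620, "ppid": 1, "name": "Script Editor", "argv": ["/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"]}
{"type": "exec", "ts": 9.0, "pid": 630, "ppid": 620, "name": "sh", "argv": ["/bin/sh", "-c", "curl -s https://updates.example.invalid/check"]}
{"type": "exec", "ts": 30.0, "pid": 700, "ppid": 1, "name": "osascript", "argv": ["/usr/bin/osascript", "/Users/alice/Library/Google/GoogleSoftwareUpdate/agent.scpt"]}
{"type": "exec", "ts": 30.2, "pid": 701, "ppid": 700, "name": "curl", "argv": ["/usr/bin/curl", "-s", "https://c2.example.invalid/beacon"]}
{"type": "exec", "ts": 60.0, "pid": 800, "ppid": 1, "name": "osascript", "argv": ["/usr/bin/osascript", "/Users/alice/Scripts/rename_photos.scpt"]}
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS.splitlines()):
        print(f'{a["ts"]:6.1f} {a["severity"]:4} {a["rule"]}: {a["detail"]}')
```

On the sample the benign `osascript` run at the end produces nothing, while the Safari hand-off, the Script Editor launch that follows it, Script Editor's shell child and the beacon's curl child each raise a high-severity alert. A plain Script Editor start with no browser context is kept as a low-severity signal rather than dropped, matching the "unexpected invocation" recommendation.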