A variant of SHUb macOS infostealer spoofs Apple security updates

A new variant of the ‘SHUb’ macOS infostealer uses AppleScript to display a fake security update message and install a backdoor.
Dubbed Reaper, the new version steals sensitive browser data, collects documents and files that may contain financial information, and hijacks crypto wallet applications.
Unlike previous SHUb campaigns that relied on “ClickFix” tactics, tricking users into pasting and executing commands in Terminal, Reaper relies on the applescript:// URL scheme to launch the macOS Script Editor preloaded with malicious AppleScript.
This method bypasses the Terminal-based mitigations that Apple introduced in late March with macOS Tahoe 26.4, which prevent pasting and executing potentially dangerous commands.
SentinelOne researchers identified a new variant of the SHUb infostealer and found that users were lured with fake installers for the WeChat and Miro apps, hosted on domains made to look legitimate to unsuspecting users (e.g., qq-0732gwh22[.]com, mlcrosoft[.]co[.]com, mlroweb[.]com).
Currently, the fake QQ and Microsoft domains are still serving fake WeChat installers, while the one impersonating the Miro virtual collaboration platform redirects to the official website.
BleepingComputer noticed that the download buttons for Windows and Android also work, with the files hosted on a Dropbox account.
Before delivering the AppleScript, the malicious websites fingerprint the visitor’s device, checking for virtual machines and VPNs (which may indicate an analysis machine) and counting installed browser extensions for password managers and cryptocurrency wallets. All telemetry is delivered to the attacker via a Telegram bot.
A SentinelOne report today notes that the script containing the payload is dynamically generated and hidden under ASCII art.

Source: SentinelOne
When the victim clicks ‘Run,’ the script displays a fake Apple security update message referring to XProtectRemediator, downloads a shell script using ‘curl,’ and executes it silently with ‘zsh.’
Before running its data-theft logic, the malware checks whether the victim is using a Russian keyboard layout/input source; if there is a match, it reports a ‘cis_blocked’ event to the command-and-control (C2) server and exits without infecting the system.
If the host is not Russian, Reaper executes the malicious AppleScript data-stealing routine using the osascript command-line tool built into macOS.
When launched, it prompts the user for their macOS password, which can be used to access Keychain items, decrypt them, and read protected data. The infostealer then targets the following:
- Browser data from Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Opera, Vivaldi, Arc, and Orion
- Cryptocurrency wallet browser extensions, including MetaMask and Phantom
- Password manager browser extensions, including 1Password, Bitwarden, and LastPass
- Desktop cryptocurrency apps, including Exodus, Atomic Wallet, Ledger Live, Electrum, and Trezor Suite
- iCloud account data
- Telegram session data
- Developer-related configuration files
Reaper also includes a “Filegrabber” module that searches the Desktop and Documents folders for file types that may contain sensitive information. It collects target files smaller than 2MB, or up to 6MB in the case of PNG image files, with a total volume limit set to 150MB.

Source: SentinelOne
If wallet apps are present, the malware hijacks them by terminating their processes and replacing a core file called app.asar with a malicious version downloaded from the command-and-control (C2) server.
To avoid any Gatekeeper warnings, the SHUb Reaper malware “clears the quarantine attributes with xattr -cr and uses exclusive code signing in the modified application stack,” the researchers explained.

Source: SentinelOne
SentinelOne warns that the malware establishes persistence by installing a script that masquerades as a Google software updater and registering it as a LaunchAgent. The script runs every minute and acts as a beacon that sends system information to the C2 server.
If the script receives a payload, it extracts the code, executes it in the context of the current user, and then deletes the file, giving the attacker extended access to the machine.
SentinelOne highlights that the SHUb operator has expanded the infostealer’s capabilities to include remote access to compromised devices, which could allow the installation of additional malware.
The researchers have provided a set of indicators of compromise that can help defenders detect and block malicious behavior associated with the new SHUb Reaper infostealer variant.
SentinelOne recommends monitoring for suspicious outgoing traffic after the Script Editor is used, and for new LaunchAgents and related files that appear in trusted vendors’ namespaces.
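The LaunchAgent detection advice above can be turned into a simple triage check. The Python below is an added example (not SentinelOne's tooling or the malware's code) that flags a user LaunchAgent when its label borrows a trusted vendor's namespace but its program is an interpreter-run script, lives in a hidden directory, or beacons on a once-a-minute StartInterval; the vendor list, interpreter list, and the two sample plists are constructed assumptions.

```python
import plistlib
from pathlib import Path

# Assumption: vendor names an impostor label is likely to borrow; extend for your fleet.
SPOOFABLE_VENDORS = ("google", "apple", "microsoft")
# A vendor updater is a signed binary; a beacon script needs an interpreter to run.
INTERPRETERS = {"zsh", "bash", "sh", "osascript"}
BEACON_MAX_INTERVAL = 60  # seconds; the report describes a once-a-minute beacon


def analyze_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means nothing flagged."""
    plist = plistlib.loads(plist_bytes)
    label = str(plist.get("Label", "")).lower()
    args = plist.get("ProgramArguments") or ([plist["Program"]] if "Program" in plist else [])
    findings = []
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= BEACON_MAX_INTERVAL:
        findings.append(f"beacon-like StartInterval of {interval}s")
    if args:
        exe = Path(args[0]).name.lower()
        if exe in INTERPRETERS:
            findings.append(f"launched through interpreter '{exe}' rather than a signed binary")
        if any("/." in a for a in args):
            findings.append("program path passes through a hidden directory")
        vendor = next((v for v in SPOOFABLE_VENDORS if f".{v}." in label), None)
        if vendor and not any(vendor in a.lower() for a in args):
            findings.append(f"label claims '{vendor}' but no program path belongs to that vendor")
    return findings


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Scan every .plist in a LaunchAgents folder; only entries with findings are returned."""
    results = {}
    for p in sorted(directory.glob("*.plist")):
        findings = analyze_launch_agent(p.read_bytes())
        if findings:
            results[p.name] = findings
    return results


# Constructed samples (not real vendor files): a plausible vendor agent and a disguised beacon.
BENIGN_PLIST = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.google.keystone.agent</string>
<key>ProgramArguments</key><array><string>/Users/alice/Library/Application Support/Google/Updater/updater</string></array>
<key>StartInterval</key><integer>3600</integer></dict></plist>"""
FAKE_UPDATER_PLIST = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.google.softwareupdate</string>
<key>ProgramArguments</key><array><string>/bin/zsh</string>
<string>/Users/alice/Library/Application Support/.update/update.sh</string></array>
<key>StartInterval</key><integer>60</integer><key>RunAtLoad</key><true/></dict></plist>"""
```

Run `scan_launch_agents(Path.home() / "Library" / "LaunchAgents")` on a Mac to triage the current user's agents; treat hits as leads for manual review, since a legitimate agent can trip a single heuristic.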