A new variant of the SHub macOS infostealer is using AppleScript and fake security prompts to infect users’ systems and install a persistent backdoor, according to researchers at SentinelOne.
The updated malware, dubbed “Reaper,” targets macOS users via fake installers for popular applications including WeChat and Miro. Unlike previous SHub campaigns that leveraged ClickFix social engineering tactics involving Terminal commands, Reaper abuses the applescript:// URL scheme to automatically open the macOS Script Editor with a preloaded malicious script.
Researchers say this technique sidesteps the protection Apple introduced in macOS Tahoe 26.4, which is designed to stop users from pasting and executing dangerous commands in Terminal. Because the applescript:// handler hands the script to Script Editor rather than Terminal, that paste protection never comes into play; the victim only has to click Run.
Before delivering the malware, the malicious websites profile visitors’ systems, checking for virtual machines, VPNs, browser extensions, cryptocurrency wallets, and password managers. The collected data is then sent to attackers through a Telegram bot.
The AppleScript displays a fake Apple security update message referencing XProtectRemediator, then silently downloads and launches additional malware components using curl and zsh. The malware also checks whether the infected system uses a Russian keyboard layout and exits if it detects one, a common guard used by malware to avoid infecting victims in Russia.
Reaper is capable of stealing browser credentials, collecting sensitive files from Desktop and Documents folders, and hijacking cryptocurrency wallet applications by replacing legitimate application files with malicious versions downloaded from a command-and-control server.
The malware also establishes persistence by disguising itself as a Google software update process and installing a LaunchAgent that contacts attackers every minute for new instructions. This gives threat actors ongoing remote access to infected machines, allowing them to execute additional payloads and maintain long-term control over compromised systems.
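The persistence described above (a LaunchAgent dressed up as a Google updater, beaconing every minute) is something a responder can triage from the plists alone. The following is an added example, not code from SentinelOne or from the article, and it does not use any real Reaper file names, labels or paths, which the article does not give. It assumes the one-minute beacon is implemented as a `StartInterval` of 60 seconds or less, that legitimate Google agents live under a `Library/Google/` path, and it runs over constructed sample plists embedded in the script so it can be executed offline.

```python
"""Triage LaunchAgent plists for the 'fake Google updater' persistence pattern.

Added example (assumptions, not facts from the article): the beacon interval
is expressed as StartInterval <= 60, genuine Google agents run binaries under
a 'Library/Google/' path, and the sample plists below are constructed.
"""
import os
import plistlib

BEACON_SECONDS = 60  # assumed encoding of "every minute"
GOOGLE_LEGIT_MARKER = "Library/Google/"  # assumed legitimate install location
SHELL_OR_DOWNLOADER = {"zsh", "bash", "sh", "curl", "osascript"}

# Constructed sample plists; not real Reaper artifacts.
SAMPLE_PLISTS = {
    "/Users/alice/Library/LaunchAgents/com.google.updater.agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.google.updater.agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/zsh</string>
    <string>-c</string>
    <string>/Users/alice/Library/Application Support/.gupdate/update</string>
  </array>
  <key>StartInterval</key><integer>60</integer>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
""",
    "/Users/alice/Library/LaunchAgents/com.google.keystone.agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
""",
}


def program_of(plist: dict) -> str:
    """Return the executable a LaunchAgent runs (Program wins over ProgramArguments[0])."""
    args = plist.get("ProgramArguments") or []
    return plist.get("Program") or (args[0] if args else "")


def triage(plist_bytes: bytes) -> list[str]:
    """Return human-readable findings for one plist; an empty list means nothing flagged."""
    p = plistlib.loads(plist_bytes)
    label = str(p.get("Label", "")).lower()
    program = program_of(p)
    args = p.get("ProgramArguments") or []
    findings = []

    interval = p.get("StartInterval")
    if isinstance(interval, int) and interval <= BEACON_SECONDS:
        findings.append(f"tight beacon interval: StartInterval={interval}s")

    if "google" in label and GOOGLE_LEGIT_MARKER not in " ".join([program, *args]):
        findings.append("Google-style label but nothing under a Library/Google/ path")

    if os.path.basename(program) in SHELL_OR_DOWNLOADER:
        findings.append(f"agent launches a shell/downloader directly: {program}")

    # Any hidden directory component (a path segment starting with '.') in the arguments.
    for a in args:
        if any(seg.startswith(".") and seg not in (".", "..") for seg in a.split("/")):
            findings.append(f"hidden directory in arguments: {a}")
            break

    return findings


def scan(plists: dict[str, bytes]) -> dict[str, list[str]]:
    """Triage every plist and keep only the ones with findings."""
    return {path: f for path, data in plists.items() if (f := triage(data))}


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_PLISTS).items():
        print(path)
        for f in findings:
            print("  -", f)
```

On a live host, replace `SAMPLE_PLISTS` with the contents of `~/Library/LaunchAgents` and `/Library/LaunchAgents`. Treat the output as a triage list rather than a signature: a malicious agent can beacon from a loop inside its own script with no `StartInterval` at all, and a legitimate agent can legitimately invoke `/bin/sh`, so each hit still needs the binary and its network behaviour reviewed.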