PROBABLYPWNED
Malware | June 1, 2026 | 5 min read

SHub Reaper Targets macOS With Fake Apple Security Updates

New macOS infostealer SHub Reaper impersonates Apple, Microsoft, and Google software to steal passwords, crypto wallets, and iCloud data. Bypasses Tahoe 26.4 mitigations.

James Rivera

A new macOS infostealer called SHub Reaper is spreading through fake software updates impersonating Apple, Microsoft, and Google. The malware steals passwords, cryptocurrency wallets, browser data, and iCloud credentials while evading recent macOS security improvements. Security researchers at Help Net Security documented the campaign targeting users across multiple attack vectors.

SHub Reaper represents the latest evolution of the SHub Stealer family, which has circulated through macOS-focused criminal campaigns for two years. This variant adds sophisticated evasion techniques and expands data collection to include developer credentials and Telegram session data—high-value targets for supply chain attacks and account takeovers.

Bypassing macOS Protections

Apple's Tahoe 26.4 update introduced mitigations against a common malware delivery technique: using ClickFix-style prompts that trick users into copying and pasting malicious Terminal commands. Many infostealers relied on this social engineering approach.

SHub Reaper sidesteps those mitigations entirely. Instead of Terminal trickery, it abuses the applescript:// URL scheme to launch macOS Script Editor with a malicious payload pre-loaded. BleepingComputer's analysis explains that this technique bypasses the new protections because Script Editor is a legitimate Apple application—macOS doesn't block AppleScript execution when initiated through the URL scheme.

The attack flow looks legitimate to users. They receive what appears to be a security update prompt from Apple, complete with convincing branding and urgent language about "critical security updates." Clicking the prompt launches Script Editor briefly before the malicious payload executes.

What SHub Reaper Steals

The malware targets an expansive list of data sources:

Browser Data

  • Saved passwords and autofill credentials
  • Session cookies for authenticated services
  • Browser history and bookmarks
  • Payment card information stored in browsers

Cryptocurrency

  • Wallet files from popular desktop wallets
  • Browser extension data for MetaMask and similar web3 wallets
  • Seed phrase backups stored in Documents folders

Apple Ecosystem

  • macOS Keychain data (requires user password prompt)
  • iCloud account credentials
  • Apple ID authentication tokens

Developer Targets

  • SSH keys and configuration files
  • Git credentials and repository tokens
  • AWS, GCP, and Azure credential files
  • Environment files containing API keys

Messaging

  • Telegram session data enabling account cloning
  • Signal Desktop database files
  • Slack workspace tokens

The Filegrabber module searches Desktop and Documents folders for files likely containing sensitive information—text files with keywords like "password," "seed phrase," or "recovery." Collection is capped at 150MB total to avoid detection through unusual network activity.

Persistence Mechanism

SHub Reaper doesn't just steal data and leave. It establishes persistence through a clever disguise. The malware creates a fake Google Chrome update service in the user's Library folder:

  • Creates a GoogleUpdate.app application bundle
  • Registers com.google.keystone.agent.plist as a LaunchAgent
  • Executes every 60 seconds to maintain backdoor access

The Google branding is deliberate. macOS users expect Google software to have persistent update services—Chrome's actual updater uses similar naming conventions. Casual inspection of LaunchAgents won't flag this as suspicious to most users.

This persistence mechanism also enables follow-on attacks. Once the backdoor is established, operators can push additional payloads, update exfiltration targets, or deploy ransomware when they've finished data collection.

Connection to Broader Threats

Mac users often believe they're inherently safer than Windows users. That assumption grows more dangerous each year. We've covered increasing macOS targeting as threat actors recognize the value of Apple-ecosystem credentials.

SHub Reaper specifically targets the intersection of high-value user segments: cryptocurrency holders, software developers, and users with Apple ecosystem investments. These demographics tend toward macOS, and their credentials command premium prices on criminal marketplaces.

The developer targeting is particularly concerning for supply chain security. SSH keys and repository access tokens enable attackers to push malicious code to legitimate projects. A single compromised developer machine can become the starting point for attacks affecting thousands of downstream users.

Indicators of Compromise

The Register's coverage includes specific IOCs to monitor:

Persistence Locations

  • ~/Library/LaunchAgents/com.google.keystone.agent.plist
  • ~/Library/Application Support/Google/GoogleUpdate.app

Behavioral Indicators

  • AppleScript URL scheme invocations from unknown sources
  • Script Editor launching without user action
  • Unusual outbound connections following fake update prompts

Protection Recommendations

  1. Verify software update sources — Apple system updates come through System Preferences/Settings, not web prompts or email links
  2. Audit LaunchAgents regularly — Check ~/Library/LaunchAgents for unexpected entries; legitimate Google software doesn't typically create user-level LaunchAgents
  3. Enable Gatekeeper — Keep macOS security features enabled; don't disable them to install questionable software
  4. Use a password manager — Credentials stored in browser autofill are easy targets; dedicated password managers provide better protection
  5. Review installed profiles — Check System Preferences > Profiles for unexpected management profiles that could indicate compromise
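The persistence entry described above and the LaunchAgent audit in recommendation 2 can be checked with a small script. The following is an added example, not code from the article or its sources: it parses every plist in a LaunchAgents directory with the standard `plistlib` module and flags entries that match the published IOCs, use a 60-second StartInterval, or run a program out of the user's own Library folder. `demo()` builds a constructed fixture directory (the victim path and the benign `com.example.backup` agent are made up for illustration); point `audit_launch_agents()` at `~/Library/LaunchAgents` to audit a real machine.

```python
import plistlib
import tempfile
from pathlib import Path

# Indicators quoted in the article's IOC section.
BAD_LABELS = {"com.google.keystone.agent"}
BAD_PATH_FRAGMENT = "Library/Application Support/Google/GoogleUpdate.app"

def audit_launch_agents(agents_dir):
    """Return [(plist name, [reasons])] for each suspicious LaunchAgent; heuristics
    follow the article: IOC label/path, 60 s StartInterval, program in ~/Library."""
    findings = []
    for plist_path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            with open(plist_path, "rb") as fh:
                data = plistlib.load(fh)
        except (plistlib.InvalidFileException, ValueError) as exc:
            findings.append((plist_path.name, [f"unparseable plist: {exc}"]))
            continue  # a malformed plist is itself worth a look
        program = (data.get("ProgramArguments") or [data.get("Program", "")])[0]
        reasons = []
        if data.get("Label") in BAD_LABELS:
            reasons.append(f"label matches IOC: {data['Label']}")
        if BAD_PATH_FRAGMENT in program:
            reasons.append(f"program path matches IOC: {program}")
        if isinstance(data.get("StartInterval"), int) and data["StartInterval"] <= 60:
            reasons.append(f"aggressive StartInterval: {data['StartInterval']}s")
        if program.startswith("/Users/") and "/Library/" in program:
            reasons.append("program runs from the user's Library folder")
        if reasons:
            findings.append((plist_path.name, reasons))
    return findings

def demo():
    """Audit a temp dir holding two constructed plists: one mimicking the IOC, one benign."""
    agents_dir = Path(tempfile.mkdtemp())
    entries = {
        "com.google.keystone.agent.plist": {  # constructed, mimics the IOC
            "Label": "com.google.keystone.agent",
            "ProgramArguments": ["/Users/victim/Library/Application Support/"
                                 "Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate"],
            "StartInterval": 60},
        "com.example.backup.plist": {  # constructed benign agent for contrast
            "Label": "com.example.backup",
            "ProgramArguments": ["/usr/local/bin/backup", "--quiet"],
            "StartInterval": 3600}}
    for name, content in entries.items():
        with open(agents_dir / name, "wb") as fh:
            plistlib.dump(content, fh)
    return audit_launch_agents(agents_dir)
```

The label and path checks are exact-match IOCs; the interval and user-Library heuristics will also surface other user-level agents that deserve a second look, so treat them as triage hints rather than verdicts.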

For users handling cryptocurrency, hardware wallets provide better protection than software wallets stored on potentially compromised systems. Seed phrases should never exist in digital form on internet-connected devices.

Organizations with macOS fleets should review our malware defense fundamentals and consider endpoint detection solutions specifically designed for Apple platforms. The days of "Macs don't get viruses" ended years ago.
