SHub Reaper Stealer Hijacks macOS via AppleScript URL Scheme
SHub Reaper macOS infostealer bypasses Tahoe 26.4 defenses using applescript:// URLs, spoofs Apple, Google, and Microsoft to steal credentials and backdoor systems.
A sophisticated macOS infostealer dubbed SHub Reaper has emerged with a novel attack chain that bypasses the Terminal-based mitigations Apple introduced in late March with macOS Tahoe 26.4. SentinelOne researchers disclosed the campaign on May 18, revealing that the malware spoofs Apple, Google, and Microsoft services in a single infection chain while establishing persistent backdoor access.
The attack begins with fake WeChat or Miro installer websites hosted on typosquatted domains like mlcrosoft[.]co[.]com. Unlike earlier SHub campaigns that relied on ClickFix tactics—which Apple's Tahoe 26.4 update blocked by preventing Terminal from executing pasted commands—Reaper uses the applescript:// URL scheme to launch Script Editor with pre-populated malicious code. This approach sidesteps the new defenses entirely.
How the Attack Chain Works
When a victim visits a lure page, the site collects fingerprinting data including IP address, WebGL information, and VM/VPN detection. It also checks for browser extensions like 1Password, MetaMask, and Phantom wallet. If the target passes these checks and isn't running Russian input sources (CIS regions are explicitly excluded), the page triggers Script Editor via the applescript:// handler.
The embedded AppleScript is padded with ASCII art and fake terms to hide malicious commands below the visible window area. While executing, it displays a fake "Apple XProtectRemediator update" message. Behind the scenes, encoded commands harvest credentials from Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Orion browsers. Desktop crypto wallets including Exodus, Atomic, Ledger Live, Electrum, and Trezor Suite are also targeted.
Filegrabber and Exfiltration
Reaper includes a document filegrabber module inspired by Atomic macOS Stealer (AMOS) that we covered earlier this year. It searches Desktop and Documents folders for sensitive files—.docx, .wallet, .key, .keys, .txt, .rtf, .csv, .xls, .xlsx, .json, .rdp, and PNG images—capped at 150MB total collection.
Collected files are staged in /tmp/shub_<random>/. When the archive exceeds 85MB, a Bash script at /tmp/shub_split.sh splits it into 70MB ZIP chunks that are uploaded one after another to hebsbsbzjsjshduxbs[.]xyz/gate/chunk. Chunking keeps each transfer below the size thresholds that network monitoring might flag on a single large upload.
Persistence Through Fake Google Update
The malware establishes persistence by masquerading as Google Software Update. It creates the directory structure ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/ and drops a Base64-decoded Bash script named GoogleUpdate there. A LaunchAgent plist named com.google.keystone.agent.plist runs the backdoor every 60 seconds. Google's genuine Keystone updater installs a LaunchAgent with the same label, so the tell is the program path the plist points at (a shell script inside an app bundle under Application Support), not the label itself.
The backdoor beacon sends system details to hebsbsbzjsjshduxbs[.]xyz/api/bot/heartbeat. If the C2 returns a "code" payload, the malware decodes it, writes to hidden /tmp/.c.sh, executes with current user privileges, then deletes the file. This enables persistent remote command execution on compromised systems.
Crypto Wallet Hijacking
Beyond stealing credentials, Reaper actively compromises cryptocurrency wallet applications. The malware downloads modified app.asar files from its C2, terminates legitimate wallet processes, and replaces core application files. It clears quarantine attributes with xattr -cr and applies ad-hoc code signing to bypass Gatekeeper—a technique that mirrors recent macOS malware campaigns targeting crypto users.
Indicators of Compromise
Security teams should monitor for these artifacts:
Network Indicators:
- Primary C2: hebsbsbzjsjshduxbs[.]xyz
- Endpoints: /api/debug/event, /api/bot/heartbeat, /gate
- Lure domains: qq-0732gwh22[.]com, mlcrosoft[.]co[.]com, mlroweb[.]com
File System Paths:
- Backdoor: ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate
- Persistence: ~/Library/LaunchAgents/com.google.keystone.agent.plist
- Staging: /tmp/shub_log.zip, /tmp/shub_split.sh, /tmp/shub_mzip_*.zip
Build Identifiers:
- Build ID: 6552824c59ddacb134073f24a4bd4724514a938a9dc59f1733503642faed3bd3
- Build Name: Reaper
- Hardcoded Hash: c917fcf8314228862571f80c9e4a871e
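A host-side hunt for the persistence artifacts described under "Persistence Through Fake Google Update" and the file-system indicators listed above, as an added example that is neither SentinelOne's nor the malware's code. It parses the LaunchAgent with plistlib and judges it by what it runs rather than by its label (Google's real Keystone agent uses the same com.google.keystone.agent label), flags an app-bundle executable that is not Mach-O, and sweeps a /tmp directory for the shub_* staging files. The EXPECTED_VENDOR_DIRS allowlist is an assumption to tune per fleet, the plist is assumed to hold an absolute program path, and the infected home directory the demo builds is constructed for illustration.

```python
"""Hunt for the SHub Reaper persistence and staging artifacts listed on this page.

Added example (not SentinelOne's or the malware's code). Paths come from the
page's IOC list; EXPECTED_VENDOR_DIRS is an assumption to tune per fleet.
"""
import fnmatch
import plistlib
import tempfile
from pathlib import Path

BACKDOOR_SUFFIX = "GoogleUpdate.app/Contents/MacOS/GoogleUpdate"
AGENT_NAME = "com.google.keystone.agent.plist"
# Staging names from the IOC list, plus the hidden /tmp/.c.sh drop used by the beacon.
STAGING_PATTERNS = ("shub_log.zip", "shub_split.sh", "shub_mzip_*.zip", "shub_*", ".c.sh")
# Assumption: where a genuine agent for each vendor label prefix should live.
EXPECTED_VENDOR_DIRS = {"com.google.": "Library/Google/GoogleSoftwareUpdate"}
# Mach-O (both byte orders) and universal-binary magics; a real .app executable
# in Contents/MacOS/ starts with one of these, a dropped Bash script does not.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}


def program_of(plist: dict) -> str:
    """The executable a LaunchAgent runs: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def check_launch_agent(plist: dict, home) -> list[str]:
    """Rules for one parsed LaunchAgent. The label alone proves nothing, since
    Google's real Keystone agent uses the same one; judge the program instead."""
    home = Path(home)
    prog = program_of(plist)
    label = str(plist.get("Label", ""))
    findings = []
    if prog.endswith(BACKDOOR_SUFFIX):
        findings.append(f"program is the Reaper backdoor path: {prog}")
    for prefix, vendor_dir in EXPECTED_VENDOR_DIRS.items():
        if label.startswith(prefix) and not prog.startswith(str(home / vendor_dir)):
            findings.append(f"label {label} runs a program outside {vendor_dir}: {prog}")
    target = Path(prog)
    if "/Contents/MacOS/" in prog and target.is_file():
        with target.open("rb") as fh:
            magic = fh.read(4)
        if magic not in MACHO_MAGICS:
            findings.append(f"{prog} is inside an app bundle but is not Mach-O (script?)")
    return findings


def hunt(home, tmp) -> list[str]:
    """Check one user's home directory and a /tmp directory for the IOCs."""
    home, tmp = Path(home), Path(tmp)
    findings = []
    agent = home / "Library/LaunchAgents" / AGENT_NAME
    if agent.is_file():
        try:
            findings += check_launch_agent(plistlib.loads(agent.read_bytes()), home)
        except Exception as exc:  # malformed XML or binary plist
            findings.append(f"{agent} is not a valid plist: {exc}")
    backdoor = home / "Library/Application Support/Google" / BACKDOOR_SUFFIX
    if backdoor.exists():
        findings.append(f"backdoor script present: {backdoor}")
    for entry in (tmp.iterdir() if tmp.is_dir() else []):
        if any(fnmatch.fnmatch(entry.name, p) for p in STAGING_PATTERNS):
            findings.append(f"staging artifact: {entry}")
    return findings


def build_sample_home(root: Path) -> tuple[Path, Path]:
    """Lay out a CONSTRUCTED infected home and tmp directory mirroring the IOCs."""
    home, tmp = root / "home", root / "tmp"
    script = home / "Library/Application Support/Google" / BACKDOOR_SUFFIX
    script.parent.mkdir(parents=True)
    script.write_text("#!/bin/bash\n# placeholder standing in for the decoded beacon\n")
    agents = home / "Library/LaunchAgents"
    agents.mkdir(parents=True)
    plist = {"Label": "com.google.keystone.agent", "ProgramArguments": [str(script)],
             "RunAtLoad": True, "StartInterval": 60}
    (agents / AGENT_NAME).write_bytes(plistlib.dumps(plist))
    tmp.mkdir()
    (tmp / "shub_split.sh").write_text("#!/bin/bash\n")
    (tmp / "shub_mzip_1.zip").write_bytes(b"PK")
    return home, tmp


def demo() -> list[str]:
    """Run the hunt against the constructed sample; returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        home, tmp = build_sample_home(Path(root))
        return hunt(home, tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real fleet you would call hunt() with each user's home directory and /tmp; the sample triggers six findings (three from the plist rules, the backdoor file, and two staging files). The Mach-O check is the rule that survives a renamed label or path, because the dropped payload is a Bash script where a real updater would be a compiled binary.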
Why This Matters
SHub Reaper represents an evolution in macOS malware that directly responds to Apple's security improvements. By pivoting from Terminal-based ClickFix attacks to AppleScript URL scheme abuse, the threat actors demonstrate they're actively tracking and circumventing platform defenses.
The malware's regional exclusions—halting execution on systems with Russian input sources—suggest Eastern European operators, consistent with the Russian "Access Denied" messages (Доступ запрещен) displayed when analysis tools are detected.
Organizations with macOS fleets should monitor for unexpected AppleScript/osascript activity, suspicious outbound traffic following Script Editor execution, and unauthorized LaunchAgent creation in vendor namespaces. SentinelOne notes that behavioral analysis catches Reaper regardless of obfuscation techniques, since the infection chain produces distinctive patterns even when payloads change.