The macOS threat landscape has experienced a marked escalation in targeting velocity, shifting away from historic isolation toward highly complex monetization campaigns. A prominent example of this evolution is the newly discovered malware strain documented by security intelligence researchers—an updated variation of the notorious SHub Stealer, designated as the “Reaper” build. Distributed actively via deceptive websites designed to mimic highly utilized corporate applications such as WeChat and Miro, this campaign represents a multi-stage approach to end-user compromise. While historical threats against macOS systems relied on complex user interaction or manual Terminal execution paths, the emergence of the Reaper variant signifies a shift toward highly optimized, high-fidelity delivery infrastructures that blend social engineering directly into built-in native execution utilities.

The Mechanics of Automated ClickFix: Weaponizing Native Apple Scripting Tools
At the core of the Reaper delivery framework lies an engineering optimization known as automated ClickFix. In a conventional ClickFix paradigm, threat actors create fake landing pages requiring users to complete arduous, multi-step interventions—such as copying heavily obscured Base64 strings or complex bash commands from a browser window and manually pasting them into the macOS Terminal. The Reaper strain dramatically optimizes this pipeline by implementing custom web code that calls local URI handlers or system automation hooks to force-open the native macOS Script Editor application. When the target clicks a seemingly harmless button on the malicious landing page, the native utility initializes with a pre-loaded, obfuscated AppleScript execution payload hidden just below the visible viewing window. By utilizing the Script Editor—a system-trusted utility bundled directly into all core releases of macOS—attackers successfully bypass traditional cognitive resistance barriers, since users perceive the application interface as fundamentally benign, requiring only a single click on the “Run” (Play) icon to initiate a catastrophic infection chain.
Exploiting Organizational Trust: Sophisticated Brand Spoofing Infrastructure
To solidify psychological trust and obscure underlying operational footprints, the malicious actors orchestrating the Reaper campaign have established an expansive infrastructure based on strategic brand spoofing across core cloud providers, including Apple, Google, and Microsoft. Payloads are hosted on carefully curated typo-squatted domains such as mlcrosoft[.]co[.]com to trick network administrators inspecting outbound traffic logs into validating the connection. Additionally, the delivery mechanics utilize naming conventions that strictly mimic official Apple security distributions, masking executable downloads as standard disk images like support.apple.com/downloads/xprotect-remediator-150.dmg. This multi-layered spoofing strategy ensures that even if advanced users trace the initial network handshakes or disk mounts, the indicators of compromise blend seamlessly into typical day-to-day corporate asset provisioning, systematically neutralizing simple signature or look-up heuristics before the core agent can even execute on the host framework.
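A defender-side check for lookalike domains of the kind described above, added here as an example and not part of the original report: it folds common confusable characters and compares each DNS label against a short brand list. The brand list, the confusable map and the distance threshold are my assumptions.

```python
# Brands the report names as spoofed; extend with your own vendor list (assumed list).
PROTECTED_BRANDS = ("apple", "google", "microsoft")
# Visually confusable substitutions common in typosquats (l/1 for i, 0 for o, rn for m, vv for w).
CONFUSABLES = {"l": "i", "1": "i", "0": "o", "rn": "m", "vv": "w"}

def normalise(label: str) -> str:
    """Fold look-alike characters so 'mlcrosoft' and 'microsoft' compare equal."""
    label = label.lower()
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(hostname: str, max_distance: int = 1):
    """Return (label, brand) for the first DNS label that imitates a protected brand, else None.

    An exact brand label (e.g. 'apple' in support.apple.com) is not a spoof and is skipped;
    only labels that are close to a brand but not equal to it are reported."""
    hostname = hostname.lower().replace("[.]", ".")      # accept defanged indicators as-is
    for label in hostname.split("."):
        folded = normalise(label)
        for brand in PROTECTED_BRANDS:
            if label == brand:
                continue
            folded_brand = normalise(brand)
            if folded == folded_brand or edit_distance(folded, folded_brand) <= max_distance:
                return label, brand
    return None
```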
Deep-Dive Payload Analysis: CIS Evasion, Phishing, and Cryptocurrency Code Hijacking
Upon execution via the compiled Script Editor routine, the Reaper payload conducts localized anti-analysis checks, beginning by inspecting the host’s keyboard configuration for layouts associated with Commonwealth of Independent States (CIS) countries. If the system’s input profile indicates an active Russian language setup, the malware terminates immediately—a hallmark signature of Eastern European threat groups protecting local infrastructure from geopolitical blowback. If the localization check passes, the malware launches a customized phishing sequence, spawning pseudo-system validation panels to extract the user’s administrator password, which grants the binary access to key protected operating system folders.
Structurally, Reaper merges the historic info-stealing components of SHub with file-grabbing capabilities reminiscent of Atomic Stealer (AMOS). It comprehensively scrapes local configuration caches across dominant browsers—including Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Opera, Vivaldi, Arc, and Orion—while actively targeting secure extensions. Most notably, instead of replacing desktop cryptocurrency software entirely, Reaper directly alters the operational code blocks of installed desktop wallet applications such as Exodus, Atomic Wallet, Ledger Live, Electrum, and Trezor Suite, dynamically rewriting core components to compromise private keys in place.
Exfiltration Workflows and LaunchAgent Backdoor Persistence
Once the malware hooks into the targeted data structures, its integrated file-grabbing component parses the primary Desktop and Documents folders, systematically extracting highly targeted file types containing financial, personal, or corporate configurations. The automated query targets precise file extensions, specifically hunting for the following structures:
- Documents & Notes: .docx, .doc, .txt, .rtf, .pdf
- Financial & Data: .csv, .xls, .xlsx, .json
- Credentials & Crypto: .wallet, .key, .keys
- Remote Access: .rdp
The gathered raw files are archived into a zip file and split systematically into structured chunks to prevent network timeouts or detection by data loss prevention (DLP) solutions. This compressed file group is subsequently funneled out using the native macOS curl command to a designated command-and-control (C2) gate server situated at hebsbsbzjsjshduxbs[.]xyz/gate/chunk.
To guarantee ongoing access, Reaper installs an advanced backdoor that perfectly masquerades as a Google software updater. It designs a localized structure path at ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/, writing an encoded Base64 bash payload disguised as GoogleUpdate, and ensuring execution on subsequent system boots by registering a customized LaunchAgent property list file under the label com.google.keystone.agent.plist.
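Added example, not taken from the report: a Python check that flags a LaunchAgent plist matching the persistence pattern described above (Google-branded label, program under the GoogleUpdate.app path, Base64-decoding shell script instead of a Mach-O binary). The GoogleUpdate.app path comes from the report; the legitimate Keystone location and the sample plists are assumptions I constructed.

```python
import plistlib
from pathlib import Path

# Path fragment the report ties to the Reaper backdoor (relative to the user's home).
REAPER_PROGRAM_DIR = "Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS"
# Assumed legitimate home of Google's Keystone updater (my assumption, not from the report).
KEYSTONE_DIR = "Library/Google/GoogleSoftwareUpdate"
MACHO_MAGIC = (b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
BASE64_MARKERS = (b"base64 -d", b"base64 -D", b"base64 --decode")

def program_of(data: dict) -> str:
    args = data.get("ProgramArguments") or []      # launchd uses Program or ProgramArguments[0]
    return str(data.get("Program") or (args[0] if args else ""))

def launch_agent_findings(plist_bytes: bytes, program_head: bytes = b"") -> list:
    """Return reasons a LaunchAgent plist looks like the masquerading Google updater."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:                       # a plist launchd cannot parse is itself odd
        return [f"unparseable plist: {exc}"]
    label, program, findings = str(data.get("Label", "")), program_of(data), []
    if REAPER_PROGRAM_DIR in program:
        findings.append("program lives in the GoogleUpdate.app path used by Reaper")
    if label.startswith("com.google.keystone") and KEYSTONE_DIR not in program:
        findings.append("Keystone label but program is outside the Keystone bundle")
    if program_head.startswith(b"#!"):              # script: flag only if it decodes Base64
        if any(m in program_head for m in BASE64_MARKERS):
            findings.append("program is a shell script that decodes Base64 at run time")
    elif program_head and not program_head.startswith(MACHO_MAGIC):
        findings.append("program is neither a Mach-O binary nor a script")
    return findings

def scan_launch_agents(agents_dir: Path) -> dict:
    """Map each suspicious plist under agents_dir (e.g. ~/Library/LaunchAgents) to its findings."""
    report = {}
    for plist_path in agents_dir.glob("*.plist"):
        raw, head = plist_path.read_bytes(), b""
        try:
            head = Path(program_of(plistlib.loads(raw))).read_bytes()[:512]
        except Exception:                          # missing program or bad plist: still check plist
            pass
        if hits := launch_agent_findings(raw, head):
            report[plist_path.name] = hits
    return report
# Constructed samples (not real artefacts): a Reaper-style agent and a plausible benign one.
BAD_PLIST = plistlib.dumps({"Label": "com.google.keystone.agent", "RunAtLoad": True,
    "ProgramArguments": ["/Users/alice/" + REAPER_PROGRAM_DIR + "/GoogleUpdate"]})
BAD_HEAD = b"#!/bin/bash\necho 'ZWNobyBoaQo=' | base64 -d | bash\n"
OK_PLIST = plistlib.dumps({"Label": "com.google.keystone.agent", "Program": "/Users/alice/" + KEYSTONE_DIR + "/agent"})
```

Run scan_launch_agents(Path.home() / "Library/LaunchAgents") on a host to list agents that trip any of the checks.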
Our Opinion on This Case
The rise of sophisticated macOS-focused malware like the Reaper build of SHub Stealer represents a paradigm shift in the consumer and enterprise threat landscape. For years, macOS enjoyed a reputation of relative security, largely insulated from the aggressive stealer marketplace dominating Windows ecosystems. However, as business environments increasingly adopt Mac endpoints, threat actors are aggressively adapting. The automation of the ClickFix technique—relying on native tools like the Script Editor—highlights a deeper issue: the weaponization of built-in system administration utilities.
By bypassing the traditional copy-paste requirement, attackers minimize user friction and lower the cognitive barrier to infection. Furthermore, Reaper’s ability to directly inject malicious routines into the source code of local crypto wallets, rather than replacing the binaries, demonstrates an alarming level of engineering maturity. This approach effectively circumvents traditional signature-based detection mechanisms that scan for unauthorized standalone executables. In our view, relying solely on native macOS protections like Gatekeeper and XProtect is no longer sufficient. Organizations must deploy robust Endpoint Detection and Response (EDR) solutions capable of behaviorally monitoring native applications like Script Editor. Security teams must treat native automation frameworks with the same zero-trust scrutiny historically reserved for third-party executables.
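Added example, not from the report, of the behavioural monitoring argued for here applied to the ClickFix chain described earlier: it walks a constructed process snapshot and flags shells, osascript or curl whose ancestry includes Script Editor. The intermediate shell process and the snapshot format are my assumptions; real telemetry would come from an EDR or Endpoint Security client.

```python
# Process names in the report's chain: Script Editor runs the AppleScript, curl exfiltrates.
SCRIPT_EDITOR = "Script Editor"
WATCHED_CHILDREN = {"bash", "sh", "zsh", "osascript", "curl"}

def ancestors(pid: int, procs: dict) -> list:
    """Names from pid up to the root; procs maps pid -> {"ppid": int, "name": str}."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:        # seen guards against cyclic ppid data
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain

def script_editor_spawns(procs: dict) -> list:
    """Return sorted (pid, name) for every watched process with Script Editor above it."""
    hits = []
    for pid, proc in procs.items():
        if proc["name"] in WATCHED_CHILDREN and SCRIPT_EDITOR in ancestors(pid, procs)[1:]:
            hits.append((pid, proc["name"]))
    return sorted(hits)

# Constructed snapshot (not real telemetry): launchd -> Script Editor -> bash -> curl,
# next to a benign Terminal -> zsh -> curl that must not fire.
SNAPSHOT = {
    1: {"ppid": 0, "name": "launchd"},
    400: {"ppid": 1, "name": "Script Editor"},
    401: {"ppid": 400, "name": "bash"},
    402: {"ppid": 401, "name": "curl"},
    500: {"ppid": 1, "name": "Terminal"},
    501: {"ppid": 500, "name": "zsh"},
    502: {"ppid": 501, "name": "curl"},
}
```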
