SHub 'Reaper' Infostealer Masquerades as Apple Security Update to Backdoor macOS Systems
A new variant of the **SHub** macOS infostealer, dubbed 'Reaper,' spoofs a legitimate **Apple** security update with AppleScript, sidesteps the Terminal-based mitigations **Apple** added in macOS Tahoe 26.4, and installs a backdoor alongside its data-theft routine.

The 'Reaper' variant of the **SHub** macOS infostealer is targeting sensitive browser data, financial documents, and cryptocurrency wallets using a fake security update message.
**Evasion Tactics**
Unlike previous **SHub** campaigns that relied on "ClickFix" tactics (coaxing the victim into pasting a command into Terminal), this variant uses the `applescript://` URL scheme to open a malicious **AppleScript** in the macOS Script Editor, where the victim only has to click Run. That sidesteps the Terminal-based mitigations **Apple** introduced in macOS Tahoe 26.4, which aimed to block the pasting and execution of potentially harmful commands: those protections apply to Terminal, not to Script Editor.
**Distribution Method**
Researchers at **SentinelOne** discovered that victims are lured with fake installers for **WeChat** and **Miro**, hosted on domains designed to appear legitimate (e.g., qq-0732gwh22[.]com, mlcrosoft[.]co[.]com, mlroweb[.]com). While some of these domains are still serving fake installers, others redirect to the legitimate **Miro** website.
Notably, download buttons for Windows and Android versions on these malicious sites serve the same executable hosted on a **Dropbox** account.
Prior to executing the **AppleScript**, the malicious websites fingerprint the visitor's device to check for virtual machines and VPNs, potentially indicating analysis environments. They also enumerate installed browser extensions for password managers and cryptocurrency wallets. All collected telemetry data is sent to the attacker via a **Telegram** bot.
**Infection Chain**
**SentinelOne** reports that the script containing the command to fetch the payload is dynamically constructed and hidden within ASCII art.

When the victim clicks "Run," the script displays a fake **Apple** security update message referencing **XProtectRemediator**, downloads a shell script using `curl`, and executes it silently via `zsh`.
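A detection for this chain, written here as an added example (not SentinelOne's detection logic), over process-creation telemetry: a Script Editor or `osascript` process whose descendants run `curl` and then `zsh` within a short window, which also covers the "suspicious activity after Script Editor execution" hunt the researchers recommend. The newline-delimited JSON schema (`ts`, `pid`, `ppid`, `image`), the sample events and the 60-second window are assumptions of this example.

```python
"""Detect the Reaper infection chain in process telemetry: a Script Editor or
osascript process whose descendants run curl and then zsh shortly afterwards.
Added example; not SentinelOne's code. Event schema and window are assumptions."""
import json

SCRIPT_HOSTS = {"Script Editor", "osascript"}   # where the AppleScript runs
FETCH_TOOLS = {"curl"}                          # report: payload fetched with curl
SHELLS = {"zsh"}                                # report: executed silently via zsh
WINDOW_SECONDS = 60                             # assumption


def parse_events(text):
    """Parse newline-delimited JSON events (constructed schema: ts, pid, ppid, image)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def _ancestors(event, by_pid):
    """Walk ppid links upward; guard against cycles in malformed telemetry."""
    out, p = [], event["ppid"]
    while p in by_pid and p not in out:
        out.append(p)
        p = by_pid[p]["ppid"]
    return out


def find_chains(events, window=WINDOW_SECONDS):
    """Return one hit per (script host, curl, shell) triple where the shell
    started within `window` seconds after curl and both descend from the host."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for host in (e for e in events if e["image"] in SCRIPT_HOSTS):
        desc = [e for e in events if host["pid"] in _ancestors(e, by_pid)]
        fetches = [e for e in desc if e["image"] in FETCH_TOOLS]
        shells = [e for e in desc if e["image"] in SHELLS]
        for f in fetches:
            for s in shells:
                if 0 <= s["ts"] - f["ts"] <= window:
                    hits.append({"host_pid": host["pid"],
                                 "curl_pid": f["pid"],
                                 "shell_pid": s["pid"]})
    return hits


# Constructed sample: one Reaper-like chain (Script Editor -> sh -> curl, zsh),
# one ordinary Terminal session, and an osascript run with no download.
SAMPLE_EVENTS = """
{"ts": 100, "pid": 500, "ppid": 1,   "image": "Script Editor"}
{"ts": 105, "pid": 501, "ppid": 500, "image": "sh"}
{"ts": 106, "pid": 502, "ppid": 501, "image": "curl"}
{"ts": 108, "pid": 503, "ppid": 501, "image": "zsh"}
{"ts": 300, "pid": 600, "ppid": 1,   "image": "Terminal"}
{"ts": 301, "pid": 601, "ppid": 600, "image": "zsh"}
{"ts": 400, "pid": 602, "ppid": 601, "image": "curl"}
{"ts": 900, "pid": 700, "ppid": 1,   "image": "osascript"}
{"ts": 901, "pid": 701, "ppid": 700, "image": "zsh"}
"""

if __name__ == "__main__":
    for hit in find_chains(parse_events(SAMPLE_EVENTS)):
        print("Reaper-style chain:", hit)
```

Only the first block of events produces a hit; a user's own `curl` from Terminal and an `osascript` that merely spawns a shell do not. Script Editor spawning a downloader is rare enough on managed fleets to be worth an alert on its own, but the curl-then-zsh ordering keeps developer automation out of the queue.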
**Geographic Targeting and Data Theft**
Before deploying its data-theft routine, the malware checks for a Russian keyboard layout or input source. If one is found, it reports a `cis_blocked` event to the command-and-control (C2) server and terminates without infecting the system.
Otherwise, **Reaper** retrieves the **AppleScript** containing the data-theft routine and runs it with the `osascript` command-line tool. The script prompts the user for their macOS password, which is then used to read Keychain items, decrypt stored credentials, and reach otherwise protected data. The infostealer targets:
* Browser data from **Google Chrome**, **Mozilla Firefox**, **Brave**, **Microsoft Edge**, **Opera**, **Vivaldi**, **Arc**, and **Orion**
* Cryptocurrency wallet browser extensions, including **MetaMask** and **Phantom**
* Password manager browser extensions, including **1Password**, **Bitwarden**, and **LastPass**
* Desktop cryptocurrency wallet applications, including **Exodus**, **Atomic Wallet**, **Ledger Live**, **Electrum**, and **Trezor Suite**
* iCloud account data
* Telegram session data
* Developer-related configuration files
**Filegrabber Module**
**Reaper** includes a "Filegrabber" module that searches the Desktop and Documents folders for file types likely to contain sensitive information. It collects matching files smaller than 2MB (up to 6MB for PNG images), with a total volume limit of 150MB.
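For incident scoping, a responder wants to know which files on a victim's Desktop and Documents fell inside those selection rules. The script below applies them and is an added example, not the malware's or SentinelOne's code. The size caps come from the report; the extension list, the walk order, and the assumption that an over-cap file is skipped while the walk continues are this example's own.

```python
"""List which files under Desktop/Documents fall inside the Filegrabber's
selection rules. Added example, not the malware's or SentinelOne's code.
Size caps are from the report; extensions and cutoff behaviour are assumptions."""
import tempfile
from pathlib import Path

MAX_FILE = 2 * 1024 * 1024      # "smaller than 2MB" (report)
MAX_PNG = 6 * 1024 * 1024       # "up to 6MB for PNG images" (report)
MAX_TOTAL = 150 * 1024 * 1024   # "total volume limit of 150MB" (report)
# Assumed extension set; the report only says "file types likely to contain sensitive information".
TARGET_EXT = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".csv",
              ".json", ".png", ".jpg", ".pem", ".key"}


def in_scope(path):
    """Per-file rule: targeted extension and under the size cap for its type."""
    if not path.is_file() or path.suffix.lower() not in TARGET_EXT:
        return False
    size = path.stat().st_size
    return size <= MAX_PNG if path.suffix.lower() == ".png" else size < MAX_FILE


def scope_exposure(roots, total_cap=MAX_TOTAL):
    """Walk the roots in order; return (taken, total_bytes, cut_by_total_cap)."""
    taken, cut, total = [], [], 0
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for p in sorted(root.rglob("*")):
            if not in_scope(p):
                continue
            size = p.stat().st_size
            if total + size > total_cap:   # assumption: over-cap file skipped, walk continues
                cut.append(p)
                continue
            taken.append(p)
            total += size
    return taken, total, cut


def demo():
    """Constructed sample tree in a temp dir; total cap lowered so the cutoff shows."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        sample = {
            "Desktop/big.pdf": 3 * 1024 * 1024,    # over the 2 MB cap: not in scope
            "Desktop/notes.txt": 1024,
            "Desktop/shot.png": 5 * 1024 * 1024,   # PNG, under its 6 MB cap
            "Documents/key.pem": 512,
            "Documents/movie.mp4": 100,            # extension not targeted
        }
        for rel, size in sample.items():
            p = base / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"\0" * size)
        taken, total, cut = scope_exposure([base / "Desktop", base / "Documents"],
                                           total_cap=5 * 1024 * 1024 + 1024 + 100)
        return [p.name for p in taken], total, [p.name for p in cut]


if __name__ == "__main__":
    print(demo())
```

On a real machine run `scope_exposure([Path.home() / "Desktop", Path.home() / "Documents"])`; the `taken` list is the set of files to treat as exfiltrated, and anything in `cut` only survived because of the 150MB ceiling, which is not a guarantee worth relying on.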

**Wallet Hijacking**
When supported wallet applications are present, **Reaper** hijacks them by terminating their processes and replacing the application's core file with a malicious `app.asar` downloaded from the C2 server. (`app.asar` is the archive in which Electron-based apps ship their JavaScript, so swapping it replaces the wallet's logic while the bundle otherwise looks intact.)
To avoid **Gatekeeper** alerts and a broken code signature on the tampered bundle, **SHub Reaper** clears the quarantine attributes with `xattr -cr` and re-signs the modified application bundle *ad hoc*, as detailed by the **SentinelOne** researchers. An ad hoc signature carries no Developer ID authority chain and no team identifier, which is the telltale a defender can check.
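An integrity check for a wallet bundle after this kind of swap, as an added example (not SentinelOne's or the malware's code): it interprets the report `codesign -dv --verbose=2` prints for the bundle, flagging an ad hoc signature or a missing Developer ID chain, and separately checks whether `Contents/Resources/app.asar` is newer than the main executable. The codesign reports and the bundle below are constructed (`ExampleWallet.app`, `com.example.wallet`), and the mtime heuristic is this example's assumption.

```python
"""Check a wallet app bundle for the app.asar swap plus ad hoc re-signing.
Added example, not SentinelOne's or the malware's code. The codesign reports
here are constructed; the app.asar mtime heuristic is an assumption."""
import os
import re
import subprocess
import tempfile
from pathlib import Path


def codesign_info(bundle):
    """Run codesign on a real bundle (macOS only); codesign writes its report to stderr."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=2", str(bundle)],
                          capture_output=True, text=True)
    return proc.stderr


def signature_findings(codesign_output):
    """A shipped wallet carries a Developer ID chain and a TeamIdentifier; a bundle
    re-signed ad hoc after tampering reports Signature=adhoc and has neither."""
    f = []
    if re.search(r"^Signature=adhoc$", codesign_output, re.M):
        f.append("adhoc-signature")
    if not re.search(r"^Authority=Developer ID Application: ", codesign_output, re.M):
        f.append("no-developer-id-authority")
    if re.search(r"^TeamIdentifier=not set$", codesign_output, re.M):
        f.append("no-team-identifier")
    if "code object is not signed at all" in codesign_output:
        f.append("unsigned")
    return f


def asar_findings(bundle):
    """Heuristic (assumption): a freshly downloaded app.asar is newer than the
    executable it was installed with; an untouched bundle's files share an age."""
    bundle = Path(bundle)
    asar = bundle / "Contents" / "Resources" / "app.asar"
    macos_dir = bundle / "Contents" / "MacOS"
    if not asar.is_file() or not macos_dir.is_dir():
        return []
    exe_mtimes = [p.stat().st_mtime for p in macos_dir.iterdir() if p.is_file()]
    if exe_mtimes and asar.stat().st_mtime > max(exe_mtimes) + 60:
        return ["app.asar-newer-than-executable"]
    return []


# Constructed codesign reports; not real output for any named wallet.
GOOD_REPORT = """Executable=/Applications/ExampleWallet.app/Contents/MacOS/ExampleWallet
Identifier=com.example.wallet
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Wallet Inc (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=200
"""
ADHOC_REPORT = """Executable=/Applications/ExampleWallet.app/Contents/MacOS/ExampleWallet
Identifier=com.example.wallet
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
Info.plist entries=30
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=200
"""


def demo_asar():
    """Constructed bundle in a temp dir with app.asar touched an hour after the executable."""
    with tempfile.TemporaryDirectory() as tmp:
        b = Path(tmp) / "ExampleWallet.app"
        (b / "Contents" / "MacOS").mkdir(parents=True)
        (b / "Contents" / "Resources").mkdir(parents=True)
        exe = b / "Contents" / "MacOS" / "ExampleWallet"
        asar = b / "Contents" / "Resources" / "app.asar"
        exe.write_bytes(b"\xcf\xfa\xed\xfe")   # placeholder bytes, not a real binary
        asar.write_bytes(b"ASAR")
        later = exe.stat().st_mtime + 3600
        os.utime(asar, (later, later))
        return asar_findings(b)


if __name__ == "__main__":
    print(signature_findings(ADHOC_REPORT), demo_asar())
```

On macOS, `signature_findings(codesign_info("/Applications/<Wallet>.app"))` gives the live answer. A missing `com.apple.quarantine` attribute (`xattr -l`) is not evidence on its own, since apps installed from a `.pkg` never carried one; the ad hoc signature on a vendor-distributed wallet is the stronger signal.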

**Persistence and Remote Access**
**SentinelOne** warns that the malware establishes persistence by dropping a script that impersonates the **Google** software updater and registering it as a LaunchAgent. The agent runs the script every minute as a beacon that sends system information to the C2. If the response contains a payload, the script decodes and executes it in the context of the current user and then deletes the file, giving the attacker extended access to the machine.
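A hunt over `~/Library/LaunchAgents` for exactly this pattern, as an added example (not SentinelOne's code): a vendor-namespaced label whose program lives outside that vendor's paths, an interpreter launching a script, and a `StartInterval` of a minute or less. The vendor-path rules, the interpreter list, and both sample plists (`com.google.softwareupdate`, `com.google.updater`, the `/Users/alice/...` paths) are constructed assumptions of this example.

```python
"""Flag LaunchAgents that look like Reaper's fake Google updater: vendor label,
non-vendor program path, interpreter-run script, one-minute StartInterval.
Added example, not SentinelOne's code. Vendor rules and samples are assumptions."""
import plistlib
import re
from pathlib import Path

# Assumption: programs under these label namespaces are expected under these paths.
VENDOR_PATH_RULES = {
    "com.google.": re.compile(r"^(/Users/[^/]+|~)?/Library/Google/|^/Applications/Google "),
    "com.apple.": re.compile(r"^/(System|usr|Library/Apple)/"),
}
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3"}
BEACON_INTERVAL = 60   # seconds; Reaper's agent fires every minute (from the report)


def launch_agent_findings(plist_bytes):
    """Return a list of finding tags for one LaunchAgent plist."""
    d = plistlib.loads(plist_bytes)
    label = d.get("Label", "")
    args = list(d.get("ProgramArguments") or [])
    if "Program" in d:
        args.insert(0, d["Program"])
    findings = []
    if not args:
        return findings
    executable = args[0]
    paths = [a for a in args if a.startswith(("/", "~"))]
    if executable in INTERPRETERS and len(args) > 1:
        findings.append("interpreter-runs-script")
        paths = [p for p in paths if p != executable]   # judge the script, not /bin/zsh
    for ns, rule in VENDOR_PATH_RULES.items():
        if label.startswith(ns) and any(not rule.search(p) for p in paths):
            findings.append("vendor-label-outside-vendor-path")
    interval = d.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= BEACON_INTERVAL:
        findings.append("beacon-interval")
    return findings


def scan_launch_agents(directory="~/Library/LaunchAgents"):
    """Map every *.plist in a LaunchAgents directory to its findings (real use)."""
    out = {}
    for p in sorted(Path(directory).expanduser().glob("*.plist")):
        try:
            out[p.name] = launch_agent_findings(p.read_bytes())
        except Exception as exc:   # an unparsable plist is itself worth a look
            out[p.name] = [f"unparsable: {exc}"]
    return out


# Constructed samples, serialised the way they would sit on disk (XML plists).
SUSPICIOUS = plistlib.dumps({
    "Label": "com.google.softwareupdate",
    "ProgramArguments": ["/bin/zsh",
                         "/Users/alice/Library/Application Support/.update/GoogleSoftwareUpdate.sh"],
    "StartInterval": 60,
    "RunAtLoad": True,
})
BENIGN = plistlib.dumps({
    "Label": "com.google.updater",
    "ProgramArguments": ["/Users/alice/Library/Google/GoogleSoftwareUpdate/Updater.app/Contents/MacOS/Updater",
                         "--check"],
    "StartInterval": 3600,
})

if __name__ == "__main__":
    print(launch_agent_findings(SUSPICIOUS), launch_agent_findings(BENIGN))
    print(scan_launch_agents())
```

`scan_launch_agents()` on a suspect Mac returns a name-to-findings map; any entry with all three tags matches the behaviour described above, while a single `beacon-interval` on its own is common enough in legitimate agents that it should only raise priority, not alert by itself.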
**SentinelOne** highlights that the **SHub** operator is expanding the infostealer's capabilities to include remote access to compromised devices, potentially allowing for the deployment of additional malware.
**Indicators of Compromise (IOCs)**
**SentinelOne** has provided a set of indicators of compromise to aid defenders in protecting against this new **SHub Reaper** variant. They recommend monitoring for suspicious outbound traffic after Script Editor execution and new LaunchAgents or related files in the namespace of trusted vendors.