New macOS Malware 'Reaper' Aggressively Targets Crypto, Passwords via Fake Software Updates
June 5, 2026
A macOS malware campaign named Reaper updates SHub Stealer to aggressively harvest crypto, passwords, and more by abusing the Script Editor through a fake download/update flow on fake websites.
Prior SHub Stealer variants already scraped macOS Keychains, iCloud data, Telegram sessions, and browser data; Reaper expands these capabilities significantly.
Reaper spreads via spoofed websites that mimic legitimate software, using a one-click Script Editor payload to automate infection without prompting users for input.
Protection tips urge sourcing apps from official stores, avoiding suspicious sites and auto-opening tools, enabling multi-factor authentication, keeping the OS updated, and storing crypto on offline devices.
This is the third automated distribution wave in under two months, prompting warnings to verify URLs, avoid entering passwords in unexpected prompts, and use security software to detect hidden scripts.
The malware searches Desktop and Documents for valuable files, compresses and exfiltrates them, and installs a hidden backdoor disguised as a software update service for persistence.
The campaign popularizes a ClickFix technique, exploiting user trust to prompt normal-looking actions rather than directly compromising the OS.
To avoid infecting certain systems, the malware checks the system keyboard layout and aborts on Russian layouts; on other systems it prompts for a system password to escalate privileges.
A permanent backdoor is maintained via a fake Google Software Update directory to sustain remote access.
Persistence is achieved by dropping an encoded bash script and registering it as a LaunchAgent to run in the background.
IoCs include defanged domains and file paths tied to the malware, a fake Apple security update link, and a compromised GoogleUpdate-related directory and launch agents.
Stolen data is exfiltrated with curl to an attacker-controlled server, and a disguised Google update service backdoor survives reboots.
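The persistence described above (a bash script registered as a LaunchAgent and dressed up as a Google update service) can be hunted by auditing LaunchAgent definitions. The following is an added example, not code from the cited reports: the heuristics, function names and sample plists are assumptions constructed for illustration and are not the campaign's actual indicators.

```python
import plistlib

SHELLS = {"sh", "bash", "zsh"}            # interpreters a real updater rarely launches directly
RISKY = ("base64", "curl", "osascript")   # heuristic tokens, an assumption of this example

def audit_launch_agent(plist_bytes):
    """Return the reasons a LaunchAgent definition deserves a manual look."""
    job = plistlib.loads(plist_bytes)
    args = [str(a) for a in job.get("ProgramArguments", [])]
    if "Program" in job and not args:
        args = [str(job["Program"])]
    if not args:
        return []
    exe = args[0].rsplit("/", 1)[-1]
    text = " ".join(args).lower()
    label = str(job.get("Label", "")).lower()
    reasons = []
    if exe in SHELLS:
        reasons.append("launches a shell interpreter")
        # A job branded as a vendor updater that just runs a script is the
        # disguise pattern the summary describes.
        if "google" in label or "google" in text:
            reasons.append("vendor-branded job runs a shell script")
        if any("/users/" in a.lower() or a.startswith("~") for a in args[1:]):
            reasons.append("script lives in a user-writable home directory")
    reasons += [f"command line mentions {t}" for t in RISKY if t in text]
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts automatically at login")
    return reasons

def make_sample(label, args):
    """Build a constructed LaunchAgent plist for the demonstration."""
    return plistlib.dumps({"Label": label, "ProgramArguments": args, "RunAtLoad": True})

# Constructed samples: labels and paths are placeholders, not real IoCs.
SUSPECT = make_sample(
    "com.google.update.example",
    ["/bin/bash", "/Users/alice/Library/Application Support/Google/ExampleUpdate/run.sh"],
)
BENIGN = make_sample(
    "com.example.helper",
    ["/Applications/Example.app/Contents/MacOS/helper", "--background"],
)

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, audit_launch_agent(blob))
```

On a real host, feed it the bytes of each file under `~/Library/LaunchAgents` and `/Library/LaunchAgents`; a hit is a prompt for manual review, not a verdict.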
Summary based on 4 sources
Sources

Cyber Security News • Jun 5, 2026
New SHub Stealer Malware Expands Attacks on Browsers and Wallets
Hackread • Jun 5, 2026
Reaper macOS Infostealer Abuses Script Editor to Steal Crypto and Passwords
SecNews.gr • Jun 5, 2026
SHub Stealer: New Version Targets Popular Browsers & Crypto Wallets
Cryptika Cybersecurity • Jun 5, 2026
New SHub Stealer Variant Malware Targets Chrome, Firefox, Brave, Edge, Opera, and Crypto Wallets