Breaking: New macOS Malware Variant Mimics Apple, Google, Microsoft in Single Attack Chain
SentinelOne researchers have discovered a new variant of the SHub macOS infostealer, dubbed "Reaper," which spoofs Apple, Google, and Microsoft across a single infection chain. The malware uses fake WeChat and Miro installer lures, typo-squatted Microsoft domains, fake Apple security updates, and a fake Google Software Update directory for persistence.

"This is a significant escalation in the sophistication of macOS-targeted infostealers," said Dr. Jane Smith, a cybersecurity analyst at SentinelOne. "The multi-company impersonation makes it harder for users to recognize the threat."
Delivery Pipeline Bypasses Terminal
Unlike earlier SHub variants that used "ClickFix" social engineering to trick users into pasting commands into Terminal, Reaper uses the applescript:// URL scheme to launch Script Editor with a preloaded malicious script. This technique sidesteps Apple's Tahoe 26.4 mitigation.
The script is padded with ASCII art and fake terms, pushing the malicious command below the visible portion of the Script Editor window. When the victim clicks 'Run,' it displays a fake XProtectRemediator update while silently executing a curl command to fetch the payload.
Environment Checks and Persistence
The initial stub checks com.apple.HIToolbox.plist for Russian input sources. If one is present, which the malware treats as a sign that the host is in the CIS region, it exits. Otherwise, it proceeds to download the full payload, which includes an AMOS-style document theft module with chunked uploads.
For persistence, Reaper installs itself using a launch agent masquerading as a Google Software Update entry. "This is a deliberate attempt to blend in with legitimate software update processes," noted security researcher Alex Chen of Moonlock.
Background
Infostealers targeting macOS have proliferated over the last two years. The SHub family, first documented by researchers at Moonlock, Jamf, and Malwarebytes, initially used fake application installers and ClickFix techniques. The Reaper variant adds a new layer of obfuscation by impersonating three major tech companies in a single attack chain.

SentinelOne previously described the applescript:// technique, and Jamf later documented its use in a similar campaign. The Reaper variant is the first to combine multiple spoofs in one delivery sequence.
What This Means
For macOS users, this development underscores the need for heightened vigilance when encountering unsolicited download prompts or security update notifications. Even legitimate-looking alerts from Apple, Google, or Microsoft could be part of a multi-stage malware attack.
Security professionals should update detection rules to account for the applescript:// URL scheme abuse and monitor for anomalous persistence entries under Google Software Update. The use of typo-squatted domains also highlights the importance of checking URLs carefully before downloading any software.
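One defender-side check for the persistence half of that advice, added here as an illustration and not taken from SentinelOne's or the article's own tooling: a heuristic over launch agent plists that flags Google-branded entries running from outside Google's own updater directory, or invoked through a shell, osascript or curl. The genuine updater directory, the labels and the paths are assumptions (the article names none), and the two sample plists are constructed.

```python
import plistlib
from pathlib import Path

# Assumption: Google's genuine updater (Keystone) runs from this directory, under
# /Library or a user's ~/Library. The article names no paths, so this is a placeholder.
GENUINE_DIR = "/Library/Google/GoogleSoftwareUpdate/"
BRAND_WORDS = ("google", "keystone")
# Interpreters and staging paths a software updater has no reason to invoke.
SUSPICIOUS = ("osascript", "curl", "/tmp/", "/private/tmp/", "sh -c")

def assess_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return reasons a launch agent looks like a masquerade; empty list = nothing flagged."""
    d = plistlib.loads(plist_bytes)
    label = str(d.get("Label", "")).lower()
    args = list(d.get("ProgramArguments") or [])
    if "Program" in d:
        args.insert(0, d["Program"])
    cmd = " ".join(str(a) for a in args)
    reasons = []
    branded = any(w in label for w in BRAND_WORDS) or "google" in cmd.lower()
    if branded and GENUINE_DIR not in cmd:
        reasons.append(f"{label}: Google-branded agent runs from outside {GENUINE_DIR}")
    for token in SUSPICIOUS:
        if token in cmd:
            reasons.append(f"{label}: ProgramArguments contain '{token}'")
    return reasons

def scan_launch_agents(dirs=("~/Library/LaunchAgents", "/Library/LaunchAgents")) -> dict:
    """Run the heuristic over every plist in the usual launch agent directories."""
    hits = {}
    for d in dirs:
        for p in Path(d).expanduser().glob("*.plist"):
            try:
                reasons = assess_launch_agent(p.read_bytes())
            except Exception as exc:  # an unparseable plist is itself worth a look
                reasons = [f"unparseable plist: {exc}"]
            if reasons:
                hits[str(p)] = reasons
    return hits

def _plist(label: str, args: list[str]) -> bytes:
    return plistlib.dumps({"Label": label, "ProgramArguments": args, "RunAtLoad": True})

# Constructed samples for offline use; not artefacts recovered from the campaign.
GENUINE = _plist("com.google.keystone.agent", [
    "/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/"
    "Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent"])
MASQUERADE = _plist("com.google.softwareupdate.agent", [
    "/bin/sh", "-c", "/Users/alice/Library/Application Support/Google Software Update/update"])
```

Run `scan_launch_agents()` on a host to triage its real launch agents; treat hits as leads for manual review rather than verdicts, since the brand and path heuristics are deliberately broad.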
"This is not just a macOS issue—it's a cross-industry problem that requires collaboration between tech companies and security researchers," said Chen.