
Reaper Uses Script Editor to Target Mac Wallets


A new macOS infostealer called Reaper is targeting crypto users by abusing Apple’s built-in Script Editor instead of the Terminal commands used in earlier social-engineering attacks. SentinelOne identified the malware as a new SHub variant.

The campaign uses fake WeChat and Miro download pages to lure victims, then switches between Apple, Microsoft and Google branding during the attack chain. The malware is built to steal browser credentials, wallet data, password-manager information and sensitive files.

Script Editor Replaces Terminal Prompts

Older SHub attacks relied on ClickFix-style prompts that pushed users to paste commands into Terminal. Reaper changes that flow by using the applescript:// URL scheme to open macOS Script Editor with malicious AppleScript already loaded.

The malicious command is hidden below ASCII art and fake installer text, so users may only see harmless-looking content when the window opens. If the victim clicks Run, the script shows a fake Apple XProtectRemediator update message while fetching the next-stage payload.

Fake Download Pages Check Wallet Extensions

The fake download sites profile visitors before launching the payload. SentinelOne said the pages collect IP addresses, location data, browser details, WebGL fingerprinting data and signs of virtual machines or VPNs.

The scripts also check for browser extensions tied to password managers and crypto wallets, including 1Password, Bitwarden, LastPass, MetaMask and Phantom. The collected data is sent to the operators through a Telegram bot.

Reaper Targets Exodus and Ledger Live

After execution, Reaper asks for the user’s macOS password. The malware then uses it to access protected data such as Keychain items, stored credentials, browser data, iCloud account data, Telegram sessions and developer configuration files.

Reaper also targets desktop wallet apps including Exodus, Atomic Wallet, Ledger Live, Electrum and Trezor Suite. When it finds a targeted wallet, it can shut down the app and replace its core app.asar file with a malicious version from its command-and-control server.

Fake Google Updater Runs Every 60 Seconds

Reaper does not only steal data during the first run. It creates a fake Google Software Update directory and registers a LaunchAgent named to look like Google’s update system. The LaunchAgent runs every 60 seconds.

That persistence gives attackers a continuing backdoor. If the server returns a new payload, the malware can decode and run it with the infected user’s privileges.

Unexpected Script Editor Prompts Are the Warning

The warning for Mac crypto users is simple: a website that opens Script Editor and asks the user to click Run should be treated as malicious.

Security teams should watch for unusual Script Editor activity, browser-to-AppleScript execution chains, osascript spawning shell commands, suspicious outbound traffic after Script Editor execution and new LaunchAgents using trusted vendor names.
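The persistence described above (a LaunchAgent that borrows a vendor's name, fires every 60 seconds and runs a program from a user-writable location) can be triaged from the plist files themselves. The following is an added example, not code from SentinelOne or the article; the vendor word list, the path hints and the "short interval plus one more sign" rule are my own heuristics, and the sample agents are constructed, not real indicators.

```python
import plistlib
import tempfile
from pathlib import Path

# Heuristic thresholds are my assumptions; only the 60-second interval comes from the article.
VENDOR_WORDS = ("google", "apple", "microsoft")
SHORT_INTERVAL_SECONDS = 60
USER_WRITABLE_HINTS = ("/Users/", "/tmp/", "/var/folders/")


def agent_findings(plist):
    """Return the reasons a LaunchAgent dict resembles fake-updater persistence."""
    reasons = []
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and interval <= SHORT_INTERVAL_SECONDS:
        reasons.append(f"short StartInterval ({interval}s)")
    label = str(plist.get("Label", "")).lower()
    if any(word in label for word in VENDOR_WORDS):
        reasons.append("label borrows a trusted vendor name")
    args = plist.get("ProgramArguments") or []
    program = str(plist.get("Program") or (args[0] if args else ""))
    if any(hint in program for hint in USER_WRITABLE_HINTS):
        reasons.append(f"program in user-writable path ({program})")
    return reasons


def scan_launch_agents(directory):
    """Map filename -> reasons for agents that fire on a short interval plus one other sign."""
    hits = {}
    for path in sorted(Path(directory).glob("*.plist")):
        with open(path, "rb") as f:
            reasons = agent_findings(plistlib.load(f))
        # the short-interval reason, when present, is always first in the list
        if len(reasons) >= 2 and reasons[0].startswith("short StartInterval"):
            hits[path.name] = reasons
    return hits


def demo():
    """Constructed sample, not real IoCs: one vendor-mimicking agent, one benign agent."""
    fake = {"Label": "com.google.SoftwareUpdate.agent", "StartInterval": 60,
            "ProgramArguments": ["/Users/alice/Library/Google Software Update/update.sh"]}
    benign = {"Label": "com.example.backup", "StartInterval": 3600,
              "ProgramArguments": ["/usr/local/bin/backup", "--quiet"]}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in ((fake["Label"] + ".plist", fake), (benign["Label"] + ".plist", benign)):
            with open(Path(tmp) / name, "wb") as f:
                plistlib.dump(data, f)
        return scan_launch_agents(tmp)
```

On a real host, point `scan_launch_agents` at `~/Library/LaunchAgents`; a legitimate per-user vendor agent will also sit under /Users, so the short interval is what separates it from the fake updater here.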
