Overview
- SentinelOne disclosed Monday that a new SHub variant dubbed Reaper opens Script Editor via applescript://, sidestepping macOS Tahoe 26.4 protections that target Terminal paste attacks.
- The lure begins on fake WeChat or Miro download pages hosted on typo-squatted domains such as mlcrosoft.co.com that fingerprint visitors, check for VMs or VPNs, and halt on Russian hosts.
- After victims click Run in Script Editor, a fake XProtectRemediator update appears as the malware fetches payloads, prompts for the Mac password, and unlocks Keychain and browser data.
- Reaper steals credentials and wallet data, adds a Filegrabber that zips and uploads targeted Desktop and Documents files in chunks with a total cap near 150 MB, and swaps wallet app files with a malicious app.asar while clearing quarantine and using ad-hoc signing.
- It maintains access with a LaunchAgent that imitates GoogleUpdate and beacons every 60 seconds for commands. Researchers shared indicators of compromise and urge users to avoid untrusted installers, close Script Editor if a link opens it, and watch for new LaunchAgents.
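As an added, defender-side example (not code from SentinelOne's report), the check below applies the two LaunchAgent traits the summary gives, a GoogleUpdate-imitating name and a 60-second beacon, to LaunchAgent plists. The expected install prefix, the suspect path prefixes and both sample plists are constructed assumptions, not indicators from the report.

```python
import glob
import os
import plistlib

# Heuristics from the summary: the agent imitates GoogleUpdate and beacons every 60 s.
# Thresholds, prefixes and samples below are assumptions for this example, not report IoCs.
NAME_FRAGMENTS = ("googleupdate", "google-update", "google_update")
BEACON_INTERVAL_MAX = 60                      # seconds, per the reported beacon period
EXPECTED_GOOGLE_PREFIX = "/Library/Google/"   # assumed prefix of a genuine installer
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")

def assess_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means nothing odd."""
    agent = plistlib.loads(plist_bytes)
    label = str(agent.get("Label", "")).lower()
    args = agent.get("ProgramArguments") or []
    program = str(agent.get("Program") or (args[0] if args else ""))
    findings = []
    # A GoogleUpdate-looking name whose binary is not under the expected prefix.
    if any(f in label or f in program.lower() for f in NAME_FRAGMENTS) \
            and EXPECTED_GOOGLE_PREFIX not in program:
        findings.append(f"GoogleUpdate-like agent outside {EXPECTED_GOOGLE_PREFIX}: {program}")
    # A tight StartInterval matches the reported 60-second command beacon.
    interval = agent.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= BEACON_INTERVAL_MAX:
        findings.append(f"StartInterval of {interval}s is consistent with C2 beaconing")
    # Binaries launched from temp or shared directories rarely belong to real updaters.
    if program.startswith(SUSPECT_PREFIXES):
        findings.append(f"program runs from a temporary or shared location: {program}")
    return findings

# Constructed samples (not real indicators): one shaped like the reported agent, one benign.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.google.GoogleUpdate.agent</string>
<key>ProgramArguments</key><array><string>/Users/Shared/.update/GoogleUpdate</string></array>
<key>RunAtLoad</key><true/><key>StartInterval</key><integer>60</integer></dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
<key>StartCalendarInterval</key><dict><key>Hour</key><integer>2</integer></dict></dict></plist>"""

if __name__ == "__main__":
    print("suspect:", assess_launch_agent(SUSPECT_PLIST))
    print("benign: ", assess_launch_agent(BENIGN_PLIST))
    # Scan this user's own LaunchAgents; no output means nothing was flagged.
    for path in glob.glob(os.path.expanduser("~/Library/LaunchAgents/*.plist")):
        with open(path, "rb") as fh:
            found = assess_launch_agent(fh.read())
        if found:
            print(path, found)
```

The heuristics flag rather than prove: a hit should be followed by inspecting the referenced binary's signature and quarantine attribute.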