Reaper Malware Targets macOS Users with Sophisticated Credential Theft and Backdoor Installation

Regulation Reporter

A new macOS malware variant called Reaper has been discovered that targets users by spoofing trusted domains, stealing passwords and cryptocurrency wallets, and installing persistent backdoors on infected systems.

Do Fear the Reaper: New macOS Malware Steals Credentials, Wallets, and Creates Backdoors

A new infostealer variant named Reaper is targeting macOS users with a sophisticated attack that spoofs trusted domains including Apple, Microsoft, and Google. The malware, an updated version of SHub stealer, specifically targets password managers and cryptocurrency wallets while establishing persistent backdoors on compromised systems.

Attack Vector and Initial Infiltration

The attack begins with fake WeChat and Miro installer websites hosted on domains designed to establish user trust through typo-squatting, such as mlcrosoft[.]co[.]com. When users visit these malicious pages, hidden JavaScript gathers extensive system information including IP address, location, WebGL fingerprinting data, and indicators of virtual machines or VPNs.

Notably, the attack automatically terminates if the victim is located in Russia, suggesting possible geopolitical targeting or avoidance of certain regions with heightened security awareness.

Bypassing macOS Security Defenses

Unlike earlier macOS stealer campaigns that relied on ClickFix social engineering tactics to trick users into executing commands in Terminal, Reaper bypasses Terminal altogether. This approach defeats security enhancements Apple introduced in macOS version 26.4.

The malware uses Apple's Script Editor, pre-populated with a malicious payload, to execute its attack. When users click on a specially crafted link (heavily padded with ASCII art and fake terms to hide the malicious command), they're presented with a popup message claiming to be a security update for Apple's XProtectRemediator tool. Instead of updating security software, the malware executes a curl command to download a shell script and prompts users to enter their login credentials, information that is immediately scraped and used to decrypt stored credentials.

Comprehensive Data Theft

Reaper extends beyond earlier SHub variants by implementing a filegrabber that searches for files containing business or financial information in users' Desktop and Document folders—a functionality similar to that seen in Atomic macOS Stealer (AMOS).

The malware specifically targets several desktop cryptocurrency tools including:

  • Exodus
  • Atomic Wallet
  • Ledger Wallet
  • Ledger Live
  • Trezor Suite

When these wallets are detected, Reaper injects them with malware to ensure continued theft of funds. The malware also harvests browser data, macOS Keychain and iCloud account data, and Telegram session data.

Persistent Backdoor Installation

Perhaps most concerning is Reaper's ability to establish persistence on infected systems. It creates a directory structure designed to mimic Google Software Update at ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/.

"The LaunchAgent executes the target script GoogleUpdate every 60 seconds," explains SentinelOne research engineer Phil Stokes. "The script functions as a beacon, sending system details to the C2's /api/bot/heartbeat endpoint."

This backdoor allows attackers to remotely execute code on compromised systems with the user's privileges. If the attacker-controlled server sends a "code" payload, the script decodes it, writes it to a hidden file, executes the code, and then deletes the file—leaving no trace of the execution.

Security Implications

The backdoor capability gives malware operators multiple ways to steal additional data or pivot to other malicious installations after the initial compromise. This persistence makes detection and removal significantly more challenging for security professionals and affected users.

The attack demonstrates a concerning evolution in macOS malware, combining social engineering, system exploitation, and persistence techniques to create a comprehensive threat that goes beyond simple data theft.

Protection Recommendations

For macOS users concerned about the Reaper malware, security experts recommend the following protective measures:

  1. Verify software sources: Only download applications from official app stores or verified developer websites
  2. Exercise caution with installation prompts: Never enter credentials unless absolutely certain of the application's legitimacy
  3. Keep systems updated: Ensure macOS and all applications are updated to the latest versions
  4. Use security software: Implement reputable endpoint protection solutions that can detect and block macOS threats
  5. Regularly audit systems: Monitor for unusual processes and persistence entries, especially those mimicking legitimate software like GoogleUpdate
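As an added example that is not part of the article or of SentinelOne's analysis, the following Python audits a LaunchAgents directory for the persistence pattern described above: a program living under the look-alike GoogleUpdate.app path the article names, or a sub-minute StartInterval beacon launched from the user's Application Support folder. The home directory, plist labels and file names in demo() are constructed, and the function name audit_launch_agents is my own.

```python
# Added example (not from the article or SentinelOne): audit LaunchAgent
# plists for the GoogleUpdate look-alike persistence the article describes.
import os
import plistlib
import tempfile

# Path the article reports Reaper using for its fake Google Software Update.
SUSPECT_DIR = "Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS"

def _program_path(plist):
    """Executable a LaunchAgent plist runs ('' if none is set)."""
    args = plist.get("ProgramArguments") or []
    return plist.get("Program") or (args[0] if args else "")

def audit_launch_agents(agents_dir):
    """Return (plist name, reason) pairs for agents worth a closer look:
    a program under the look-alike GoogleUpdate.app path from the article,
    or a short StartInterval beacon run from the user's Application Support."""
    findings = []
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(agents_dir, name), "rb") as fh:
                plist = plistlib.load(fh)
        except (plistlib.InvalidFileException, OSError):
            findings.append((name, "unreadable plist"))
            continue
        prog = _program_path(plist)
        interval = plist.get("StartInterval")
        if SUSPECT_DIR in prog:
            findings.append((name, "program under user-writable GoogleUpdate.app path"))
        elif isinstance(interval, int) and interval <= 60 and "Application Support" in prog:
            findings.append((name, f"beacon-style StartInterval={interval}"))
    return findings

def demo():
    """Write a constructed Reaper-style plist plus a benign one, then audit them."""
    home = "/Users/example"  # constructed home directory, not from the article
    bad = {"Label": "com.google.softwareupdate", "StartInterval": 60,
           "ProgramArguments": [f"{home}/{SUSPECT_DIR}/GoogleUpdate"]}
    good = {"Label": "com.example.backup", "StartInterval": 3600,
            "ProgramArguments": ["/usr/local/bin/backup"]}
    with tempfile.TemporaryDirectory() as d:
        for fname, data in (("com.google.softwareupdate.plist", bad),
                            ("com.example.backup.plist", good)):
            with open(os.path.join(d, fname), "wb") as fh:
                plistlib.dump(data, fh)
        return audit_launch_agents(d)
```

On a real Mac, point audit_launch_agents at ~/Library/LaunchAgents (an assumption about where such an agent would be registered; the article does not say) and treat any hit as a starting point for manual review rather than proof of infection.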

Organizations should additionally implement:

  • Application whitelisting
  • Network segmentation to limit lateral movement
  • Employee security awareness training focused on recognizing sophisticated social engineering attacks

The Reaper malware represents a significant threat to macOS users, combining multiple attack techniques in a single package. As Apple continues to enhance macOS security, malware authors are simultaneously developing more sophisticated methods to bypass these protections, creating an ongoing cat-and-mouse game between security professionals and cybercriminals.

For more technical details about the Reaper malware, SentinelOne's blog post provides additional analysis of the attack chain and mitigation strategies.
