Mac users beware — this devious new infostealer malware disguises itself as official Apple tools to lure in victims

News
By published

SentinelOne found a new variant of the SHub macOS infostealer

The menu bar running in macOS.
(Image credit: Berat Bozkurt on Unsplash)
  • SentinelOne uncovers new SHub macOS infostealer variant dubbed Reaper, spread via typosquatted WeChat and Miro domains
  • The malware disguises itself with fake Apple and Google update components, establishing persistence and backdoor access
  • Reaper targets browser credentials, crypto wallets, password managers, and sensitive documents, with signs of Russian‑speaking operators avoiding CIS systems

Cybersecurity researchers from SentinelOne have discovered a new variant of the notorious SHub macOS infostealer malware called ‘Reaper’.

In a new report SentinelOne said it observed typosquatted domains spoofing popular apps WeChat (a popular Chinese messaging and social media app) and Miro (an online visual collaboration and whiteboard platform).

Victims using macOS and looking to install these apps will trigger an infection chain that constantly changes its disguise to make the malware look legitimate at every stage of attack. After launching the script, it will display a fake update message referencing Apple’s XProtectRemediator security tool, and after infecting the system, it will establish persistence by creating files and folders designed to look like a genuine Google software update component.

Latest Videos From

Avoiding the Russians

It will store a backdoor in a fake “GoogleUpdate” directory and register a LaunchAgent named “com.google.keystone.agent.plist,” the researchers said.

The goal of the campaign is to steal credentials and sensitive files, as well as cryptocurrency wallets. While SentinelOne does not attribute the attack to any specific group or threat actor, it did say there were several hints suggesting the operators may be Russian speaking (or are, at least, trying to avoid targets in former Soviet states).

The malware checks whether the infected system uses Russian input sources and exits if it detects systems in the CIS (Commonwealth of Independent States) region. SentinelOne also said that when they tried to bypass the malware’s anti-analysis protection, a fake website displayed a Russian “Access Denied” message.

The Reaper variant primarily targets web browsers, cryptocurrency wallets, and applications that may contain financial or business-related data, stealing browser credentials, crypto wallet data, login keychains, Telegram session data, and documents from the Desktop and Documents folders.

It also searches for browser extensions linked to password managers such as 1Password, Bitwarden, and LastPass, along with cryptocurrency wallets like MetaMask and Phantom.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.