HTML source code showing the construction of the malicious AppleScript | Image: SentinelOne
Information stealers targeting macOS have continued to proliferate over the last two years, with threat actors iterating on successful techniques across related malware families. The latest escalation comes from a newly discovered variant of the SHub Stealer framework, tracked under the build tag “Reaper”.
Uncovered in the wild by SentinelOne, the Reaper campaign marks a clear departure from the noisy social-engineering flows used by earlier builds, introducing a multi-stage delivery pipeline engineered to slip quietly past Apple's current operating system safeguards.
As the SentinelOne research team highlights:
“Reaper uses fake WeChat and Miro installers as lures, but what stands out is the way the infection chain shifts its disguise at each stage.”
Historically, SHub builds relied on “ClickFix” tactics where victims were tricked into manually copying and pasting malicious commands straight into the macOS Terminal console. The Reaper variant abandons this approach entirely to bypass the latest security barriers:
“…this variant uses a delivery mechanism that bypasses Terminal entirely and sidesteps Apple's Tahoe 26.4 mitigation for those attack flows.”
Instead of forcing text interaction, the infection vector wraps its payload inside a seemingly normal, signed application installer disguised as standard collaboration tools like Miro or WeChat. Once executed, the multi-stage delivery pipeline cycles through a sequence of deceptive brand masks to hide its operational footprint from network administrators and local file scanners:
- Hosting Layer: The secondary payload packages are hosted on typo-squatted web domains mimicking legitimate Microsoft infrastructure.
- Execution Layer: The downloaded payload executes in the background under the guise of an authentic Apple security update.
- Persistence Layer: The malware hides its primary execution assets inside a fraudulent Google Software Update directory context.
Once active on the host machine, Reaper runs a local configuration sweep that targets typical info-stealer objectives: vacuuming system profiles, local browser credential vaults, session cookies, and cryptocurrency wallet keys.
However, the defining upgrade in the Reaper build tag is a dedicated document collection routine modeled after the prominent Atomic macOS Stealer (AMOS). The module searches local user paths for high-value text documents, PDFs, spreadsheets, and database files. To avoid heavy outbound data spikes that would trip local data loss prevention (DLP) or firewall anomaly rules, the loader fragments its stolen cargo and transmits it back to the primary gate URL (https://hebsbsbzjsjshduxbs.xyz) in chunked upload streams.
To ensure long-term visibility independent of user restarts, Reaper drops a highly persistent User LaunchAgent script onto the host. The task structure is deliberately named to blend perfectly into standard application behaviors, masquerading as a routine Google background component:

The native LaunchAgent configuration is designed to trigger this GoogleUpdate beacon script automatically every 60 seconds, logging system details and checking in with the C2 server’s /api/bot/heartbeat endpoint.
The emergence of the Reaper variant shows that macOS-focused malware is now matching the modular evasion architectures long observed in Windows environments.
To protect enterprise endpoints, defenders should look beyond basic Terminal execution boundaries. Security teams are strongly urged to restrict software installation permissions exclusively to verified enterprise application catalogs, implement strict behavior rules to catch unauthorized User LaunchAgent creations, and deploy endpoint monitoring capable of identifying rapid, programmatic file-scraping behavior targeting user document directories.
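The following is an added example, not code from SentinelOne or from the Reaper sample itself, showing how the LaunchAgent behavior described above (a Google-branded label, a script run by a shell interpreter, and a 60-second StartInterval) and the "catch unauthorized User LaunchAgent creations" recommendation can be turned into a simple triage check over ~/Library/LaunchAgents. The two plists are constructed for the example, the label, paths and script name in them are assumptions, and the 120-second threshold and the "legitimate updater lives inside GoogleSoftwareUpdate.bundle" rule are heuristics, not facts from the report.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Heuristic thresholds and name lists (assumptions, tune for your fleet).
SHORT_INTERVAL_SECONDS = 120
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl"}
LEGIT_GOOGLE_UPDATER_MARKER = "GoogleSoftwareUpdate.bundle"

# Constructed sample: a beacon-style agent modeled on the article's description.
# Label, paths and script name are made up for illustration.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.google.update.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>/Users/victim/Library/Application Support/Google/GoogleUpdate/GoogleUpdate.sh</string>
    </array>
    <key>StartInterval</key><integer>60</integer>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed sample: a benign-looking updater agent (values are assumptions,
# not a copy of any real vendor plist).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.google.keystone.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/victim/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
        <string>-runMode</string>
        <string>ifneeded</string>
    </array>
    <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""


def analyze_launch_agent(plist_bytes: bytes) -> dict:
    """Return a triage verdict for one LaunchAgent plist.

    Three independent signals are collected; two or more together mark the
    agent as suspicious, so a single short-interval updater on its own does
    not page anyone.
    """
    data = plistlib.loads(plist_bytes)
    label = str(data.get("Label", ""))
    args = [str(a) for a in data.get("ProgramArguments", [])]
    program = str(data.get("Program") or (args[0] if args else ""))
    interval = data.get("StartInterval")
    reasons = []

    # Signal 1: tight check-in cadence, as with the 60-second heartbeat.
    if isinstance(interval, int) and 0 < interval <= SHORT_INTERVAL_SECONDS:
        reasons.append(f"short StartInterval ({interval}s)")

    # Signal 2: an interpreter launching a script rather than a compiled binary.
    exe = PurePosixPath(program).name
    runs_script = exe in INTERPRETERS and len(args) > 1
    target = args[1] if runs_script else program
    if runs_script:
        reasons.append(f"interpreter {exe} running script {target}")

    # Signal 3: Google branding on the label or path, but the executable is
    # not inside the expected updater bundle (heuristic assumption).
    google_branded = "google" in label.lower() or "google" in target.lower()
    if google_branded and LEGIT_GOOGLE_UPDATER_MARKER not in target:
        reasons.append("Google-branded agent outside the GoogleSoftwareUpdate bundle")

    return {
        "label": label,
        "program": program,
        "target": target,
        "interval": interval,
        "reasons": reasons,
        "suspicious": len(reasons) >= 2,
    }


def scan_launch_agents(directory: Path) -> list[dict]:
    """Run the check over every *.plist in a LaunchAgents directory."""
    results = []
    for path in sorted(directory.glob("*.plist")):
        try:
            verdict = analyze_launch_agent(path.read_bytes())
        except Exception as exc:  # unreadable or binary-garbage plist
            verdict = {"label": path.name, "reasons": [f"parse error: {exc}"], "suspicious": True}
        verdict["path"] = str(path)
        results.append(verdict)
    return results


if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        v = analyze_launch_agent(blob)
        print(f"{name}: suspicious={v['suspicious']} reasons={v['reasons']}")
    # Against a live host: scan_launch_agents(Path.home() / "Library" / "LaunchAgents")
```

The point of requiring two signals is to keep the check usable as a scheduled EDR or osquery-style job: a legitimate updater may poll frequently, and plenty of benign agents wrap a script in /bin/sh, but a Google-branded agent that does both from a path outside the real updater bundle is the exact shape the report describes.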