SHub Reaper: How a New macOS Infostealer Tricks Users and Steals Sensitive Data

Once installed, the malware focuses on harvesting valuable user data, including:

• Browser credentials and saved passwords
• Apple Keychain entries
• iCloud-related data
• Local files and media
• Cryptocurrency wallet information and wallet applications

Security research shows that SHub‑family stealers can also access data from multiple browsers and messaging sessions and attempt to extract wallet keys or recovery phrases from crypto wallet software.

How the Multi‑Stage Attack Works

The SHub Reaper campaign relies heavily on social engineering rather than software exploits. Instead of exploiting a vulnerability directly, attackers manipulate victims into running malicious commands themselves.

A typical infection chain includes several stages.

1. Fake Software or Security Updates

Victims first encounter a fraudulent download page or update prompt posing as legitimate software or system tools. Researchers have observed lures involving:

• Fake installers for apps such as WeChat or Miro
• Websites impersonating utilities like CleanMyMac
• Pages mimicking Apple security tools or updates

To reinforce trust, some stages of the campaign host payloads on typo‑squatted domains that resemble Microsoft infrastructure or present the malware as an Apple security component.

2. “ClickFix” Social‑Engineering Trick

Many SHub-related attacks use a tactic known as ClickFix, where users are told to fix a problem or complete an installation by copying and pasting a command into Terminal.

The instructions typically claim the command will install a utility or repair an issue. Instead, it downloads and executes malicious code.

Because the user runs the command manually, the action bypasses many security warnings normally triggered when launching suspicious apps.

3. Multi‑Stage Script Execution

In documented SHub infections, the pasted command can launch a multi‑stage script chain, for example:

• An obfuscated curl command downloads a compressed loader
• The loader executes through the shell (often zsh)
• A subsequent stage runs an AppleScript payload that performs the actual malware operations

This layered structure helps conceal the attack and makes it harder for defenders to detect the full chain immediately.

What Data SHub Reaper Targets

The malware’s objective is broad data theft, focusing on assets that can be easily monetized or reused for further compromise.

Observed targets include:

• Browser passwords and stored credentials
• Apple Keychain secrets
• iCloud data and synced information
• Local files and documents
• Messaging sessions such as Telegram
• Cryptocurrency wallets and wallet applications

Some campaigns also modify or replace legitimate cryptocurrency wallet apps with trojanized versions, allowing attackers to later steal recovery phrases or funds.

Persistence and Evasion Techniques

To remain active on a compromised system, SHub Reaper reportedly installs a LaunchAgent disguised as a legitimate service such as "GoogleUpdate." This mechanism allows the malware to automatically run whenever the user logs in.

LaunchAgents are a common persistence method on macOS because they instruct the operating system to execute code during login through configuration files stored in system or user directories.

The malware also attempts to evade detection by:

• Using AppleScript and legitimate macOS processes to blend into normal system activity
• Breaking the attack into multiple script stages
• Relying on user‑initiated Terminal commands rather than traditional installers

These tactics make it harder for signature‑based tools and built‑in macOS protections to detect the infection immediately.

Why This Bypasses Some macOS Defenses

Apple includes several built‑in security systems such as Gatekeeper and XProtect, which scan downloads and apps for known malware patterns.

However, attacks like SHub Reaper avoid triggering those protections because:

• The victim runs the command manually in Terminal
• The malicious code arrives in stages
• Some components masquerade as legitimate system utilities

When malware execution begins through a user‑approved command rather than a downloaded app bundle, certain verification checks can be sidestepped.

How Mac Users Can Protect Themselves

Although the attack is sophisticated, it relies primarily on user deception, which means a few habits significantly reduce the risk.

1. Never paste commands into Terminal from websites.
If a page instructs you to copy and paste a command to fix an issue or install software, treat it as highly suspicious.

2. Install updates only through official channels.
Use macOS Software Update, the Mac App Store, or verified vendor websites rather than pop‑ups or third‑party installers.

3. Keep macOS and browsers fully updated.
Apple frequently updates security components like XProtect and XProtectRemediator to detect new malware variants.

4. Monitor sensitive accounts and wallets.
If you suspect infection, change passwords from a clean device and check cryptocurrency wallets and cloud accounts for suspicious activity.

5. Run reputable security tools.
Endpoint protection software can detect suspicious scripts, persistence mechanisms, or network activity.

The Bigger Trend: macOS Infostealers Are Growing

SHub Reaper reflects a broader shift in cybercrime. As Macs become more common in business environments, attackers increasingly develop macOS‑specific credential‑stealing malware and distribute it through social engineering rather than technical exploits.

For users, the main lesson is simple: most modern Mac malware doesn’t break in—it persuades you to let it in. Avoiding suspicious installers and Terminal commands remains the most effective defense.