macOS SHub Reaper stealer spoofs Google, Apple logins

A new macOS info-stealer dubbed SHub Reaper is being distributed through trojanized installers for popular apps including WeChat and Miro. According to analysis shared with this publication, it relies on AppleScript-based execution and spoofed Google, Microsoft and Apple login prompts to steal credentials, then backdoors the compromised Mac.

The campaign depends on users downloading fake installers that closely mimic the legitimate packages for services such as WeChat and the collaborative whiteboard tool Miro. Once a victim launches the application bundle, the malware chain abuses macOS scripting and automation rather than the "ClickFix"-style browser pop-ups seen in earlier social-engineering campaigns. Because AppleScript and the osascript interpreter are native, Apple-signed components (MITRE ATT&CK T1059.002, Command and Scripting Interpreter: AppleScript), SHub Reaper blends more easily with normal system activity and leaves fewer obvious signs of malicious behavior. The flip side for defenders is that osascript launches are still ordinary process executions, visible to endpoint security tools that consume process events, so the activity is detectable even though it does not trip file-based signatures.

SHub Reaper's most visible trick is a series of fake authentication dialogs carrying Google, Microsoft or Apple branding, timed to appear when the victim expects to sign in to services such as Gmail, Microsoft 365 or their Apple ID. Users who type passwords, one-time codes or account-recovery details into these prompts are handing over cloud and SSO credentials, giving attackers routes into corporate email, document platforms, and developer or admin accounts tied to Apple IDs. The stealer component exfiltrates captured data to attacker-controlled infrastructure, reportedly alongside system details that can be used to stage follow-on intrusions.

Beyond credential theft, the malware is reported to establish persistence on infected Macs using techniques common across the MITRE ATT&CK macOS matrix, such as launch agents (T1543.001) or login items (T1547.015) that run automatically at login. That persistence lets operators keep a foothold and deploy secondary payloads, turning what begins as a credential-stealing incident into a full backdoor compromise of the workstation. No NVD entries or CVE identifiers are associated with SHub Reaper at this stage, underscoring that this is a malware and social-engineering problem rather than a newly disclosed flaw in macOS itself.

The emergence of SHub Reaper continues a broader trend of dedicated macOS stealers and loaders targeting both consumers and enterprise users, mirroring the long-established Windows malware ecosystem. Apple's built-in protections such as Gatekeeper, notarization and XProtect (documented in the Apple Platform Security guide) blunt some commodity threats, but user-driven infections via convincing fake installers remain hard to block automatically without also disrupting legitimate software distribution. Organizations that allow employees to install collaboration tools like Miro or region-specific messaging apps like WeChat on managed Macs may therefore face disproportionate risk.

Defenders are advised to tighten macOS application controls where feasible, favoring the Mac App Store or vetted, cryptographically verified download sources and discouraging ad-driven or third-party "mirror" sites. Security teams should monitor for suspicious execution of osascript and other scripting binaries (particularly when spawned by an application running from a freshly mounted disk image or the Downloads folder), for newly written launch agents, and for unexpected prompts for cloud or Apple ID credentials, while making sure endpoint tooling is tuned for emerging macOS stealer families. User awareness remains critical: training should stress that login prompts can be spoofed, that a genuine Google or Microsoft 365 sign-in takes place in the browser or the service's own app rather than in a bare system-style dialog, and that any unexpected request for Google, Microsoft 365 or Apple account passwords, especially immediately after running an installer, should be treated as a red flag and reported to security staff.
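The two hunting checks recommended above (the launch-agent persistence described earlier and the osascript-driven credential prompts) can be expressed as a small triage script. The code below is an added example written for this article; it is not SHub Reaper's code, nor part of any vendor's analysis. It assumes the classic AppleScript idiom that macOS stealers use to draw a password box (display dialog ... with hidden answer), which the analysis does not confirm for this family, and it runs over constructed sample plists and process events rather than real artifacts from the campaign.

```python
"""Added example (not from the article or any vendor): macOS triage checks for
  1. launch agent plists that start an interpreter or reference odd paths, and
  2. osascript executions that build a password-style dialog.
Assumption: stealers draw fake logins with `display dialog ... with hidden answer`.
All sample data below is constructed for the example."""
import plistlib
import re

# Where a launch agent's program and scripts are normally expected to live.
# Assumed list; tune per fleet (e.g. add your MDM agent's install root).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
# Interpreters a persistence entry rarely needs to launch directly at login.
SCRIPT_INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python3", "curl"}
# AppleScript idiom for a masked text field, i.e. a prompt that looks like a password box.
HIDDEN_PROMPT = re.compile(r"display\s+dialog\b.*?\bwith\s+hidden\s+answer", re.I | re.S)
# Words that make such a prompt read as a cloud or Apple sign-in.
BRAND_WORDS = ("apple id", "icloud", "google", "gmail", "microsoft", "office 365", "password")
HIDDEN_DIR = re.compile(r"/\.[^/.]")  # a dot-directory component such as /Users/x/.u/


def inspect_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return reasons a LaunchAgent/LaunchDaemon plist looks suspicious (empty = clean)."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    if not args:
        return ["no Program/ProgramArguments"]
    reasons = []
    if args[0].rsplit("/", 1)[-1] in SCRIPT_INTERPRETERS:
        reasons.append(f"launches interpreter {args[0]!r} at login")
    for arg in args:
        if arg.startswith("/") and not arg.startswith(TRUSTED_PREFIXES):
            reasons.append(f"references path outside trusted locations: {arg}")
        if HIDDEN_DIR.search(arg):
            reasons.append(f"uses a hidden directory: {arg}")
    if HIDDEN_PROMPT.search(" ".join(args)):
        reasons.append("inline AppleScript builds a password-style dialog")
    return reasons


def inspect_process_event(event: dict) -> list[str]:
    """event = {"pid": n, "exe": path, "argv": [...], "parent": path}; empty list = clean."""
    if event["exe"].rsplit("/", 1)[-1] != "osascript":
        return []
    reasons = []
    script = " ".join(event["argv"][1:])  # -e fragments and/or a script path
    if HIDDEN_PROMPT.search(script):
        reasons.append("osascript builds a hidden-answer (password) dialog")
        if any(w in script.lower() for w in BRAND_WORDS):
            reasons.append("dialog text impersonates a cloud or Apple sign-in")
    parent = event.get("parent", "")
    if parent.startswith("/Volumes/") or "/Downloads/" in parent:
        reasons.append(f"spawned by a just-mounted or downloaded bundle: {parent}")
    return reasons


def triage(plists: dict[str, bytes], events: list[dict]) -> dict[str, list[str]]:
    """Run both checks; keys are plist paths or 'pid:<n>' for items with findings."""
    findings = {}
    for path, blob in plists.items():
        if reasons := inspect_launch_agent(blob):
            findings[path] = reasons
    for ev in events:
        if reasons := inspect_process_event(ev):
            findings[f"pid:{ev['pid']}"] = reasons
    return findings


# Constructed samples: a hypothetical malicious agent and a benign one.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string>
    <string>/Users/jane/Library/Application Support/.u/agent.scpt</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Backup.app/Contents/MacOS/backup-agent</string>
    <string>--quiet</string>
  </array>
</dict></plist>"""
SAMPLE_PLISTS = {"~/Library/LaunchAgents/com.example.updater.plist": SUSPICIOUS_PLIST,
                 "~/Library/LaunchAgents/com.example.backup.plist": BENIGN_PLIST}
SAMPLE_EVENTS = [  # constructed process-execution events, as an EDR would record them
    {"pid": 4242, "exe": "/usr/bin/osascript",
     "argv": ["osascript", "-e", 'display dialog "Apple ID verification required. '
              'Enter your password to continue." default answer "" with hidden answer'],
     "parent": "/Volumes/Installer/Setup.app/Contents/MacOS/Setup"},
    {"pid": 4300, "exe": "/usr/bin/osascript",
     "argv": ["osascript", "-e", 'display dialog "Backup finished" buttons {"OK"}'],
     "parent": "/Applications/Backup.app/Contents/MacOS/backup-agent"},
    {"pid": 4311, "exe": "/bin/zsh", "argv": ["zsh", "-c", "ls"],
     "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
]

if __name__ == "__main__":
    for item, reasons in triage(SAMPLE_PLISTS, SAMPLE_EVENTS).items():
        print(item)
        for r in reasons:
            print("  -", r)
```

In production the plist bytes would come from the per-user and system LaunchAgents and LaunchDaemons directories and the events from an EDR or Endpoint Security feed; the `/Volumes/` and `/Downloads/` parent check is deliberately coarse, because a legitimate installer can also run from a mounted image, so treat it as a triage prioritizer rather than a verdict.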
