SentinelOne documented Reaper, an updated SHub macOS infostealer delivered via fake WeChat and Miro installer sites that spoof trusted brands and abuse Script Editor instead of Terminal. The malware steals passwords, browser and Keychain data, Telegram sessions, and cryptocurrency wallet data, injects into some wallet apps for continued theft, and installs a LaunchAgent-backed backdoor that beacons to C2 and can execute attacker-supplied code.
Why it matters: macOS users are being targeted with a more evasive stealer that bypasses recent Apple defenses against Terminal-based social engineering. Defenders should block the typosquatted infrastructure, hunt for the fake GoogleUpdate persistence path and LaunchAgent, and warn users about malicious installer lures.
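A LaunchAgent audit that supports the hunt described above, added here as an example and not taken from the SentinelOne report: it parses LaunchAgent plists and flags Google-branded agents whose executable lives outside the vendor's install location, or keep-alive agents running from user-writable paths. The sample plists are constructed, the exact persistence path used by Reaper is not given here, and the vendor directory markers are an assumption about where legitimate Google Keystone is installed.

```python
import plistlib
from pathlib import Path

# Assumed legitimate install locations for Google's updater on macOS.
LEGIT_GOOGLE_DIRS = ("/Library/Google/", "/Applications/Google ")
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/")

# Constructed sample plists (not from the report): a legitimate-looking Keystone
# agent and a fake "GoogleUpdate" agent persisting from a user-writable directory.
SAMPLE_PLISTS = {
    "com.google.keystone.agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.google.keystone.agent</string>
<key>ProgramArguments</key><array>
<string>/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.google.update.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.google.update</string>
<key>ProgramArguments</key><array>
<string>/Users/alice/Library/Application Support/GoogleUpdate/update</string>
</array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>""",
}


def audit_launch_agent(data: bytes) -> dict:
    """Parse one LaunchAgent plist and return findings for brand-mimicking persistence."""
    p = plistlib.loads(data)
    exe = p.get("Program") or (p.get("ProgramArguments") or [""])[0]
    label = str(p.get("Label", ""))
    mimics_google = "google" in (label + exe).lower()
    in_vendor_dir = any(marker in exe for marker in LEGIT_GOOGLE_DIRS)
    findings = []
    if mimics_google and not in_vendor_dir:
        findings.append("google-branded agent runs from a non-vendor path")
    if p.get("KeepAlive") and not in_vendor_dir and exe.startswith(USER_WRITABLE_PREFIXES):
        findings.append("keep-alive agent executing from a user-writable path")
    return {"label": label, "program": exe, "suspicious": bool(findings), "findings": findings}


def audit_directory(directory: Path) -> list:
    """Audit every *.plist in a LaunchAgents directory (e.g. ~/Library/LaunchAgents)."""
    return [audit_launch_agent(f.read_bytes()) for f in sorted(directory.glob("*.plist"))]


if __name__ == "__main__":
    for name, blob in SAMPLE_PLISTS.items():
        print(name, audit_launch_agent(blob))
```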
2026.05.18
This article appears to be the initial reporting on the newly documented Reaper/SHub macOS campaign and its updated tradecraft, rather than an update to an existing tracked event.