The new SHub variant, dubbed Reaper, uses a fake macOS security update via AppleScript to install a backdoor and steal browser, wallet, and system data. It also hides its activity with anti-analysis checks, persistence via LaunchAgent, and payload delivery through Telegram-controlled infrastructure. #SHub #Reaper #SentinelOne
Key points
- Reaper is a new SHub macOS infostealer variant.
- It uses applescript:// links to open Script Editor with malicious AppleScript.
- The malware shows a fake Apple security update and executes a hidden shell script.
- It steals browser data, wallet credentials, iCloud data, Telegram sessions, and files from Desktop and Documents.
- It establishes persistence with LaunchAgents and can deliver additional payloads from C2.
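As an added defender-side example (not code from the SentinelOne report, and not built on indicators taken from it), the following Python script inventories per-user LaunchAgent plists and flags those whose load command shows the traits described above: invoking osascript, running an inline shell command, or pointing at a program in a hidden home or temp directory. The heuristic pattern list and both sample plists are constructed for illustration only; they are hypothetical, not Reaper IoCs.

```python
"""Flag suspicious per-user LaunchAgent plists on macOS.

Heuristics only: a hit means "look at this", not "this is Reaper".
Added example; pattern list and sample plists are constructed, not from the report.
"""
from __future__ import annotations

import plistlib
import re
from pathlib import Path

# Traits that, in a per-user LaunchAgent, deserve a second look.
# Hypothetical heuristic list, not indicators taken from the SentinelOne write-up.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\bosascript\b"), "invokes osascript (AppleScript at load time)"),
    (re.compile(r"\b(curl|wget)\b"), "downloads content at load time"),
    (re.compile(r"\b(ba|z)?sh\s+-c\b"), "runs an inline shell command"),
    (re.compile(r"\bbase64\b"), "decodes a base64 payload"),
    (re.compile(r"(^|[\s\"'])(/tmp|/private/tmp|/var/folders)/"), "program lives in a temp directory"),
    (re.compile(r"/Users/[^/\s\"']+/\.[^\s\"']+"), "program lives in a hidden home directory"),
]


def scan_launch_agent(data: bytes) -> list[str]:
    """Return the reasons a LaunchAgent plist looks suspicious (empty list = nothing flagged)."""
    try:
        plist = plistlib.loads(data)
    except Exception:  # InvalidFileException, ExpatError, ...: anything unparseable is itself odd
        return ["unparseable plist"]
    # launchd runs either Program or ProgramArguments; join them into one command line to inspect.
    cmd_parts = [str(p) for p in (plist.get("ProgramArguments") or [])]
    if "Program" in plist:
        cmd_parts.insert(0, str(plist["Program"]))
    command = " ".join(cmd_parts)
    reasons = [why for pattern, why in SUSPICIOUS_PATTERNS if pattern.search(command)]
    # A flagged command that is also relaunched on login and on exit is the persistence shape to worry about.
    if reasons and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad and KeepAlive set (persistent relaunch)")
    return reasons


def scan_directory(directory: Path = Path.home() / "Library" / "LaunchAgents") -> dict[str, list[str]]:
    """Scan every *.plist in a LaunchAgents folder; returns {filename: reasons} for hits only."""
    hits: dict[str, list[str]] = {}
    for plist_path in sorted(directory.glob("*.plist")):
        reasons = scan_launch_agent(plist_path.read_bytes())
        if reasons:
            hits[plist_path.name] = reasons
    return hits


# Constructed sample plists (not real artifacts): one benign vendor agent, one with the traits above.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.syncclient</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/SyncClient.app/Contents/MacOS/SyncClient</string>
    <string>--background</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.securityupdate.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>osascript /Users/alice/.update/check.scpt</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for name, sample in (("benign sample", BENIGN_PLIST), ("suspicious sample", SUSPICIOUS_PLIST)):
        print(f"{name}: {scan_launch_agent(sample) or 'no findings'}")
    for filename, reasons in scan_directory().items():  # live scan of the current user's agents
        print(f"{filename}: {'; '.join(reasons)}")
```

Run it as-is to see the two constructed samples scored, then a pass over the current user's `~/Library/LaunchAgents`. The label in the suspicious sample imitates Apple naming, which is exactly why the script ignores labels and judges only the command launchd will execute.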