Malware · May 18, 2026

A new macOS stealer called Reaper — a SHub variant tracked by @LabsSentinel — runs an infection c...

Reaper macOS stealer (SHub variant) uses typo-squatted domains and fake installers to infect systems.

Summary

Reaper, a new macOS stealer malware tracked as a SHub variant, employs a multi-stage infection chain that exploits user trust in legitimate applications. The attack uses fake WeChat or Miro installers as lures and delivers payloads through typo-squatted domains (e.g., mlcrosoft[.]co[.]com) mimicking Microsoft. Each stage of the infection chain hides behind different trusted brand names to evade detection.

Indicators of Compromise

  • domain — mlcrosoft[.]co[.]com
  • malware — Reaper
  • malware — SHub

Entities

  • LabsSentinel (threat_actor)
  • WeChat (product)
  • Miro (product)