[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-hunR3NE31Ub_-5skiCCd5b8ssMjGJh1T_UzWYYWFd4":3},{"article":4,"iocs":43},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"18ac21d7-6dee-48a4-88f8-4d17ded0438c","Reaper macOS Infostealer Abuses Script Editor to Steal Crypto and Passwords","reaper-macos-infostealer-abuses-script-editor-to-steal-crypto-and-passwords-1c4860","Threat actors are deploying an updated SHub Stealer variant named Reaper that exploits the native macOS Script Editor to bypass OS-level protections and compromise cryptocurrency assets.","Threat actors are distributing Reaper, an updated SHub Stealer variant, via fake software download pages (WeChat, Miro, Microsoft) that exploit macOS Script Editor to bypass Apple's Terminal copy-paste restrictions. The malware steals cryptocurrency wallets, browser passwords, documents, and cryptocurrency exchange credentials by modifying wallet application code and exfiltrating files via C2 servers. It specifically targets crypto wallets like Ledger Live, Trezor, and Exodus, as well as browser extensions like MetaMask and 1Password.","Reaper macOS infostealer abuses Script Editor to bypass protections and steal crypto and passwords.","Reaper macOS Infostealer Abuses Script Editor to Steal Crypto and Passwords
Threat actors are deploying an updated SHub Stealer variant named Reaper that exploits the native macOS Script Editor to bypass OS-level protections and compromise cryptocurrency assets.
by Deeba Ahmed, June 5, 2026, 3 minute read
macOS users are facing another malware campaign, this time involving a modified infostealer that poses as trusted technology brands to compromise local files and cryptocurrency assets. 
As previously reported by Hackread.com, researchers at SentinelOne first identified the campaign distributing an updated version of SHub Stealer under the build tag Reaper. A later investigation by Moonlock has now provided more detail on the operation, showing how attackers used fake download pages for popular apps such as WeChat and Miro to target victims.
Image credit: SentinelOne and Moonlock
The Automated ClickFix Technique
According to Moonlock’s blog post, this campaign uses a variant of the ClickFix attack. In previous iterations, threat actors used deceptive web pages to convince victims to manually copy and paste malicious commands into the native macOS Terminal utility. To neutralise this specific risk, Apple implemented strict copy-and-paste restrictions within Terminal in the macOS Tahoe 26.4 operating system release.
To bypass these updates, the Reaper malware abandons the Terminal entirely, and the fake websites use a specific internet link format (applescript:\u002F\u002F) to automatically open the built-in macOS Script Editor app. The hackers hide the malicious code inside the script by using extensive ASCII art and arbitrary whitespace injection to push the functional script sequences below the visible scroll boundary of the graphical user interface. This basically pushes the command out of sight. When a user clicks the play button, thinking they are running a normal system update, the script executes. Because Script Editor is an official tool included with all versions of macOS, users rarely suspect any danger.
Multi-Stage Disguises and Data Theft
The attackers use a shifting setup to gain user trust. The attack starts on fake software pages hosted on misspelled Microsoft web domains, such as mlcrosoft.co.com. Once the script runs, it displays a fake Apple security update message to trick the user into typing in their system password. 
“The payload may be hosted on a typo-squatted Microsoft domain, executed under the guise of an Apple security update, and persist from a fake Google Software Update directory. Alongside the previously documented SHub feature set, the build also adds an AMOS-style document theft module with chunked uploads,” researchers explained.
Reaper then checks the computer’s keyboard configuration. If the keyboard is set to the Russian language, the program completely shuts down. If not, it activates an information-stealing feature modelled after Atomic macOS Stealer (AMOS). It targets specific file extensions within the Desktop and Documents paths, storing .docx, .pdf, .xlsx, .wallet, and .keys files into compressed 70MB chunked ZIP archives. These archives are transmitted via standard curl commands to an external command-and-control server at hebsbsbzjsjshduxbs.xyz\u002Fgate\u002Fchunk.
The malware also targets internet browsers like Chrome, Firefox, and Edge to steal saved passwords, along with browser extensions like 1Password and MetaMask. For desktop crypto wallets, including Ledger Live, Trezor Suite, and Exodus, Reaper modifies the actual internal code of the applications to intercept and divert future funds. Finally, it sets up a permanent backdoor inside a fake Google Software Update directory to maintain remote access to the computer.
This is the third campaign in under two months that has adopted this newly automated distribution style. Therefore, researchers advise users to always double-check website addresses, never type their Mac password into unexpected pop-up boxes, and use reliable security software to detect these hidden scripts before execution.
Deeba Ahmed
Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage. 
","https:\u002F\u002Fhackread.com\u002Freaper-macos-infostealer-script-editor-crypto-passwords\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F06\u002Freaper-macos-infostealer-script-editor-crypto-passwords-2.jpg","2026-06-05T13:06:01+00:00","2026-06-05T14:00:18.173262+00:00",9,[18,21,23,25,27,30],{"name":19,"type":20},"macOS Script Editor","product",{"name":22,"type":20},"MetaMask",{"name":24,"type":20},"Ledger Live",{"name":26,"type":20},"Trezor Suite",{"name":28,"type":29},"SentinelOne","vendor",{"name":31,"type":29},"Apple","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":32,"icon":34,"name":35,"slug":36},null,"Malware","malware",[38],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",[44,48,51,54],{"type":45,"value":46,"context":47},"domain","hebsbsbzjsjshduxbs.xyz","Command-and-control server used for exfiltrating stolen data via 
\u002Fgate\u002Fchunk endpoint",{"type":45,"value":49,"context":50},"mlcrosoft.co.com","Typo-squatted Microsoft domain hosting malicious payload and fake security update pages",{"type":36,"value":52,"context":53},"Reaper","Updated SHub Stealer variant targeting macOS users, exploits Script Editor for obfuscation",{"type":36,"value":55,"context":56},"SHub Stealer","Original infostealer; Reaper is an updated variant with AMOS-style document theft module"]