macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain
Essential information
- Published: 18/05/2026 19:52
- Modified: 18/05/2026 18:26
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: amos, atomic macos stealer, backdoor, credential harvesting, cryptocurrency theft, infostealer, macos, persistence mechanism, shub reaper, shub stealer, social engineering, typosquatting
- Tags: 2026-05-18, amos, atomic macos stealer, backdoor, credential harvesting, cryptocurrency theft, infostealer, macos, persistence mechanism, shub reaper, shub stealer, social engineering, typosquatting
- Related entities: 8 indicators, 8 observables, 19 techniques (mitre), 4 malware, 3 others
Description
A new variant of SHub Stealer dubbed 'Reaper' targets macOS users through fake WeChat and Miro installers, employing sophisticated multi-stage delivery chains that spoof Apple, Google, and Microsoft services. The malware leverages the applescript:// URL scheme to bypass Terminal-based defenses, conducting extensive fingerprinting and anti-analysis checks before execution. Reaper harvests browser credentials, cryptocurrency wallets, developer configurations, iCloud data, and Telegram sessions. It includes an AMOS-style document theft module targeting files under 150 MB with chunked uploads. The variant establishes persistence through a fake Google Software Update LaunchAgent and installs a backdoor for remote code execution. The infection specifically avoids CIS regions and employs extensive anti-analysis techniques including WebGL fingerprinting, VM detection, and DevTools interference.
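The persistence mechanism above (a LaunchAgent posing as a vendor updater) is one of the few parts of this chain a defender can hunt for on disk. The following is an added example, not code from the report or from AlienVault: a heuristic triage script that parses LaunchAgent plists and flags entries whose label or program path claims a Google/Apple/Microsoft updater identity while being launched through a shell interpreter, living in a hidden or scratch directory, or carrying scripting and download tooling in its arguments. The three sample plists are constructed for the example; the label strings, paths, directory list and keyword patterns are assumptions chosen to illustrate the heuristics, not indicators from the report. A "plausible" verdict only means none of the heuristics fired; confirming a legitimate updater still requires checking the binary's code signature.

```python
"""Heuristic triage of macOS LaunchAgent plists that impersonate vendor updaters.

Added example (not from the report). All labels, paths and patterns below are
assumptions for illustration; tune them to your environment.
"""
import plistlib
import re
from pathlib import Path

# Heuristic 1: the label or program path claims a vendor-updater identity.
VENDOR_UPDATER = re.compile(r"(?=.*(google|apple|microsoft))(?=.*(update|keystone))", re.I)

# Heuristic 2: locations where a real vendor updater would not be installed (assumption).
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/", "/Library/Caches/")
HIDDEN_DIR = re.compile(r"/\.[^/]")  # any hidden path component, e.g. /Users/Shared/.gsu/

# Heuristic 3: a genuine updater is a signed binary, not a script fed to an interpreter.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "curl"}
SCRIPT_TOOLING = re.compile(r"applescript://|osascript|curl\s|base64", re.I)


def extract_program(plist: dict):
    """Return (program path, argument list) from Program / ProgramArguments."""
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    program = str(plist.get("Program") or (args[0] if args else ""))
    return program, args


def assess_launch_agent(plist_bytes: bytes):
    """Return (verdict, reasons): 'ignore', 'plausible' or 'suspicious'."""
    data = plistlib.loads(plist_bytes)
    label = str(data.get("Label", ""))
    program, args = extract_program(data)
    if not (VENDOR_UPDATER.search(label) or VENDOR_UPDATER.search(program)):
        return "ignore", []          # does not claim to be a vendor updater

    reasons = []
    paths = [program] + args
    for p in paths:
        if any(d in p for d in SUSPICIOUS_DIRS) or HIDDEN_DIR.search(p):
            reasons.append(f"unusual location for a vendor updater: {p}")
    if program.rsplit("/", 1)[-1] in INTERPRETERS:
        reasons.append(f"vendor-updater label launched through interpreter: {program}")
    if SCRIPT_TOOLING.search(" ".join(args)):
        reasons.append("arguments contain scripting or download tooling")
    return ("suspicious" if reasons else "plausible"), reasons


def scan_launch_agents(dirs):
    """Assess every .plist in the given directories; returns {path: (verdict, reasons)}."""
    results = {}
    for d in dirs:
        for f in Path(d).expanduser().glob("*.plist"):
            try:
                results[str(f)] = assess_launch_agent(f.read_bytes())
            except Exception as exc:   # unreadable or malformed plist
                results[str(f)] = ("error", [str(exc)])
    return results


# Constructed sample plists for the example (not real indicators).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.softwareupdate.agent</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>-c</string><string>/Users/Shared/.gsu/update</string></array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""

PLAUSIBLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>Program</key><string>/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdateAgent</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

UNRELATED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backup</string>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in [("suspicious", SUSPICIOUS_PLIST), ("plausible", PLAUSIBLE_PLIST), ("unrelated", UNRELATED_PLIST)]:
        print(name, assess_launch_agent(blob))
    # Live scan of the usual per-user and system LaunchAgent directories.
    for path, (verdict, reasons) in scan_launch_agents(["~/Library/LaunchAgents", "/Library/LaunchAgents"]).items():
        if verdict == "suspicious":
            print(path, reasons)
```

The heuristics deliberately fire on structure (interpreter, hidden directory, scratch location, scripting tooling) rather than on any specific label, because a campaign can rename its plist freely but cannot easily avoid launching a script from a writable location. Pair a hit with `codesign -dv` on the referenced binary and with the MITRE techniques attached to this pulse when writing the final detection rule.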