Anatomy of Reaper: Fileless macOS Infostealing via AppleScript, Geofencing, and Persistent Backdoors
A sophisticated new evolution of the SHub macOS infostealer, identified by researchers as “Reaper,” is currently active in the wild.
This variant represents a significant step up in technical complexity, moving beyond simple credential harvesting to employ stealthier delivery vectors, advanced data exfiltration, and a highly deceptive persistence mechanism that masquerades as legitimate Google software updates.
While the Reaper strain maintains the classic SHub tactic of using fraudulent installers—specifically masquerading as popular productivity tools like WeChat and Miro—its infection chain has become significantly more modular. The malware frequently shifts its “disguise” at various stages of the kill chain. For instance, a victim might initially be redirected to a typo-squatted domain such as Microsoft[.]co[.]com before being presented with a fraudulent Apple security update prompt.
A notable shift in Reaper’s technical approach is its move away from traditional “ClickFix” social engineering, which typically requires a user to manually copy and paste commands into a Terminal. Instead, Reaper leverages the applescript:// URL scheme to facilitate more automated, fileless execution.
Security researchers at SentinelOne report that this evolution highlights a growing trend in macOS-targeted malware: the adoption of layered social engineering paired with living-off-the-land (LotL) techniques to bypass traditional endpoint detection.
By utilizing the applescript:// scheme, the malware automatically triggers the macOS Script Editor with a pre-loaded malicious payload. To evade visual detection, the script is “padded” with benign text and ASCII art, ensuring the actual malicious code remains hidden “below the fold” from the casual observer.
Upon execution, the script presents a deceptive XProtect update interface. While the user sees a system maintenance prompt, the script is silently executing a Base64-decoded command designed to fetch and run a remote shell script via curl and zsh.
Interestingly, Reaper includes built-in geofencing logic to avoid detection by specific regional security entities. The malware queries macOS input settings; if it detects Russian language indicators, it terminates execution and transmits a “cis_blocked” signal to its command-and-control (C2) server to signal a “safe” exit.

Before any payload is delivered, the lure websites conduct intensive device fingerprinting to assess the environment. These pre-infection checks include:
- IP geolocation and network profiling.
- WebGL-based hardware fingerprinting.
- Detection of Virtual Machines (VMs) or VPN/Proxy usage.
- Enumeration of browser extensions, specifically targeting password managers and cryptocurrency wallets.

The stolen data is exfiltrated via a Telegram bot. To hinder forensic analysis, the web components deploy anti-debugging defenses, such as overriding console functions and triggering infinite debugger loops to crash developer tools.
Exploiting System Trust: The Fake Google Update
Once the AppleScript is active, it prompts the user for macOS administrative credentials under the guise of a legitimate system request. Once harvested, these credentials allow the malware to breach the system’s security perimeter and access sensitive targets, including the macOS Keychain and browser-stored secrets.
Reaper’s target list is extensive, covering a wide array of high-value applications:
- Browsers: Chrome, Safari, Firefox, Edge, Brave, Opera, Vivaldi, Arc, and Orion.
- Crypto Wallets: Exodus, Atomic, Ledger Live, Electrum, and Trezor Suite.
- Messaging: Telegram session data and authentication tokens.
The variant also introduces an AMOS-style Filegrabber module. This component autonomously scans the ~/Desktop and ~/Documents directories for high-value file types, including .docx, .xlsx, .json, .wallet, and .rdp. The malware can stage up to 150MB of data for exfiltration.

To manage large datasets, the malware implements a chunking mechanism, splitting archives into 70MB segments to facilitate exfiltration via standard HTTP requests without triggering network anomalies.
Furthermore, Reaper actively tampers with cryptocurrency software. It can replace core application files (such as app.asar) with trojanized versions retrieved from the C2 server. To ensure these modified files run without interference, the malware utilizes xattr -cr to strip extended attributes and employs ad hoc code signing to bypass macOS Gatekeeper protections.
Perhaps most concerning is Reaper’s persistence mechanism. It creates a directory structure that mimics the legitimate Google Update framework:
~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/
It drops a malicious binary named GoogleUpdate and registers it via a LaunchAgent: com.google.keystone.agent.plist. This agent executes every 60 seconds, serving as a persistent beacon to the C2 server. If the C2 responds with commands, the malware can execute them dynamically, providing the attacker with full remote code execution (RCE) and a long-term backdoor into the host.
Mitigation and Defensive Strategies
Because Reaper relies heavily on native macOS utilities like AppleScript and osascript, it often evades static, file-based detection engines like XProtect. Security teams must pivot toward behavioral analysis to detect this threat.
Defenders should prioritize monitoring for the following indicators:
- Anomalous or unexpected
osascript(Script Editor) execution patterns. - Unusual outbound network connections immediately following script execution.
- The creation of LaunchAgents within known vendor namespaces (e.g.,
com.google.*). - Unauthorized integrity changes to application files within
/Applications.
Indicators of Compromise (IoCs)
Network Communications
| Indicator | Description |
|---|---|
| hebsbsbzjsjshduxbs[.]xyz | Primary C2 Domain |
| hxxps[://]hebsbsbzjsjshduxbs[.]xyz/api/debug/event | C2 Endpoint |
| hxxps[://]hebsbsbzjsjshduxbs[.]xyz/api/bot/heartbeat | C2 Endpoint |
| hxxps[://]hebsbsbzjsjshduxbs[.]xyz/gate | C2 Endpoint |
| qq-0732gwh22[.]com | Fake WeChat Lure Domain |
| mlcrosoft[.]co[.]com | Fake Microsoft Lure Domain |
| mlroweb[.]com | Fake Miro Lure Domain |
File System Paths
| Filepath | Purpose |
|---|---|
| ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate | Backdoor Binary |
| ~/Library/LaunchAgents/com.google.keystone.agent.plist | Persistence Mechanism |
| /tmp/shub_log.zip | Staged exfiltration archive |
| /tmp/shub_split.sh | Archive splitting utility |
| /tmp/shub_mzip_*.zip | Segmented archive chunks |
| /tmp/.c.sh | Ephemeral backdoor execution script |
| /tmp/*_asar.zip | Downloaded wallet payloads (e.g., exodus_asar.zip) |
Static Identifiers
| Identifier | Value |
|---|---|
| Build ID | 6552824c59ddacb134073f24a4bd4724514a938a9dc59f1733503642faed3bd3 |
| Build Name | Reaper |
| Hardcoded Build Hash | c917fcf8314228862571f80c9e4a871e |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.