Google, Ledger Live and Trezor Suite: Reaper macOS Infostealer Abuses Script Editor to Steal Crypto and Passwords

Google, Ledger Live and Trezor Suite: Reaper macOS Infostealer Abuses Script Editor to Steal Crypto and Passwords

macOS Users Targeted by Reaper Malware Campaign Using Fake App Downloads

A new malware campaign is targeting macOS users with an updated version of the SHub Stealer, dubbed Reaper, which masquerades as trusted software brands to steal files and cryptocurrency assets. Researchers at SentinelOne first identified the threat, with Moonlock later uncovering additional details on its distribution tactics.

The attack leverages a refined ClickFix technique, bypassing Apple’s recent security updates in macOS Tahoe 26.4, which restricted malicious Terminal commands. Instead of relying on Terminal, the malware uses applescript:// links to automatically open macOS Script Editor, where malicious code is hidden beneath ASCII art and excessive whitespace rendering it invisible unless manually scrolled. When executed, the script triggers a fake Apple security update prompt, tricking users into entering their system password.

The campaign begins on typosquatted domains, such as mlcrosoft.co.com, impersonating legitimate software like WeChat and Miro. Once installed, Reaper checks the victim’s keyboard language shutting down if set to Russian before activating its data-stealing module, modeled after Atomic macOS Stealer (AMOS).

The malware targets documents, PDFs, spreadsheets, and cryptocurrency-related files (e.g., .wallet, .keys), compressing them into 70MB ZIP chunks and exfiltrating them to a command-and-control server at hebsbsbzjsjshduxbs.xyz/gate/chunk. It also steals browser passwords (Chrome, Firefox, Edge) and crypto wallet extensions (1Password, MetaMask), while modifying desktop wallet apps (Ledger Live, Trezor Suite, Exodus) to divert funds. A fake Google Software Update directory is created to maintain persistent backdoor access.

This marks the third campaign in two months using this automated distribution method, signaling an escalating threat to macOS users.

Source: https://hackread.com/reaper-macos-infostealer-script-editor-crypto-passwords/

BleepingComputer cybersecurity rating report: https://www.rankiteo.com/company/bleepingcomputer

Trezor cybersecurity rating report: https://www.rankiteo.com/company/trezor

Google cybersecurity rating report: https://www.rankiteo.com/company/google

"id": "BLETREGOO1780669490",
"linkid": "bleepingcomputer, trezor, google",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'location': 'Global (Excludes Russian-speaking '
                                    'regions)',
                        'type': 'Individual macOS Users'}],
 'attack_vector': 'Fake App Downloads, Typosquatted Domains, Social '
                  'Engineering (Fake Security Update Prompt)',
 'data_breach': {'data_exfiltration': 'Yes (Compressed into 70MB ZIP chunks, '
                                      'exfiltrated to C2 server)',
                 'file_types_exposed': ['.wallet',
                                        '.keys',
                                        'Browser Password Databases',
                                        'Crypto Wallet Extensions'],
                 'personally_identifiable_information': 'Browser Passwords, '
                                                        'Crypto Wallet '
                                                        'Credentials',
                 'sensitivity_of_data': 'High (Personally Identifiable '
                                        'Information, Financial Data, '
                                        'Cryptocurrency Credentials)',
                 'type_of_data_compromised': ['Documents',
                                              'PDFs',
                                              'Spreadsheets',
                                              'Cryptocurrency Wallet Files',
                                              'Browser Passwords',
                                              'Crypto Wallet Extensions']},
 'description': 'A new malware campaign is targeting macOS users with an '
                'updated version of the SHub Stealer, dubbed Reaper, which '
                'masquerades as trusted software brands to steal files and '
                'cryptocurrency assets. The attack leverages a refined '
                'ClickFix technique, bypassing Apple’s recent security updates '
                'in macOS Tahoe 26.4, which restricted malicious Terminal '
                'commands. The malware uses applescript:// links to '
                'automatically open macOS Script Editor, where malicious code '
                'is hidden beneath ASCII art and excessive whitespace. When '
                'executed, the script triggers a fake Apple security update '
                'prompt, tricking users into entering their system password. '
                'The campaign begins on typosquatted domains, impersonating '
                'legitimate software like WeChat and Miro. Once installed, '
                'Reaper checks the victim’s keyboard language, shutting down '
                'if set to Russian, before activating its data-stealing '
                'module. The malware targets documents, PDFs, spreadsheets, '
                'and cryptocurrency-related files, compressing them into 70MB '
                'ZIP chunks and exfiltrating them to a command-and-control '
                'server. It also steals browser passwords and crypto wallet '
                'extensions while modifying desktop wallet apps to divert '
                'funds.',
 'impact': {'data_compromised': 'Documents, PDFs, Spreadsheets, Cryptocurrency '
                                'Wallet Files, Browser Passwords, Crypto '
                                'Wallet Extensions',
            'identity_theft_risk': 'High (Browser Passwords, Crypto Wallet '
                                   'Credentials)',
            'operational_impact': 'Data Exfiltration, Unauthorized Access to '
                                  'Sensitive Information, Persistent Backdoor '
                                  'Access',
            'payment_information_risk': 'High (Cryptocurrency Theft)',
            'systems_affected': 'macOS (Tahoe 26.4 and potentially other '
                                'versions)'},
 'initial_access_broker': {'backdoors_established': 'Fake Google Software '
                                                    'Update Directory',
                           'entry_point': 'Typosquatted Domains (e.g., '
                                          'mlcrosoft.co.com)',
                           'high_value_targets': 'Cryptocurrency Wallet Users'},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial Gain (Cryptocurrency Theft, Data Exfiltration)',
 'post_incident_analysis': {'root_causes': 'Social Engineering (Fake Security '
                                           'Update Prompt), Exploitation of '
                                           'macOS Script Editor, Lack of User '
                                           'Awareness'},
 'ransomware': {'data_exfiltration': 'Yes'},
 'references': [{'source': 'SentinelOne'}, {'source': 'Moonlock'}],
 'response': {'third_party_assistance': 'SentinelOne, Moonlock'},
 'title': 'macOS Users Targeted by Reaper Malware Campaign Using Fake App '
          'Downloads',
 'type': 'Malware Campaign',
 'vulnerability_exploited': 'macOS Script Editor (applescript:// links), '
                            'Refined ClickFix Technique'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.