You'd think by now, we'd all be wary of sketchy installers and fake update prompts. But the SHub Reaper variant, a new SHub macOS infostealer, is proving that attackers are always finding new ways to make us drop our guard. On Reddit, I've seen a lot of talk about macOS becoming an increasingly attractive target, and this new SHub macOS infostealer variant, documented by SentinelOne researchers on May 18, 2026, just proves it. People are right to be concerned; the tools these threat actors use are getting more capable, more professional.
The mainstream narrative often focuses on the general threat of infostealers, but what's really concerning here is how SHub Reaper sidesteps recent Apple security efforts. It's not just another malware; it's an evolution of the SHub macOS infostealer that bypasses mitigations Apple put in place for Terminal-based attacks. This isn't about a simple "ClickFix" anymore.
The Incident: A Multi-Brand Deception
SHub Reaper, a sophisticated SHub macOS infostealer, starts its attack by luring users to typo-squatted domains, like qq-0732gwh22[.]com, mlcrosoft[.]co[.]com, or mlroweb[.]com. These sites offer fake installers for popular apps like WeChat or Miro. Before even delivering the main payload, the malicious sites fingerprint visitor devices, checking for virtual machines, VPNs, and even installed browser extensions like password managers or crypto wallets. That telemetry data goes straight to a Telegram bot, giving the attackers a clear picture of their target.
The Mechanism: AppleScript's Deceptive Power
Here's the chain that makes the SHub macOS infostealer particularly nasty:
- Initial Access via AppleScript: Instead of a direct executable, the victim is tricked into clicking a link that uses the applescript:// URL scheme. This automatically launches macOS Script Editor, preloaded with malicious AppleScript.
- Fake Update Display: When the victim clicks 'Run' in Script Editor (which, let's be honest, many users might do if they think it's part of an installer), a fake Apple security update message pops up. It even references XProtectRemediator, making it look legitimate.
- Silent Shell Script Execution: While that fake update is on screen, the malicious AppleScript silently downloads a shell script using curl. Then, it executes that script via zsh in the background. This is where it bypasses Apple's Tahoe 26.4 mitigation, which was designed to stop Terminal-based attack chains. The command is even padded with ASCII art and fake installer text to hide the dangerous parts below the visible window.
- Geographic Check: The shell script first checks for Russian keyboard or input sources. If it detects a CIS region, it reports cis_blocked to its C2 server and exits. This is a common tactic to avoid law enforcement scrutiny in certain regions.
- Data Theft Routine: If the system isn't Russian, the malicious AppleScript retrieves and executes the main data theft routine using osascript. This routine, part of the SHub macOS infostealer, then prompts the user for their macOS password, claiming it needs access for the "update." If you give it up, it decrypts Keychain items and accesses protected data.
The SHub macOS infostealer then goes to work, targeting a wide range of sensitive data:
- Browser Data: Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, Orion.
- Cryptocurrency Wallets: Both browser extensions (MetaMask, Phantom) and desktop applications (Exodus, Atomic Wallet, Ledger Live, Electrum, Trezor Suite).
- Password Managers: 1Password, Bitwarden, LastPass browser extensions.
- iCloud Account Data and Telegram session data.
- Developer-related configuration files.
It also includes a filegrabber module, searching Desktop and Documents for sensitive file types (like .docx, .xlsx, .json, .wallet, .rdp) under 2MB, and PNGs up to 6MB, with a total collection cap of 150MB. If the staged data gets too big, it splits it into 70MB ZIP chunks for upload.
Wallet Hijacking and Persistence
The SHub macOS infostealer doesn't stop at just stealing data. It can also hijack cryptocurrency wallet applications. It terminates legitimate wallet processes, downloads a malicious app.asar file from its C2 server, and replaces the legitimate core application file. To make sure this modified app runs, it clears quarantine attributes (xattr -cr) and uses ad hoc code signing, effectively bypassing Gatekeeper alerts.
For persistence, it installs a script impersonating a Google software update, creating a directory structure like ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/. It then registers this script using a LaunchAgent (com.google.keystone.agent.plist), set to execute every minute. This LaunchAgent acts as a beacon: it sends system information to the C2, decodes and executes any further payload the C2 returns, and then deletes the payload file. It's a full-blown backdoor with extended remote access capabilities.
The Impact: Beyond a Simple Click
The practical impact of the SHub macOS infostealer is significant. Any macOS user who falls for this sophisticated social engineering could lose their browser credentials, cryptocurrency, password manager data, and even their iCloud and Telegram sessions. The ability to replace core wallet application files and bypass Gatekeeper means attackers aren't just stealing data; they're taking control of critical financial tools.
This isn't just about a user clicking a bad link. It's about a threat actor actively adapting to Apple's security improvements. When Apple rolls out mitigations for Terminal-based attacks, the SHub macOS infostealer pivots to AppleScript. That's the problem: the attackers are agile. The multi-layered brand spoofing (Apple, Google, Microsoft) makes it even harder for a user to spot the deception, even if they're security-conscious.
The Response: Vigilance and Verification
SentinelOne's discovery of the SHub macOS infostealer is a critical piece of the puzzle, giving us the technical details we need to understand this threat. But what do we do about it?
First, user education is non-negotiable. We need to keep hammering home the importance of verifying official system update procedures. Apple updates come through System Settings, not random pop-ups or Script Editor prompts. For third-party apps, always download directly from the developer's official website or the App Store. Never trust a link from a search result or an unsolicited message, especially if it's for a popular app.
Second, for organizations, monitoring for suspicious outbound traffic post-Script Editor execution is key. Also, scrutinize any new LaunchAgents or related files, especially those impersonating trusted vendors like Google. This is where solid Endpoint Detection and Response (EDR) solutions become essential. They can spot the anomalous behavior of a script trying to establish persistence or exfiltrate data, even if the initial execution bypassed some built-in macOS defenses.
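As an added example (my own triage script, not SentinelOne's tooling or anything from the malware), here is a small check that turns the persistence layout described above into LaunchAgent findings: a vendor-style label (Apple, Google, Microsoft) whose program lives under the user's home, an interpreter-launched script, a beacon-like StartInterval, and an .app bundle parked under ~/Library/Application Support. The plists and the home path are constructed samples so it runs offline; the prefix lists and thresholds are my assumptions, not detection rules from the report.

```python
import plistlib
from pathlib import Path

# Label prefixes of the vendors the article says are spoofed; assumption: a
# genuine agent for these vendors does not run code out of the user's home.
VENDOR_PREFIXES = ("com.apple.", "com.google.", "com.microsoft.")
INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript")

def analyze_agent(plist: dict, home: str) -> list[str]:
    """Return findings for one parsed LaunchAgent plist; empty list means nothing matched."""
    findings = []
    label = plist.get("Label", "")
    args = list(plist.get("ProgramArguments") or [])
    if plist.get("Program"):
        args.insert(0, plist["Program"])
    in_home = [a for a in args if isinstance(a, str) and a.startswith(home + "/")]
    if label.startswith(VENDOR_PREFIXES) and in_home:
        findings.append(f"vendor-style label {label!r} runs code from user-writable path {in_home[0]!r}")
    if args and args[0] in INTERPRETERS:
        findings.append(f"agent is a script launched via {args[0]}")
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and interval <= 60:  # the article's agent fires every minute
        findings.append(f"beacon-like StartInterval of {interval}s")
    if any(".app/Contents/MacOS/" in a for a in in_home):
        findings.append("program sits inside an .app bundle under the user's Library")
    return findings

def scan_dir(directory: Path, home: str) -> dict[str, list[str]]:
    """Parse every *.plist in a LaunchAgents directory and return findings per file."""
    results = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            with path.open("rb") as fh:
                results[path.name] = analyze_agent(plistlib.load(fh), home)
        except Exception as exc:  # a plist launchd cannot parse is worth a look too
            results[path.name] = [f"unparseable plist: {exc}"]
    return results

# Constructed samples, not real artefacts: one mirroring the persistence layout
# from the article, one benign hourly job for contrast.
SAMPLE_HOME = "/Users/victim"
SUSPICIOUS = {"Label": "com.google.keystone.agent", "StartInterval": 60, "RunAtLoad": True,
              "ProgramArguments": ["/bin/zsh", SAMPLE_HOME + "/Library/Application Support/"
                                   "Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate"]}
BENIGN = {"Label": "com.example.backup", "StartInterval": 3600,
          "ProgramArguments": ["/usr/local/bin/backup"]}

if __name__ == "__main__":  # on a real Mac: scan_dir(Path.home() / "Library/LaunchAgents", str(Path.home()))
    for name, data in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, analyze_agent(data, SAMPLE_HOME) or ["no findings"])
```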
The shift from previous "ClickFix" Terminal-based attacks to more sophisticated methods like AppleScript spoofing shows that threat actors are constantly evolving. We can't afford to get complacent. The SHub macOS infostealer proves that macOS is a prime target, and defense requires a multi-layered approach that combines user awareness with advanced technical controls.