macOS Malware Uses Fake Google Update for Persistence
A new and sophisticated threat has emerged for macOS users: a variant of the SHub infostealer malware, dubbed “
[Figure: HTML source code showing the construction of the malicious AppleScript]

SentinelOne said in a report shared with Cyber Security News (CSN) that the malware “uses fake WeChat and Miro installers as lures” and that the infection chain shifts its disguise at each stage. The team confirmed the campaign is hosted on a typo-squatted Microsoft domain and uses AppleScript to bypass standard detection methods.
Once a user is tricked into running the fake installer, the malware uses AppleScript to deliver the initial shell script rather than relying on standard ClickFix social engineering.
Fake Google Software Update
This variant bypasses Apple’s Terminal mitigation entirely by routing execution through Script Editor. The malicious command is constructed dynamically and padded with base64-encoded strings, keeping it hidden below the visible portion of the Script Editor window.
Reaper checks the victim’s local settings by querying the com.apple.HIToolbox.plist file to detect Russian-language input sources.
If the host appears to be in a Commonwealth of Independent States region, the malware sends a cis_blocked event to its command and control server and exits.

Otherwise, it retrieves a second AppleScript containing the core extraction logic and runs it in memory via osascript, never directly touching the local disk.
Before finishing its initial run, Reaper establishes persistence using a directory structure built to mimic Google’s legitimate Keystone update service.
It places a base64-decoded bash script named GoogleUpdate inside ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/, then registers a LaunchAgent using a property list named com.google.keystone.agent.plist. This causes the script to execute silently every 60 seconds in the background.
Every time the LaunchAgent fires, the script sends system details to the attacker’s /api/bot/heartbeat endpoint.
If the server returns a “code” payload, the script decodes it, writes it to /tmp/.c.sh, runs it with the current user’s privileges, and then deletes it. This gives the attacker a persistent and trace-free remote execution channel on the compromised machine.
Data Theft and Anti-Analysis Measures
Reaper includes a FileGrabber routine that scans the Desktop and Documents folders for files likely to hold business or financial value.
It targets extensions such as .docx, .wallet, .key, .json, and .rdp, along with images under 1MB and documents under 5MB, capping total collection at 100MB.
Files are staged in /tmp/shub_random/ before being split into 10MB chunks and uploaded to the attacker’s server via curl.
The malware also targets cryptocurrency desktop applications including Exodus, Atomic, Ledger Live, and Trezor Suite, while harvesting browser credentials and developer keystrokes.
On the delivery page, the campaign overrides the browser console functions and runs a continuous debugger loop to obstruct security analysis. If a researcher opens DevTools, the page replaces its content with a Russian-language access denied message.
SentinelOne advises users to avoid executing scripts from websites claiming a manual security update is required, as Apple never prompts users to open Script Editor and run commands.
Users should verify URLs carefully and only download software from official developer sites or the Mac App Store.
Defenders should watch for unexpected AppleScript activity, unusual outbound connections after Script Editor runs, and new LaunchAgents in namespaces tied to trusted software vendors.
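A defender-side triage check for the LaunchAgent artefacts described in the persistence section and the detection advice above, added here as example code and not part of SentinelOne's report or this article: it parses a LaunchAgent plist and flags the spoofed Keystone label combined with the fake GoogleUpdate.app path, the 60-second interval, and an agent program that is a shell script rather than a binary. The two sample plists and the /Users/victim path are constructed for the example.

```python
import plistlib
from typing import List, Optional

# Indicators from the report above: the spoofed Keystone label, the fake
# GoogleUpdate.app directory under Application Support, and the 60 s interval.
SPOOFED_LABEL = "com.google.keystone.agent"
FAKE_DIR = "/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/"
SUSPECT_INTERVAL = 60

def triage_launch_agent(plist_bytes: bytes, program_head: Optional[bytes] = None) -> List[str]:
    """Return findings for one LaunchAgent plist; an empty list means no match.

    program_head is the first bytes of the file the agent runs, if the caller
    read it: the dropped GoogleUpdate is a bash script, not a Mach-O binary.
    """
    try:
        pl = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed or non-plist input
        return [f"unparseable plist: {exc}"]
    findings: List[str] = []
    args = pl.get("ProgramArguments") or []
    program = pl.get("Program") or (args[0] if args else "")
    if pl.get("Label") == SPOOFED_LABEL and FAKE_DIR in program:
        findings.append("Keystone label but program lives in the fake GoogleUpdate.app path")
    if pl.get("StartInterval") == SUSPECT_INTERVAL:
        findings.append("StartInterval of 60 s matches the reported heartbeat cadence")
    if program_head is not None and program_head.startswith(b"#!"):
        findings.append("agent program is a shell script, not a Mach-O binary")
    return findings

# Constructed sample plists modelled on the report (not real captures); the
# /Users/victim path is a placeholder.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/victim/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate</string>
  </array>
  <key>StartInterval</key><integer>60</integer>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

if __name__ == "__main__":
    print(triage_launch_agent(SUSPECT_PLIST, b"#!/bin/bash\n"), triage_launch_agent(BENIGN_PLIST))
```

To run it against a real host, read each file in ~/Library/LaunchAgents and pass the first bytes of the referenced program as program_head.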