SHub Stealer Malware Targets Browsers & Crypto Wal
A new, more sophisticated variant of the SHub Stealer malware poses a significant threat to Mac users. This iteration employs advanced, harder-to-detect techniques than its predecessors.
The updated build, now called Reaper, spreads through fake websites that impersonate popular software, luring unsuspecting users into a trap.
Once inside a system, it can silently drain everything from browser credentials to cryptocurrency wallets before the victim ever notices anything is wrong.
What makes this version particularly worrying is the method it uses to get onto your Mac. Instead of relying on the older ClickFix trick of asking users to copy and paste a command into Terminal, Reaper automates the process.
The lure webpage silently opens the Mac's Script Editor pre-loaded with malicious code, so all a user has to do is press the Run button once to launch the infection.
Researchers at Moonlock identified and reported on this new SHub Reaper campaign, noting this is already the third time in under two months that this automated ClickFix technique has appeared across separate macOS malware campaigns.
Moonlock said in a report shared with Cyber Security News (CSN) that the trend of automating ClickFix is picking up speed among macOS threat actors who tend to copy proven tactics from one another.
The campaign also goes to great lengths to appear trustworthy. Attackers spoof well-known brands and host malware payloads on domains that look nearly identical to legitimate ones.

They pass off malware downloads as Apple security updates and use fake Google Software Update pathways to plant persistent backdoors deep inside the victim’s Mac.
This level of deception is what makes SHub Reaper stand out even among other Mac stealers. By blending into the familiar look of trusted software tools and brands, the malware significantly lowers a user’s guard.
The result is a stealthy, multi-stage attack that ends with stolen data, drained wallets, and an attacker-controlled backdoor running quietly in the background.
SHub Stealer Targets Browsers and Crypto Wallets
The Reaper build is a significant upgrade over previous versions of SHub Stealer. Earlier builds could already steal browser data, macOS Keychains, iCloud account data, and Telegram session information.
The new version goes much further, now targeting Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Orion browsers, along with their extensions.

What truly sets Reaper apart is how it handles cryptocurrency. Rather than installing a fake wallet app, Reaper digs into the code of legitimate desktop wallet applications already on the Mac and quietly modifies them to steal funds.
Targeted wallets include Exodus, Atomic, Ledger Live, Electrum, and Trezor Suite. The malware also carries an AMOS-style Filegrabber that hunts through Desktop and Documents folders for valuable files, including .docx, .wallet, .key, .csv, .xls, and .json formats.
Once it collects everything, Reaper bundles the stolen data and quietly sends it to an attacker-controlled server using curl, a legitimate command-line tool that ships with macOS. Before exiting, it installs a disguised backdoor that registers itself as a Google update service so it survives reboots and remains hidden.
How to Protect Yourself From SHub Reaper
Staying safe from Reaper starts with understanding how it gains entry. The malware relies heavily on social engineering, tricking users into doing something that appears normal but actually hands over system access.
If a webpage suddenly opens Script Editor or Terminal and asks you to click Run (the play button), close that window immediately. That is not how legitimate software behaves.
Users should never enter their Mac system password into a pop-up that appears right after installing software. If any program asks for your password the moment after installation, treat that as a clear warning sign.
For those holding cryptocurrency, moving funds to an offline cold wallet or a separate dedicated device is far safer than keeping wallets on your primary Mac.
Keeping your operating system and security software consistently updated gives your defenses a much better chance of catching new stealer variants before they cause lasting damage.
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| Domain | mlcrosoft[.]co[.]com | Typo-squatted Microsoft domain used to host malware payloads |
| URL | support.apple[.]com/downloads/xprotect-remediator-150.dmg | Fake Apple security update download link used to distribute malware |
| URL | hebsbsbzjsjshduxbs[.]xyz/gate/chunk | Attacker-controlled C2 server endpoint used to exfiltrate stolen data |
| File Path | ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/ | Directory created by Reaper to hide its backdoor as a fake Google update |
| File Name | GoogleUpdate | Base64-encoded bash script planted as the persistence backdoor's executable |
| LaunchAgent | com.google.keystone.agent.plist | LaunchAgent property list used to register and persist the backdoor |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
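The following is an added triage script, not part of the report and not Moonlock's tooling. It checks a home directory for the persistence artifacts in the table above: the fake GoogleUpdate.app directory, a GoogleUpdate executable that is a shell script rather than a Mach-O binary or that decodes an embedded base64 payload, and a com.google.keystone.agent.plist LaunchAgent that points into the fake app. The plist name is shared with the legitimate Google Keystone updater (which lives under ~/Library/Google/GoogleSoftwareUpdate, not under Application Support), so the script counts the plist only when it references the IoC path. The magic-byte and base64 checks are heuristics; the directory layout and the exact decode pattern the dropper uses are assumptions.

```shell
#!/bin/sh
# Triage check for SHub Reaper persistence artifacts (added example, heuristic).
# Usage: reaper_check.sh [HOME_DIR]   (defaults to $HOME)

# Paths relative to the home directory, taken from the IoC table.
REAPER_BACKDOOR_DIR="Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS"
REAPER_BACKDOOR_BIN="$REAPER_BACKDOOR_DIR/GoogleUpdate"
REAPER_AGENT_PLIST="Library/LaunchAgents/com.google.keystone.agent.plist"

# file_kind FILE -> prints "macho" if the first four bytes are a Mach-O or
# universal (fat) magic, otherwise "other". A bash script dropped in place of
# an app executable starts with "#!" and falls into "other".
file_kind() {
    fk_magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$fk_magic" in
        cffaedfe|cefaedfe|feedface|feedfacf|cafebabe) echo macho ;;
        *) echo other ;;
    esac
}

# reaper_scan HOME_DIR
# Prints one FINDING line per indicator to stderr and the total count to stdout.
reaper_scan() {
    rs_home=$1
    rs_hits=0
    rs_dir="$rs_home/$REAPER_BACKDOOR_DIR"
    rs_bin="$rs_home/$REAPER_BACKDOOR_BIN"
    rs_plist="$rs_home/$REAPER_AGENT_PLIST"

    # 1. The fake GoogleUpdate.app directory is an IoC on its own.
    if [ -e "$rs_dir" ]; then
        echo "FINDING: IoC directory present: $rs_dir" >&2
        rs_hits=$((rs_hits + 1))
    fi

    if [ -f "$rs_bin" ]; then
        # 2. A real app executable is Mach-O; Reaper plants a shell script.
        if [ "$(file_kind "$rs_bin")" != macho ]; then
            echo "FINDING: $rs_bin is not a Mach-O binary" >&2
            rs_hits=$((rs_hits + 1))
        fi
        # 3. Heuristic (assumed pattern): script decodes a base64 blob to run it.
        if grep -aqE 'base64[[:space:]]+(-[dD]|--decode)' "$rs_bin" 2>/dev/null; then
            echo "FINDING: $rs_bin decodes an embedded base64 payload" >&2
            rs_hits=$((rs_hits + 1))
        fi
    fi

    # 4. The LaunchAgent label is also used by legitimate Google Keystone, so
    #    only flag it when ProgramArguments point into the fake app bundle.
    if [ -f "$rs_plist" ] && grep -aq "GoogleUpdate.app/Contents/MacOS" "$rs_plist" 2>/dev/null; then
        echo "FINDING: $rs_plist launches the fake GoogleUpdate" >&2
        rs_hits=$((rs_hits + 1))
    fi

    echo "$rs_hits"
}

reaper_scan "${1:-$HOME}"
```

Run it as the affected user (the artifacts are in the user's own Library, not /Library). A non-zero count is a reason to pull the LaunchAgent with `launchctl`, collect the GoogleUpdate script for analysis before deleting it, and rotate every credential and wallet the stealer section above lists, since persistence is the last stage and the data theft has already happened.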
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.