{
  "name": "macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain",
  "slug": "macos-stealer-spoofs-apple-google-and-microsoft-in-a-single-attack-chain",
  "description": "A new variant of SHub Stealer dubbed 'Reaper' targets macOS users through fake WeChat and Miro installers, employing sophisticated multi-stage delivery chains that spoof Apple, Google, and Microsoft services. The malware leverages the applescript:// URL scheme to bypass Terminal-based defenses, conducting extensive fingerprinting and anti-analysis checks before execution. Reaper harvests browser credentials, cryptocurrency wallets, developer configurations, iCloud data, and Telegram sessions. It also includes an AMOS-style document theft module that targets files under 150 MB and exfiltrates them via chunked uploads. The variant establishes persistence through a fake Google Software Update LaunchAgent and installs a backdoor for remote code execution. The infection specifically avoids CIS regions and employs extensive anti-analysis techniques, including WebGL fingerprinting, VM detection, and DevTools interference.",
  "published": "2026-05-18T17:52:51.475000+00:00",
  "created_at": "2026-05-18T18:26:23.616000+00:00",
  "modified_at": "2026-05-18T16:26:23+00:00",
  "created_at_opencti": "2026-05-18T18:26:23.616000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "amos",
    "atomic macos stealer",
    "backdoor",
    "credential harvesting",
    "cryptocurrency theft",
    "infostealer",
    "macos",
    "persistence mechanism",
    "shub reaper",
    "shub stealer",
    "social engineering",
    "typosquatting"
  ],
  "tags": [
    "2026-05-18",
    "amos",
    "atomic macos stealer",
    "backdoor",
    "credential harvesting",
    "cryptocurrency theft",
    "infostealer",
    "macos",
    "persistence mechanism",
    "shub reaper",
    "shub stealer",
    "social engineering",
    "typosquatting"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "dd3e2668-b782-4dae-a6b0-2d28d8f5cd7d",
        "name": "http://hebsbsbzjsjshduxbs.xyz/api/bot/heartbeat"
      },
      {
        "id": "2dc8c28c-aa69-4e8b-a5ed-e0141935e488",
        "name": "hebsbsbzjsjshduxbs.xyz"
      },
      {
        "id": "5f115fcf-63ba-47a4-8bfb-ab43c763dc02",
        "name": "qq-0732gwh22.com"
      },
      {
        "id": "c2922ec1-7a0d-4b78-982b-f39012435232",
        "name": "http://hebsbsbzjsjshduxbs.xyz/gate/chunk"
      },
      {
        "id": "1e76b040-7aa1-42ef-9cb2-7d6737bbb602",
        "name": "mlroweb.com"
      },
      {
        "id": "4b6c56ad-6dad-496a-975f-6deefaaa0358",
        "name": "http://hebsbsbzjsjshduxbs.xyz/api/debug/event"
      },
      {
        "id": "9a91d167-68f5-4028-8af7-e87d076ff53c",
        "name": "http://mlcrosoft.co.com"
      },
      {
        "id": "09774efc-8a4d-4624-85be-34d80c1ed242",
        "name": "http://hebsbsbzjsjshduxbs.xyz/gate"
      }
    ],
    "attack_patterns": [
      {
        "id": "8c79f5d6-60f2-4b5c-9b44-3e00ce9294d0",
        "name": "T1074.001"
      },
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "d3254e3b-07e6-4420-96e0-2e107ce17712",
        "name": "T1102.001"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "46ecf5ab-5539-4a8a-aa5b-c180d0ae5a67",
        "name": "T1059.002"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "880d45b0-e336-4f1a-8893-2796195f5500",
        "name": "T1543.001"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "14e5fcd9-c0ff-44f0-8430-d8942ebb832e",
        "name": "T1567.002"
      },
      {
        "id": "1584b551-72fb-4f60-ba7a-bdac106e6f9b",
        "name": "T1560.001"
      },
      {
        "id": "2e0c6db7-16a7-4bf6-992e-263474014fce",
        "name": "T1059.004"
      },
      {
        "id": "759720f6-8f0f-4017-ab21-7ac30d0bf46f",
        "name": "T1555.001"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "malware": [
      {
        "id": "0cf92ddd-6dea-4a72-bd56-e33d80375a45",
        "name": "Atomic macOS Stealer",
        "slug": "atomic-macos-stealer"
      },
      {
        "id": "ed4cbf67-af05-4eb5-9a37-b51f6496b183",
        "name": "AMOS",
        "slug": "amos"
      },
      {
        "id": "48909b82-8914-4e8e-b6a2-790af38551f9",
        "name": "Shub Stealer",
        "slug": "shub-stealer"
      },
      {
        "id": "9a9a19a9-a39b-4ae6-a731-0f00569c17c4",
        "name": "SHub Reaper",
        "slug": "shub-reaper"
      }
    ],
    "observables": [
      {
        "id": "040f0d20-407d-4919-9202-5dc95356e61c",
        "name": "qq-0732gwh22.com"
      },
      {
        "id": "5420fa97-2e81-450a-9166-3c97b98ef5d8",
        "name": "mlroweb.com"
      },
      {
        "id": "1ee7f646-ad75-4cbb-a1ff-bd6f14ac9401",
        "name": "hebsbsbzjsjshduxbs.xyz"
      },
      {
        "id": "6724e92d-32ea-4a22-9eec-29120896d019",
        "name": "http://hebsbsbzjsjshduxbs.xyz/gate/chunk"
      },
      {
        "id": "be3f22fa-28af-49ab-a831-c6cb5ef23aad",
        "name": "http://mlcrosoft.co.com"
      },
      {
        "id": "8bf7bf44-21b2-473e-960f-78dbe2705a50",
        "name": "http://hebsbsbzjsjshduxbs.xyz/gate"
      },
      {
        "id": "685b1404-ef63-45ff-ab09-a50a6ff2aa84",
        "name": "http://hebsbsbzjsjshduxbs.xyz/api/debug/event"
      },
      {
        "id": "20800388-c555-4c90-a2f6-73e4341ffadd",
        "name": "http://hebsbsbzjsjshduxbs.xyz/api/bot/heartbeat"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "hebsbsbzjsjshduxbs.xyz"
      },
      {
        "id": "",
        "name": "qq-0732gwh22.com"
      },
      {
        "id": "",
        "name": "mlroweb.com"
      }
    ]
  },
  "external_refs": [
    {
      "id": "73174b39-38dd-4524-8623-bcedac7a6a3a",
      "standard_id": "external-reference--040b4e02-15b9-5e0c-a1f7-14c3ae8375bf",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a0b51f39a34872f37d37c9f",
      "hash": null,
      "external_id": "6a0b51f39a34872f37d37c9f",
      "created": "2026-05-18T18:26:20.731Z",
      "modified": "2026-05-18T18:26:20.731Z",
      "createdById": null
    },
    {
      "id": "4bb5ae34-2416-4142-bcfd-65dc93b83b75",
      "standard_id": "external-reference--64bedacc-0079-57cb-a294-42ec83559c3f",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.sentinelone.com/blog/shub-reaper-macos-stealer-spoofs-apple-google-and-microsoft-in-a-single-attack-chain/",
      "hash": null,
      "external_id": null,
      "created": "2026-05-18T18:26:20.754Z",
      "modified": "2026-05-18T18:26:20.754Z",
      "createdById": null
    }
  ]
}