macOS users are facing a new and sophisticated threat as a variant of the SHub infostealer malware, dubbed “Reaper,” has been observed deploying a fake Google Software Update LaunchAgent to maintain persistent access on infected machines.
The malware stays hidden by borrowing the identity of brands that users already trust, making it exceptionally difficult to spot without dedicated security tools.
What makes Reaper especially dangerous is how it shifts its disguise at every stage of the infection chain. A victim may encounter a counterfeit installer for a well-known app such as WeChat or Miro, delivered through a typo-squatted domain that impersonates Microsoft infrastructure.
The payload is then executed under the guise of an Apple security update, and persistence hides within a directory imitating Google’s own software update system. Three globally recognized technology brands are exploited within a single attack chain.
Researchers at SentinelOne identified and analyzed this new Reaper variant, noting it as a continuation of the broader SHub malware family that has grown significantly over the past two years.

SentinelOne said in a report shared with Cyber Security News (CSN) that the malware “uses fake WeChat and Miro installers as lures” and that the infection chain shifts its disguise at each stage. The team confirmed the campaign is hosted on a typo-squatted Microsoft domain and uses AppleScript to bypass standard detection methods.
Once a user is tricked into running the fake installer, the malware uses AppleScript to deliver the initial shell script rather than relying on standard ClickFix social engineering.
Fake Google Software Update
This variant bypasses Apple’s Terminal mitigation entirely by routing execution through Script Editor. The malicious command is constructed dynamically and padded with base64-encoded strings, keeping it hidden below the visible portion of the Script Editor window.
Reaper checks the victim’s local settings by querying the com.apple.HIToolbox.plist file to detect Russian-language input sources.
If the host appears to be in a Commonwealth of Independent States region, the malware sends a cis_blocked event to its command and control server and exits.

Otherwise, it retrieves a second AppleScript containing the core extraction logic and runs it in memory via osascript, never directly touching the local disk.
Before finishing its initial run, Reaper establishes persistence using a directory structure built to mimic Google’s legitimate Keystone update service.
It places a base64-decoded bash script named GoogleUpdate inside ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/, then registers a LaunchAgent using a property list named com.google.keystone.agent.plist. This causes the script to execute silently every 60 seconds in the background.
Every time the LaunchAgent fires, the script sends system details to the attacker’s /api/bot/heartbeat endpoint.
If the server returns a “code” payload, the script decodes it, writes it to /tmp/.c.sh, runs it with the current user’s privileges, and then deletes it. This gives the attacker a persistent and trace-free remote execution channel on the compromised machine.
Data Theft and Anti-Analysis Measures
Reaper includes a FileGrabber routine that scans the Desktop and Documents folders for files likely to hold business or financial value.
It targets extensions such as .docx, .wallet, .key, .json, and .rdp, along with images under 1MB and documents under 5MB, capping total collection at 100MB.
Files are staged in /tmp/shub_random/ before being split into 10MB chunks and uploaded to the attacker’s server via curl.
The malware also targets cryptocurrency desktop applications including Exodus, Atomic, Ledger Live, and Trezor Suite, while harvesting browser credentials and developer keystrokes.
The lure web page itself also overrides the browser console functions and runs a continuous debugger loop to obstruct analysis; if a researcher opens DevTools, the page replaces its content with a Russian-language access-denied message.
SentinelOne advises users to avoid executing scripts from websites claiming a manual security update is required, as Apple never prompts users to open Script Editor and run commands.
Users should verify URLs carefully and only download software from official developer sites or the Mac App Store.
Defenders should watch for unexpected AppleScript activity, unusual outbound connections after Script Editor runs, and new LaunchAgents in namespaces tied to trusted software vendors.
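The LaunchAgent pattern described above (a label in Google's namespace, a script under Application Support, a 60-second StartInterval) can be triaged with a small POSIX shell checker. This is an added example, not SentinelOne's or Google's code; it assumes pretty-printed XML plists, and the vendor install-path allowlist is an assumption to tune against what you see on your own fleet.

```shell
# Added example, not SentinelOne's or Google's code: triage a LaunchAgent plist
# for the pattern described above (vendor-namespaced label, program in a
# user-writable path, very short StartInterval). Assumes a pretty-printed
# XML plist; the vendor path allowlist is an assumption to tune locally.
plist_value() {            # $1 = plist file, $2 = key; prints first value
    awk -v k="<key>$2</key>" '
        index($0, k) { found = 1 }
        found && /<(string|integer)>/ {
            sub(/.*<(string|integer)>/, ""); sub(/<\/(string|integer)>.*/, "")
            print; exit }' "$1"
}
triage_launchagent() {     # $1 = plist file; exit 0 + reasons if suspicious
    label=$(plist_value "$1" Label)
    prog=$(plist_value "$1" ProgramArguments)
    [ -z "$prog" ] && prog=$(plist_value "$1" Program)
    interval=$(plist_value "$1" StartInterval)
    reasons=""
    case "$label" in
    com.google.*|com.apple.*|com.microsoft.*)   # trusted vendor namespace...
        case "$prog" in                          # ...so program must live there
        */Library/Google/GoogleSoftwareUpdate/*|/Applications/*|/System/*|/usr/*) ;;
        *) reasons="$reasons vendor-label-outside-vendor-path" ;;
        esac ;;
    esac
    case "$prog" in
    *"/Application Support/"*|/tmp/*|/private/tmp/*) reasons="$reasons user-writable-program" ;;
    esac
    if [ -n "$interval" ] && [ "$interval" -le 60 ] 2>/dev/null; then
        reasons="$reasons start-interval-${interval}s"   # 60 s beacon cadence
    fi
    [ -n "$reasons" ] || return 1
    printf '%s: label=%s reasons:%s\n' "$1" "$label" "$reasons"
}
# Constructed sample mirroring the layout the article describes (not a real
# artifact); written to $1 so the checker can be exercised offline.
write_sample_plist() {
    cat > "$1" <<'EOF'
<plist version="1.0"><dict>
    <key>Label</key>
    <string>com.google.keystone.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/victim/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate</string>
    </array>
    <key>StartInterval</key>
    <integer>60</integer>
</dict></plist>
EOF
}
```

Run `triage_launchagent` in a loop over `~/Library/LaunchAgents/*.plist`; a hit is a triage lead to inspect, not a verdict, so confirm the program path and its code signature before acting.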
Indicators of Compromise (IoCs)
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post macOS Malware Installs Fake Google Software Update LaunchAgent for Persistence appeared first on Cyber Security News.