New SHub Stealer Variant Targets Major Browsers and Crypto Wallets

ID: 8d3fc6d1-1168-592f-915c-3c90db01260d

STIX ID: report--8d3fc6d1-1168-592f-915c-3c90db01260d

Feed Name: GBHackers

Threat Score: 75/100

Date Published: 2026-06-05

Date Updated: 2026-06-05

Author: Mayura Kathir

Reaper is an upgraded macOS stealer (a new SHub variant) distributed via spoofed download pages that coax users into opening malicious Apple Script Editor content. A single click runs multi-stage malware that exfiltrates browser credentials, Keychain and iCloud tokens, documents, and cryptocurrency wallets, and even modifies wallet application files to siphon funds. The campaign persists via a LaunchAgent, performs anti-analysis checks (e.g., aborting on Russian keyboard layouts), and hosts payloads on typo-squatted or spoofed domains. SentinelOne documented the wave and recommended user caution, verification of downloads, and endpoint protection.