SHub Reaper | macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain
ID: e8260fae-48ef-5df9-b63f-53dc386e1e4e
STIX ID: report--e8260fae-48ef-5df9-b63f-53dc386e1e4e
Feed Name: SentinelOne Blog
This report details SentinelOne's analysis of SHub 'Reaper', a macOS infostealer that uses fake WeChat/Miro installers and a typo-squatted domain to deliver AppleScript payloads via the applescript:// scheme. The stealer harvests browser data, the keychain, cryptocurrency wallets, and documents, performs chunked uploads to a C2, installs a persistent GoogleUpdate LaunchAgent backdoor, and uses anti-analysis techniques. The report includes network and filesystem IOCs, build identifiers, and recommended detection points.
