top of page

Reaper Malware Exploits Spoofed Microsoft Domain in macOS Password Theft Campaign

  • May 19
  • 3 min read

Key Findings


  • SentinelLABS discovered a new macOS infostealer variant called Reaper that bypasses Apple's recent security patches in macOS Tahoe 26.4

  • Attack chain begins with fake download pages for WeChat or Miro using typo-squatted domain mlcrosoft.co.com

  • Malware uses Script Editor with hidden commands disguised as ASCII art to trick users into executing malicious code

  • Reaper steals passwords, browser data, cryptocurrency wallets, and financial documents before establishing persistent backdoor access

  • Command and control server at hebsbsbzjsjshduxbs.xyz receives stolen data and sends new commands every 60 seconds


Background


Reaper is the latest evolution of SHub, an infostealer family that continues to grow more sophisticated. SentinelOne's research team identified this variant as a serious threat because it circumvents Apple's defenses that were specifically designed to stop similar attacks. The malware represents a shift in tactics by SHub operators, who are now combining credential theft, file exfiltration, and persistent backdoor installation into a single package.


How the Attack Begins


The infection starts innocuously with users visiting what appear to be legitimate download pages for popular workplace applications. The attackers registered mlcrosoft.co.com, a domain that closely resembles Microsoft's official site. Before delivering the payload, hidden JavaScript code runs a reconnaissance check on the target machine, looking for specific software, IP addresses, location data, and security tools. Notably, the malware only proceeds if the user is located outside Russia, suggesting operators may be limiting their exposure in certain regions.


Social Engineering and Initial Compromise


Once reconnaissance confirms a suitable target, the victim is directed to open Mac's built-in Script Editor through a specially crafted link. This is where the deception deepens. The malicious commands are embedded in the script but hidden from view using blank lines and ASCII text art, making the code invisible to someone casually reading the window. When the user clicks Run, a fake pop-up appears claiming to be an official Apple security update for XProtectRemediator. Instead of updating the system, it downloads files using the curl tool and requests the user's main login password through what looks like a legitimate authentication dialog.


Data Theft Operations


Once the attacker obtains the login password, Reaper begins systematic data extraction. It targets every major browser installed on the system—Firefox, Chrome, Edge, Brave, Opera, Vivaldi, Arc, and Orion—to steal saved passwords and authentication tokens. Password managers like 1Password and cryptocurrency wallets like MetaMask are also targeted. The malware goes further by searching Desktop and Documents folders for financial or business documents under 2MB and images ranging up to 150MB. Files exceeding size limits are automatically compressed into 70MB chunks before exfiltration. Particularly alarming is Reaper's capability to replace legitimate cryptocurrency wallet applications with fake versions, allowing attackers to monitor all future wallet activity.


Persistence and Ongoing Access


The most concerning aspect of Reaper is how it establishes permanent access to compromised machines. The malware creates a hidden folder structure that mirrors legitimate Google Software Update paths, making it nearly invisible to casual inspection. Every 60 seconds, this hidden component communicates with the attacker's command and control server. If the server responds with new instructions, the script executes them with the user's high-level privileges. This setup transforms a one-time theft into an ongoing relationship where attackers can send new commands, install additional malware, or pivot to other targets on the network.


Recommendations for Users


Mac users should immediately close Script Editor if any website attempts to open it through a link. Downloads should only come from official app stores or verified vendor websites. The prevalence of typo-squatted domains means careful attention to URLs is essential. Given Reaper's persistence mechanisms, users who suspect infection should consider full system restoration rather than relying on standard removal tools.


Sources


  • https://hackread.com/reaper-malware-fake-microsoft-domain-macos-passwords/

  • https://x.com/HackRead/status/2056432625301000492

  • https://healsecurity.com/new-reaper-malware-uses-fake-microsoft-domain-to-steal-macos-passwords-hackread/

  • https://x.com/Dinosn/status/2056449124384334306

  • https://www.socdefenders.ai/item/cd5c2e74-5351-4856-8dae-a328a6d336d0

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page