Reaper Stealer: macOS Backdoors and Credential Theft Explained

May 20, 2026 - 03:15
Updated: 2 days ago
0 4
The diagram illustrates how Reaper Stealer exploits macOS Script Editor to steal credentials and maintain persistence

The Reaper stealer variant exploits macOS Script Editor to bypass terminal-based security controls. It steals credentials from password managers and cryptocurrency wallets while spoofing Apple, Microsoft, and Google domains. The malware establishes persistence by mimicking Google Software Update structures to maintain remote access and execute arbitrary code on infected systems.

What is the Reaper Stealer Malware?

The digital threat landscape for macOS users has evolved significantly with the introduction of a new infostealer variant known as Reaper. This malware represents a sophisticated evolution of previous SHub stealer campaigns, specifically designed to target Apple ecosystem users with precision and stealth. Unlike earlier iterations that relied heavily on social engineering tactics within terminal interfaces, Reaper utilizes a different vector to achieve its objectives.

Research by SentinelOne has documented the mechanics of this attack, highlighting how it leverages macOS Script Editor as its primary delivery mechanism. The malware pre-populates this application with malicious payloads, allowing it to execute code without triggering the defenses that Apple implemented in recent updates like Tahoe 26.4. This bypass is critical because it circumvents the standard security protocols that typically monitor command-line activity.

The threat actor behind Reaper aims to harvest sensitive data from victims, including passwords stored in various managers and access keys for cryptocurrency wallets such as MetaMask and Phantom. By spoofing trusted domains belonging to Apple, Microsoft, and Google, the malware instills a false sense of security in users before initiating the theft process. This multi-layered deception strategy makes detection difficult for both end-users and automated monitoring systems.

Reaper does not operate in isolation but rather as part of a broader campaign targeting high-value assets on macOS devices. The inclusion of file-grabbing capabilities allows it to search Desktop and Document folders for business or financial information, similar to functionality seen in Atomic macOS Stealer. This expansion of scope indicates a shift toward more comprehensive data exfiltration strategies by threat actors operating within the Apple ecosystem.

How Does Reaper Bypass Traditional Defenses?

The initial phase of the Reaper attack involves deceptive distribution channels, specifically fake installer websites for tools like WeChat and Miro. These sites are hosted on domains designed to mimic legitimate Microsoft URLs through typo-squatting techniques. For instance, the domain mlcrosoft[.]co[.]com is used to trick users into believing they are visiting an official Microsoft resource.

When a user visits these pages, hidden JavaScript scripts begin collecting extensive information about their system and browser environment. This includes IP addresses, geographic location data, WebGL fingerprinting details, and indicators of virtual machines or VPN usage. The attack logic is geographically constrained; if the victim is located in Russia, the script terminates immediately, suggesting a targeted approach that avoids certain regions.

For users outside the restricted zones, clicking on the fake tool installer triggers a sneaky link that opens Apple’s Script Editor app. This link is heavily padded with ASCII art and fake terms to push the malicious command far below the visible portion of the window when it loads. Users are thus misled into interacting with what appears to be a benign document rather than an executable script.

When the victim clicks “Run” in Script Editor, the hidden command executes the malicious AppleScript and displays a popup message purporting to be a security update for Apple’s XProtectRemediator tool. Instead of updating the security tool, however, it calls a curl command to silently download the shell script. This process asks the victim to enter their login details, which are scraped and used to decrypt various credentials before displaying a fake error message.

This method effectively defeats defenses Apple added to Tahoe 26.4 by avoiding Terminal altogether. By using Script Editor, Reaper exploits a trusted application that is less scrutinized than command-line interfaces. The use of ASCII art padding ensures the malicious code remains hidden from casual inspection, relying on user trust in the familiar interface of macOS applications.

Why Does Crypto Wallet Targeting Matter?

The inclusion of cryptocurrency wallet targeting in Reaper’s arsenal highlights the financial motivations driving this malware campaign. The script searches for several desktop cryptocurrency tools including Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, and Trezor Suite. If it finds any, it injects the wallet with malware to ensure continued funds theft.

This capability is particularly dangerous because it allows attackers to maintain access to stolen assets over time. By injecting malware directly into the wallet applications, Reaper ensures that even if the initial compromise is discovered and remediated, the attacker can continue to siphon funds from the compromised wallets. This persistence mechanism transforms a one-time theft into an ongoing revenue stream for the threat actors.

The focus on desktop wallets rather than just browser extensions or mobile apps suggests that Reaper targets users who manage significant assets through dedicated software. These users often store larger amounts of cryptocurrency and may have higher security expectations, making them valuable targets for sophisticated malware like Reaper. The theft of these keys can lead to irreversible financial loss for victims.

Furthermore, the ability to decrypt credentials using scraped login details adds another layer of complexity to the attack. Password managers often rely on master passwords to protect stored data. By obtaining these master passwords through deception, Reaper can unlock all associated accounts, including banking information and private keys. This comprehensive access amplifies the impact of the initial compromise significantly.

The targeting of specific wallet applications also indicates a level of sophistication in the malware’s development. Threat actors have likely researched which wallets are popular among macOS users and tailored their injection techniques to work with those specific environments. This precision increases the success rate of the attack and reduces the likelihood of detection by generic antivirus solutions.

How Does Reaper Establish Persistence?

To ensure long-term access to infected devices, Reaper employs a sophisticated backdoor mechanism that mimics legitimate system processes. It creates a directory structure designed to mimic Google Software Update: ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/. This path is chosen because it is associated with a trusted application, reducing the likelihood of scrutiny by users or security tools.

The LaunchAgent executes the target script GoogleUpdate every 60 seconds. The script functions as a beacon, sending system details to the C2’s /api/bot/heartbeat endpoint. This regular communication ensures that the attacker can monitor the status of the infected machine and maintain control over it. The heartbeat mechanism is crucial for keeping the connection alive and allowing for remote command execution.

If the attacker-controlled server sends a “code” payload, the script decodes it, writes it to a hidden file and executes the code with the users’ privileges before deleting the file. This capability allows malware operators to remotely execute arbitrary commands on the backdoored machine. The deletion of the temporary file helps conceal the execution from forensic analysis.

This backdoor gives the malware operators more ways to steal data or pivot to other malicious installs after the initial compromise. By maintaining persistent access, attackers can expand their reach within the victim’s network or extract additional sensitive information over time. The ability to execute code with user privileges means that Reaper can perform actions that would otherwise require manual intervention by the victim.

The use of a hidden file for executing payloads is a common technique in malware development but remains effective because it bypasses many standard monitoring tools. Forensic investigators must look specifically for these temporary files and analyze their contents to understand the full scope of the attack. The regular deletion of these files complicates this process, requiring real-time monitoring or memory analysis to detect.

What Are the Implications for macOS Security?

The emergence of Reaper underscores the need for enhanced security measures on macOS platforms. While Apple has implemented various protections against terminal-based attacks, malware like Reaper exploits alternative vectors such as Script Editor to bypass these defenses. This highlights a gap in current security strategies that relies too heavily on monitoring command-line interfaces.

Users must remain vigilant regarding the sources of software they install and the legitimacy of installer websites. The use of typo-squatting domains by attackers demonstrates how easily trust can be manipulated. Even seemingly reputable tools like WeChat or Miro can be used as bait for malicious downloads. Verifying URLs and checking digital signatures are essential practices to mitigate this risk.

Security professionals should also consider the implications of cryptocurrency wallet targeting in malware campaigns. The injection of malware into desktop wallets requires specialized knowledge and development effort, indicating that threat actors are increasingly focused on high-value financial assets. This trend suggests that future attacks may become more targeted and sophisticated as criminals seek greater returns.

For organizations managing macOS devices, implementing strict application whitelisting and monitoring for unusual activity in Script Editor or hidden directories is crucial. The ability of Reaper to mimic Google Software Update structures means that standard file monitoring tools may miss the backdoor unless specifically configured to look for anomalies in trusted paths.

The broader context of malware evolution on macOS includes other threats such as those targeting developer secrets via fake installers, similar to issues seen with Firefox updates and security patches. This pattern of exploiting user trust in legitimate software distributions is a persistent challenge for the industry. Continuous education and robust technical controls are necessary to address these evolving threats.

Ultimately, the Reaper stealer represents a significant threat to macOS users due to its ability to bypass traditional defenses, steal valuable financial data, and maintain persistent access. Understanding its mechanics is essential for both individual users and security professionals to develop effective countermeasures. The complexity of the attack requires a multi-layered defense strategy that goes beyond simple antivirus protection.

Conclusion

The Reaper stealer malware exemplifies the growing sophistication of threats targeting macOS users. By leveraging Script Editor, spoofing trusted domains, and injecting cryptocurrency wallets, it achieves comprehensive data theft while maintaining persistent access through a sophisticated backdoor. The attack’s reliance on social engineering and technical evasion techniques highlights the need for heightened awareness and robust security practices.

Users must verify software sources carefully and monitor their systems for unusual activity, particularly in trusted applications like Script Editor or Google-related directories. Security professionals should update detection rules to account for these new vectors and consider the financial implications of crypto wallet targeting in malware campaigns. The evolving landscape of macOS threats demands continuous adaptation and vigilance from all stakeholders.

As threat actors continue to refine their methods, the industry must respond with equally advanced defenses. The success of Reaper underscores the importance of not just protecting against known vulnerabilities but also anticipating new attack vectors that exploit user trust and system complexity. Only through proactive measures can macOS users safeguard their data and financial assets against such sophisticated adversaries.

What's Your Reaction?

Like Like 0
Dislike Dislike 0
Love Love 0
Funny Funny 0
Wow Wow 0
Sad Sad 0
Angry Angry 0
Christopher Holloway

Christopher Holloway is the founder and director of Progressive Robot, a UK-based technology company. A full-stack engineer with more than two decades of experience, he works across PHP development, ecommerce, Linux infrastructure, technical SEO and AI automation, and writes here on technology, AI, hardware and software.

Comments (0)

User