New SHub Malware Variant 'Reaper' Targets macOS Users with Fake Google Update
Severity: High (Score: 64.5)
Sources: Gbhackers, Cybersecuritynews
Keywords: macos, malware, fake, google, update, persistence, software
Severity indicators: malware
Summary
A new variant of the SHub macOS infostealer, named 'Reaper', has been detected using a fake Google Software Update to maintain persistence on infected systems. This malware targets macOS users by masquerading as legitimate software updates, specifically leveraging trusted brands like Google, WeChat, and Miro to deceive users. The Reaper variant enhances the original SHub's capabilities, including stealthier delivery methods and improved data theft mechanisms. Users may unknowingly install this malware, which can lead to significant data breaches. The infection chain is particularly concerning due to its ability to remain hidden and maintain access over time. Current reports indicate that this threat is actively being observed in the wild, affecting a growing number of macOS devices.
Key Points:
- The 'Reaper' variant of SHub malware uses a fake Google update for persistence.
- It targets macOS users by disguising itself as trusted software updates.
- The malware enhances data theft capabilities and maintains stealthy access.
Detailed Analysis
**Impact**
macOS users are targeted by the Reaper variant of the SHub infostealer; the articles detail no specific sectors or geographies. The malware compromises user data through enhanced theft capabilities and maintains persistence, potentially affecting individual and enterprise users who rely on macOS systems. The business impact includes unauthorized data access and prolonged system compromise due to stealthy persistence mechanisms.
**Technical Details**
Reaper uses fake application installers, previously masquerading as WeChat and Miro, and now installs a fake Google Software Update LaunchAgent for persistence. The attack vector is social engineering through trusted brand impersonation to deliver the malware. No CVEs or specific infrastructure details are provided. The malware operates primarily in the persistence and data exfiltration stages of the kill chain. No IOCs are mentioned in the articles.
**Recommended Response**
Defenders should monitor for suspicious LaunchAgent entries that mimic legitimate software updates, especially those claiming to be Google updates. Endpoint detection rules should focus on identifying fake installers and unauthorized persistence mechanisms on macOS devices. Users must be cautioned against installing software from unverified sources. No patch or CVE mitigation details are available; monitoring and detection are the primary recommended actions.
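The LaunchAgent monitoring step in the recommended response, as an added example that is not from the source articles: a Python scanner that parses LaunchAgent plists and flags Google-branded agents whose program runs from outside the directory where Google's genuine updater is expected to live. The allowlisted directory, the brand keywords and the sample agent definitions are assumptions constructed for the example, not indicators taken from the reports.

```python
import plistlib
from pathlib import Path

# Assumption (tune per fleet): Google's real macOS updater installs under this
# directory name, system-wide (/Library/...) or per user (~/Library/...).
TRUSTED_UPDATER_DIR = "/Library/Google/GoogleSoftwareUpdate/"
BRAND_HINTS = ("google", "keystone", "softwareupdate")
SCRATCH_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")

def launched_program(plist: dict) -> str:
    """Executable a LaunchAgent starts: Program, else ProgramArguments[0]."""
    args = plist.get("ProgramArguments") or []
    return str(plist.get("Program") or (args[0] if args else ""))

def assess(plist: dict) -> list:
    """Reasons a LaunchAgent looks like a fake Google update; [] if not suspicious."""
    program = launched_program(plist)
    branded = " ".join([str(plist.get("Label", "")), program]).lower()
    if not any(hint in branded for hint in BRAND_HINTS):
        return []  # not posing as Google; outside the scope of this check
    if TRUSTED_UPDATER_DIR in program:
        return []  # runs from where the genuine updater is expected to live
    reasons = [f"Google-branded agent runs {program or '<no program>'} "
               f"outside {TRUSTED_UPDATER_DIR}"]
    if program.startswith(SCRATCH_DIRS):
        reasons.append("program lives in a temporary or world-writable directory")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: starts at login and is respawned if killed")
    return reasons

def scan_launch_agents(directory) -> dict:
    """Parse every .plist in a LaunchAgents directory; return {file: reasons} for flagged ones."""
    findings = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            plist = plistlib.loads(path.read_bytes())
        except (plistlib.InvalidFileException, OSError, ValueError) as exc:
            findings[path.name] = [f"unparseable plist: {exc}"]
            continue
        if reasons := assess(plist):
            findings[path.name] = reasons
    return findings

# Constructed sample agents (not real Reaper artefacts) to exercise the checks.
FAKE_GOOGLE_AGENT = {"Label": "com.google.softwareupdate.agent", "RunAtLoad": True, "KeepAlive": True,
                     "ProgramArguments": ["/Users/Shared/.gsu/GoogleSoftwareUpdate", "--silent"]}
REAL_LOOKING_AGENT = {"Label": "com.google.keystone.agent", "RunAtLoad": True, "ProgramArguments":
                      ["/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/agent"]}
UNRELATED_AGENT = {"Label": "com.example.sync", "Program": "/Applications/Sync.app/Contents/MacOS/sync"}
```

Run `scan_launch_agents` against `~/Library/LaunchAgents` and `/Library/LaunchAgents` on each endpoint; any non-empty finding is worth a manual look at the plist and the file it launches.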
Source articles (2)
- macOS Malware Abuses Fake Google Update for Persistence — Gbhackers · 2026-05-19
  A newly observed variant of the SHub macOS infostealer, dubbed “Reaper,” is expanding its capabilities with stealthier delivery, enhanced data theft, and a persistence mechanism disguised as a legitim…
- macOS Malware Installs Fake Google Software Update LaunchAgent for Persistence — Cybersecuritynews · 2026-05-19
  macOS users are facing a new and sophisticated threat as a variant of the SHub infostealer malware, dubbed “Reaper,” has been observed deploying a fake Google Software Update LaunchAgent to maintain p…
Timeline
- 2026-05-19 — Reaper variant detected: The new SHub variant 'Reaper' was identified using a fake Google Software Update to maintain persistence on macOS systems.
- 2026-05-19 — Malware delivery method revealed: The Reaper variant employs fake application installers, including WeChat and Miro, to infect users.
Related entities
- Malware (Attack Type)
- Reaper (Apt Group)
- SHub (Malware)
- T1036 - Masquerading (Mitre Attack)
- T1053 - Scheduled Task/Job (Mitre Attack)
- MacOS (Platform)