Reaper changes tactics by shifting execution into Apple’s Script Editor, sidestepping the protections Apple recently introduced to curb Terminal-based attacks. The end goal, however, remains credential theft, wallet compromise, and persistent access.
“The SHub Reaper variant represents a noteworthy evolution in macOS infostealers by shifting away from common social engineering tactics that require victims to manually paste commands into the Terminal,” said Jason Soroko, senior fellow at Sectigo. “This approach lowers the technical barrier for an infection and demonstrates a strategic pivot towards abusing native application handlers rather than relying purely on user error.”
Fake Apple updates run hidden AppleScript
The attack begins with users lured onto malicious websites displaying fake Apple security alerts. The pages then initiate a ClickFix workflow by instructing users to launch a supposed fix through the Script Editor instead of the Terminal.
Rather than getting the user to copy and paste shell commands as before, Reaper now abuses the applescript:// URI handler to pre-populate malicious AppleScript inside Script Editor. The victim is then socially engineered, through the ClickFix lure, into running the script themselves.
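A detection heuristic for this Script Editor variant, added here as an illustration and not part of the original article or any vendor's product: once the victim runs the pre-populated script, a `do shell script` call makes Script Editor spawn `sh` (and typically `curl` beneath it), so flagging shell or download processes descending from Script Editor shortly after it starts catches the technique regardless of how the script got into the editor. The process events, field names and time window are constructed assumptions, not real macOS telemetry.

```python
"""Flag Script Editor instances that spawn shells or downloaders (ClickFix footprint).

Constructed EDR-style process events; the ProcEvent fields are assumptions, not a
real macOS log schema. Map real telemetry (e.g. Endpoint Security exec events) to them.
"""
from collections import defaultdict
from dataclasses import dataclass

SUSPICIOUS_DESCENDANTS = {"sh", "bash", "zsh", "curl", "osascript"}
SCRIPT_EDITOR = "Script Editor"


@dataclass(frozen=True)
class ProcEvent:
    ts: float   # process start time in seconds (constructed)
    pid: int
    ppid: int
    name: str   # executable / app name


def _descendants(pid, children):
    """Depth-first walk over the process tree rooted at pid (excluding pid itself)."""
    stack = list(children[pid])
    while stack:
        child = stack.pop()
        yield child
        stack.extend(children[child.pid])


def script_editor_shell_chains(events, window=60.0):
    """Return sorted (editor_pid, descendant_pid, name) triples for suspicious processes
    descending from Script Editor that started within `window` seconds of it."""
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    hits = []
    for editor in (e for e in events if e.name == SCRIPT_EDITOR):
        for d in _descendants(editor.pid, children):
            if d.name in SUSPICIOUS_DESCENDANTS and 0 <= d.ts - editor.ts <= window:
                hits.append((editor.pid, d.pid, d.name))
    return sorted(hits)


# Constructed sample: Script Editor is opened by LaunchServices (parent launchd, pid 1)
# after a browser visit, then runs a script whose `do shell script` pulls a second stage.
SAMPLE_EVENTS = [
    ProcEvent(1000.0, 300, 1, "Safari"),
    ProcEvent(1005.0, 400, 1, SCRIPT_EDITOR),
    ProcEvent(1012.0, 401, 400, "sh"),       # spawned by `do shell script`
    ProcEvent(1012.5, 402, 401, "curl"),     # grandchild fetching a payload
    ProcEvent(1020.0, 500, 1, "Terminal"),
    ProcEvent(1021.0, 501, 500, "zsh"),      # ordinary interactive shell, not flagged
]

if __name__ == "__main__":
    for hit in script_editor_shell_chains(SAMPLE_EVENTS):
        print("suspicious Script Editor descendant:", hit)
```

Developers who genuinely script with `do shell script` will trigger this, so pair it with the preceding browser activity or a URL-open event from your telemetry before alerting.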