SHub Reaper macOS infostealer variant
Malware Activity
Summary
Hide ▲
Show ▼
The SHub Reaper macOS infostealer now uses AppleScript and a fake Apple security update lure to infect Macs, raising the risk of credential theft and remote access. It steals browser data, crypto wallet information, and sensitive files from compromised systems while hiding its payload behind a malicious installer flow. The malware also installs LaunchAgent persistence, which can keep attacker access alive after execution.
Related Happenings
QuimaRAT cross-platform Java MaaS remote access trojan
Malware Activity
H score29
First: 06.07.2026 11:13
Last: 06.07.2026 11:13
Sources 1
About this happening:
A new **QuimaRAT** **MaaS** offering expands cross-platform malware risk by packaging a modular **Java-based RAT** for **Windows, Linux, and macOS**. The activity matters because...
QuimaRAT cross-platform Java MaaS remote access trojan
Malware ActivityAbout this happening: A new **QuimaRAT** **MaaS** offering expands cross-platform malware risk by packaging a modular **Java-based RAT** for **Windows, Linux, and macOS**. The activity matters because...
Trojanized Pyrogram forks with hidden Telegram backdoor
Malware Activity
H score14
First: 01.07.2026 00:02
Last: 01.07.2026 00:02
Sources 1
About this happening:
Trojanized **Pyrogram** forks on **PyPI** now ship a hidden backdoor that gives attackers remote command execution and file access on compromised **Telegram bot servers**. The mal...
Trojanized Pyrogram forks with hidden Telegram backdoor
Malware ActivityAbout this happening: Trojanized **Pyrogram** forks on **PyPI** now ship a hidden backdoor that gives attackers remote command execution and file access on compromised **Telegram bot servers**. The mal...
StegoAd malicious Edge extension operation
Malware Activity
H score19
First: 29.06.2026 11:32
Last: 29.06.2026 11:32
Sources 1
About this happening:
The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
StegoAd malicious Edge extension operation
Malware ActivityAbout this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
TonRAT Node.js implant with TON blockchain C2
Malware Activity
H score24
First: 26.06.2026 12:27
Last: 26.06.2026 12:27
Sources 1
About this happening:
**TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
TonRAT Node.js implant with TON blockchain C2
Malware ActivityAbout this happening: **TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
MacOS.Gaslight AI-analysis evasion malware
Malware Activity
H score22
First: 25.06.2026 19:23
Last: 25.06.2026 19:23
Sources 1
About this happening:
The **macOS.Gaslight** malware family now embeds **prompt injection strings** and fake system-failure messages to confuse **AI-assisted malware analysis** tools, risking aborted o...
MacOS.Gaslight AI-analysis evasion malware
Malware ActivityAbout this happening: The **macOS.Gaslight** malware family now embeds **prompt injection strings** and fake system-failure messages to confuse **AI-assisted malware analysis** tools, risking aborted o...
Timeline
-
19.05.2026 00:42 2 articles · 1mo ago
SentinelOne identifies SHub Reaper macOS infostealer
Initial DisclosureSentinelOne identified Reaper, a new SHub macOS infostealer variant that uses an applescript:// URL scheme to open Script Editor with malicious AppleScript, shows a fake Apple security update referencing XProtectRemediator, steals browser data and crypto wallets, targets iCloud, Telegram, and developer files, grabs sensitive files from Desktop and Documents, installs LaunchAgent persistence, and can extend access with remote payload execution; the lure uses fake WeChat and Miro installers and the malware exits on systems with Russian keyboard/input.
Show sources
- SHub macOS infostealer variant spoofs Apple security updates — www.bleepingcomputer.com — 19.05.2026 00:42
- SHub macOS infostealer variant spoofs Apple security updates — www.bleepingcomputer.com — 19.05.2026 00:42