
New Mac malware Reaper steals crypto via AppleScript

A new form of malware known as Reaper is targeting macOS users. It spreads through fake download pages for apps like WeChat and Miro. Once installed, it steals data from crypto wallets and saved browser passwords.

Reaper is a more advanced version of an earlier trick, in which victims were talked into pasting malicious commands into Terminal. Apple fixed that vulnerability in a recent macOS update, but Reaper works around the fix by abusing a different built-in Apple tool.

The fake download sites use an applescript:// URL to trigger Apple’s Script Editor. The malicious code is hidden from view: attackers pad the script with ASCII art and whitespace so the payload is not visible in the editor window. If a user clicks the play button in Script Editor, they unknowingly run the hidden commands.

How Script Editor becomes a weak link

Script Editor comes preinstalled on every Mac, and most users do not associate it with malware. The attack starts on fake domains that look real. Security researchers found infrastructure hosted on typosquatted Microsoft domains; one example is mlcrosoft[.]co[.]com.

After the script runs, a fake Apple security update dialog appears. It asks for the victim’s computer password. Reaper then checks the system’s keyboard layout. If the keyboard is set for Russian, the malware stops. If not, it activates.
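Two of the signals described above, a payload concealed behind ASCII art and whitespace, and a dialog that collects a password as a hidden answer, can be checked for mechanically before a script is ever run. The heuristic scanner below is an added example for this article, not code from the article, from Moonlock or from Microsoft. The thresholds, the two sample scripts and the placeholder `echo` command are constructed for the example; real tooling would tune them against a corpus of known-good scripts.

```python
import re
from dataclasses import dataclass, field

# "do shell script" is how AppleScript hands a command to the shell; a dialog
# "with hidden answer" masks the typed text the way a password field does.
SHELL_RE = re.compile(r"\bdo shell script\b", re.IGNORECASE)
HIDDEN_PROMPT_RE = re.compile(r"\bdisplay dialog\b.*\bwith hidden answer\b", re.IGNORECASE)


@dataclass
class ScanResult:
    total_lines: int
    code_lines: int
    padding_ratio: float          # share of lines that are blank or comment-only
    max_blank_run: int            # longest run of consecutive blank lines
    max_leading_whitespace: int   # widest indentation in front of a code line
    shell_exec: bool              # script shells out via "do shell script"
    hidden_password_prompt: bool  # dialog asks for a hidden (masked) answer
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def classify_lines(text):
    """Label each line 'blank', 'comment' or 'code' (handles --, # and (* ... *) comments)."""
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if in_block:
            if "*)" in stripped:
                in_block = False
            yield "comment", line
        elif not stripped:
            yield "blank", line
        elif stripped.startswith(("--", "#")):
            yield "comment", line
        elif stripped.startswith("(*"):
            in_block = "*)" not in stripped
            yield "comment", line
        else:
            yield "code", line


def scan_applescript(text, padding_threshold=0.8, blank_run_threshold=40, indent_threshold=120):
    """Flag scripts whose shell call is buried in padding, or that collect a masked answer."""
    kinds = list(classify_lines(text))
    code = [line for kind, line in kinds if kind == "code"]
    run = max_run = 0
    for kind, _ in kinds:
        run = run + 1 if kind == "blank" else 0
        max_run = max(max_run, run)
    max_indent = max((len(l) - len(l.lstrip()) for l in code), default=0)
    padding_ratio = 1.0 - len(code) / len(kinds) if kinds else 0.0
    code_text = "\n".join(code)
    shell_exec = bool(SHELL_RE.search(code_text))
    hidden_prompt = bool(HIDDEN_PROMPT_RE.search(code_text))

    reasons = []
    if shell_exec and padding_ratio >= padding_threshold:
        reasons.append(f"shell call buried in padding ({padding_ratio:.0%} non-code lines)")
    if shell_exec and max_run >= blank_run_threshold:
        reasons.append(f"{max_run} consecutive blank lines before code")
    if shell_exec and max_indent >= indent_threshold:
        reasons.append(f"code pushed {max_indent} columns to the right")
    if hidden_prompt:
        reasons.append("dialog collects a hidden (password-style) answer")
    return ScanResult(len(kinds), len(code), padding_ratio, max_run, max_indent,
                      shell_exec, hidden_prompt, reasons)


# Constructed sample, not a real Reaper script: an ASCII-art banner, a wall of
# blank lines, a harmless shell call pushed far to the right, and a masked prompt.
SAMPLE_OBFUSCATED = "\n".join(
    ["-- " + "#" * 40] * 5
    + ["-- WeChat installer: press Run to continue"]
    + [""] * 120
    + [" " * 300 + 'do shell script "echo constructed-placeholder"']
    + ['display dialog "Apple security update requires your password" '
       'default answer "" with hidden answer']
)

# Constructed benign script for comparison.
SAMPLE_BENIGN = "\n".join([
    "-- Open the Desktop folder",
    'tell application "Finder"',
    '    open folder "Desktop" of home',
    "end tell",
])

if __name__ == "__main__":
    for name, sample in (("obfuscated", SAMPLE_OBFUSCATED), ("benign", SAMPLE_BENIGN)):
        result = scan_applescript(sample)
        print(name, "suspicious" if result.suspicious else "clean", result.reasons)
```

The scanner deliberately ties the padding signals to the presence of a shell call: a long banner comment on its own is common in legitimate scripts, whereas a shell call that only becomes visible after scrolling past a hundred blank lines is not. A masked-answer dialog is reported on its own, because a script obtained from a download page has no legitimate reason to ask for the account password.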

Fake WeChat code opens in Script Editor as part of the deception.

Which wallets and data are targeted

Reaper targets desktop crypto applications. These include Ledger Live, Trezor Suite, and Exodus. The malware modifies the internal code of crypto wallets. This lets it intercept future transactions and redirect funds.

The stealer also harvests saved credentials from Chrome, Firefox, and Edge. It pulls data from browser extensions like 1Password and MetaMask. Files with extensions like .docx, .pdf, .xlsx, .wallet, and .keys are also targeted. These files, found in Desktop and Documents folders, get compressed into 70MB ZIP chunks and uploaded to an external command-and-control server.

For persistent access, Reaper installs a backdoor disguised as a Google Software Update directory.
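The article does not say where the disguised directory lives or how the backdoor is started, so the triage below is an added example rather than a description of Reaper's mechanism. It assumes the common macOS pattern of a launchd agent plist pointing at the executable, and it assumes a known-good allow-list of where the genuine Google updater is installed, which a defender would populate from a clean baseline machine. Both plists, the label `com.google.software.update`, the home directory and the look-alike path are constructed for the example.

```python
import plistlib

# Assumed known-good install locations for the genuine updater, keyed by a
# vendor token found in labels or paths. Populate from a clean baseline.
KNOWN_GOOD = {
    "google": (
        "/Library/Google/GoogleSoftwareUpdate/",
        "~/Library/Google/GoogleSoftwareUpdate/",
    ),
}


def executable_of(plist):
    """Return the program launchd would run, or None if the plist names nothing."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def triage_launch_item(plist_bytes, home="/Users/alice"):
    """Return a list of findings (empty means nothing to flag) for one launchd plist."""
    plist = plistlib.loads(plist_bytes)
    label = str(plist.get("Label", "")).lower()
    exe = executable_of(plist)
    if exe is None:
        return ["no Program or ProgramArguments: launchd item has nothing to run"]
    findings = []
    allowed = [p.replace("~", home, 1) for ps in KNOWN_GOOD.values() for p in ps]
    in_allowlist = any(exe.startswith(p) for p in allowed)
    # Rule 1: vendor-branded label or path, but executable outside the vendor's location.
    for vendor, prefixes in KNOWN_GOOD.items():
        if vendor in label or vendor in exe.lower():
            good = [p.replace("~", home, 1) for p in prefixes]
            if not any(exe.startswith(p) for p in good):
                findings.append(f"{vendor}-branded item runs from outside its known location: {exe}")
    # Rule 2: auto-starting executable in a user-writable path not covered by the baseline.
    if exe.startswith(home + "/") and not in_allowlist and plist.get("RunAtLoad"):
        findings.append(f"auto-start item in user-writable path: {exe}")
    return findings


# Constructed plist resembling a genuine per-user updater agent.
GENUINE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed look-alike: vendor-style label, executable somewhere else entirely.
LOOKALIKE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.software.update</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/Google Software Update/updater</string>
    <string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("genuine", GENUINE_PLIST), ("lookalike", LOOKALIKE_PLIST)):
        print(name, triage_launch_item(blob) or ["clean"])
```

On a real machine the same function would be run over every file in the user's and system LaunchAgents and LaunchDaemons folders, with the allow-list extended to each vendor whose updater is expected to be present; anything that borrows a vendor's name but runs from Application Support or another user-writable directory is worth a closer look.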

Recent trends and broader campaigns

Reaper is the third campaign in about two months to use this automated AppleScript approach, according to an analysis by security firm Moonlock. Microsoft’s Defender Security Research Team also documented related campaigns, which involved fake macOS troubleshooting guides on Medium, Craft, and Squarespace. Cryptopolitan previously reported on this.

Those earlier campaigns used the same ClickFix method. They delivered AMOS, Macsync, and SHub Stealer through Terminal commands. Genuine wallet apps were deleted and replaced with malicious versions.

Users should double-check download links before installing anything new. If a pop-up unexpectedly asks for your Mac password, do not enter it. A good security tool can catch obfuscated scripts before they cause damage. If a website ever tells you to open Script Editor, close the tab.
