Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Before finishing its initial run, Reaper establishes persistence using a directory structure built to mimic Google’s legitimate Keystone update service. It places a base64-decoded bash script named GoogleUpdate... then registers a LaunchAgent using a property list named com.google.keystone.agent.plist. This causes the script to execute silently every 60 seconds in the background.
This ensures the attacker can remotely execute code on the backdoored machine. If the attacker-controlled server sends a “code” payload, the script decodes it, writes it to a hidden file and executes the code with the user’s privileges before deleting the file.
The team confirmed the campaign is hosted on a typo-squatted Microsoft domain and uses AppleScript to bypass standard detection methods. Once a user is tricked into running the fake installer, the malware uses AppleScript to deliver the initial shell script.
It places a base64-decoded bash script named GoogleUpdate inside ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/, then registers a LaunchAgent... If the server returns a “code” payload, the script decodes it, writes it to /tmp/.c.sh, runs it with the current user’s privileges, and then deletes it.
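The persistence mechanism described above leaves a concrete, checkable artifact on disk: a user LaunchAgent whose label copies Google Keystone but whose job is a bash script under an impostor GoogleUpdate.app path, fired on a 60-second StartInterval. The following detector is an added example, not code from the vendor report or the Mallory page; it parses LaunchAgent plists with the standard library and reports the combination of indicators the excerpt names. The sample plist is constructed for the demo, and the assumptions that Google's genuine agent is not launched as `bash <script>` and does not use a 60-second interval are labelled in the comments.

```python
"""Added example (not from the report or the Mallory page): flag a user LaunchAgent
that imitates Google's Keystone updater the way the Reaper excerpt describes."""
import plistlib
import re
from pathlib import Path

# Indicators taken from the report excerpt: label, script location, start interval.
KEYSTONE_LABEL = "com.google.keystone.agent"
REAPER_PROGRAM = re.compile(
    r"Library/Application Support/Google/GoogleUpdate\.app/Contents/MacOS/GoogleUpdate$"
)
REAPER_INTERVAL = 60  # seconds, per the excerpt
SHELLS = ("bash", "sh", "zsh")

# Constructed sample plist mirroring the described agent (not a real capture).
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string>
    <string>/Users/alice/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate</string>
  </array>
  <key>StartInterval</key><integer>60</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def program_path(agent: dict) -> str:
    """Return what the agent really runs: Program, or the script handed to a shell
    interpreter in ProgramArguments, or the first ProgramArguments entry."""
    if "Program" in agent:
        return str(agent["Program"])
    args = agent.get("ProgramArguments") or []
    if not args:
        return ""
    if Path(args[0]).name in SHELLS and len(args) > 1:
        return str(args[1])
    return str(args[0])


def assess_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return the Reaper-style findings for one LaunchAgent plist (empty list = clean)."""
    agent = plistlib.loads(plist_bytes)
    label = str(agent.get("Label", ""))
    prog = program_path(agent)
    args = agent.get("ProgramArguments") or []
    findings = []
    if label == KEYSTONE_LABEL and REAPER_PROGRAM.search(prog):
        findings.append("keystone_label_with_reaper_program_path")
    # Assumption: the genuine Keystone agent does not poll every 60 seconds.
    if label.startswith("com.google.keystone") and agent.get("StartInterval") == REAPER_INTERVAL:
        findings.append("keystone_label_with_60s_start_interval")
    # Assumption: the genuine Keystone agent is not launched as 'bash <script>'.
    if label.startswith("com.google.keystone") and args and Path(args[0]).name in SHELLS:
        findings.append("keystone_label_runs_shell_script")
    return findings


def scan_user_launch_agents(home: Path = Path.home()) -> dict[str, list[str]]:
    """Walk ~/Library/LaunchAgents and report only the plists with findings."""
    results = {}
    for plist in (home / "Library" / "LaunchAgents").glob("*.plist"):
        try:
            hits = assess_launch_agent(plist.read_bytes())
        except Exception:  # unreadable or malformed plist: skip, do not crash the sweep
            continue
        if hits:
            results[str(plist)] = hits
    return results


if __name__ == "__main__":
    print("sample:", assess_launch_agent(SAMPLE_AGENT))
    for path, hits in scan_user_launch_agents().items():
        print(path, hits)
```

Run it on an endpoint to sweep the current user's LaunchAgents; a hit on the first finding is the strongest signal because it ties the impostor label to the exact script path from the report, while the other two are corroborating heuristics that rest on the labelled assumptions about Google's own agent.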
Researchers said this variant shifts away from standard ClickFix social engineering techniques... and instead uses the applescript:// URL scheme to launch macOS Script Editor with a malicious payload already loaded... Once the user clicks ‘Run’ in Script Editor, the hidden command retrieves the remote AppleScript and executes it.
A victim may encounter a counterfeit installer for a well-known app such as WeChat or Miro, delivered through a typo-squatted domain that impersonates Microsoft infrastructure. The payload is then executed under the guise of an Apple security update, and persistence hides within a directory imitating Google’s own software update system.
If the server returns a “code” payload, the script decodes it, writes it to /tmp/.c.sh , runs it with the current user’s privileges, and then deletes it.
Reaper checks the victim’s local settings by querying the com.apple.HIToolbox.plist file to detect Russian-language input sources. If the host appears to be in a Commonwealth of Independent States region, the malware sends a cis_blocked event to its command and control server and exits.
When wallet applications are present, Reaper hijacks them by terminating their processes and replacing the legitimate core application file with a malicious one called app.asar downloaded from the command-and-control (C2) server.
Upon launch, it prompts the user for their macOS password, which can then be used to access Keychain items, decrypt credentials, and access protected data.
The malicious websites fingerprint the visitor's device... and enumerate installed browser extensions for password managers and cryptocurrency wallets.
Reaper includes a FileGrabber routine that scans the Desktop and Documents folders for files likely to hold business or financial value.
It targets extensions such as .docx, .wallet, .key, .json, and .rdp, along with images under 1MB and documents under 5MB, capping total collection at 100MB.
Files are staged in /tmp/shub_random/ before being split into 10MB chunks and uploaded to the attacker’s server via curl.
The script functions as a beacon, sending system details to the C2’s /api/bot/heartbeat endpoint.
Every time the LaunchAgent fires, the script sends system details to the attacker’s /api/bot/heartbeat endpoint. If the server returns a “code” payload, the script decodes it... Reaper includes a FileGrabber routine... uploaded to the attacker’s server via curl.
Otherwise, it retrieves a second AppleScript containing the core extraction logic and runs it in memory via osascript, never directly touching the local disk. If the server returns a “code” payload, the script decodes it, writes it to /tmp/.c.sh, runs it with the current user’s privileges, and then deletes it.
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
1 source tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.