Trezor A.I CyberSecurity Scoring
Trezor
Company Information
Website: https://trezor.io
Employees number: 195
Number of followers: 14,194
NAICS:
Industry Type: Consumer Electronics
Homepage: trezor.io
Trezor Risk Score (AI oriented)
Between 650 and 699
Trezor, Consumer Electronics
Updated: 10/06/2026
670/1000
Weak
B
Trezor Global Score (TPRM)
Trezor, Consumer Electronics
Score locked
Current Score
670 B (WEAK) on a 0 to 1000 scale
5 incidents
-19 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 669
MAY 2026: 686
Cyber Attack
01 May 2026 • Trezor
Google, Ledger Live and Trezor Suite: Reaper macOS Infostealer Abuses Script Editor to Steal Crypto and Passwords
macOS Users Targeted by Reaper Malware Campaign Using Fake App Downloads
667
CRITICAL-19
BLETREGOO1780669490
A new malware campaign is targeting macOS users with an updated version of the SHub Stealer, dubbed Reaper, which masquerades as trusted software brands to steal files and cryptocurrency assets. Researchers at SentinelOne first identified the threat, with Moonlock later uncovering additional details on its distribution tactics.
The attack leverages a refined ClickFix technique that bypasses Apple's recent security updates in macOS Tahoe 26.4, which restricted malicious Terminal commands. Instead of relying on Terminal, the malware uses applescript:// links to automatically open macOS Script Editor, where the malicious code is hidden beneath ASCII art and excessive whitespace, rendering it invisible unless the user scrolls down manually. When executed, the script triggers a fake Apple security update prompt that tricks users into entering their system password.
The campaign begins on typosquatted domains, such as mlcrosoft.co.com, impersonating legitimate software like WeChat and Miro. Once installed, Reaper checks the victim's keyboard language, shutting down if it is set to Russian, before activating its data-stealing module, which is modeled after Atomic macOS Stealer (AMOS).
The malware targets documents, PDFs, spreadsheets, and cryptocurrency-related files (e.g., .wallet, .keys), compressing them into 70MB ZIP chunks and exfiltrating them to a command-and-control server at hebsbsbzjsjshduxbs.xyz/gate/chunk. It also steals browser passwords (Chrome, Firefox, Edge) and crypto wallet extensions (1Password, MetaMask), and modifies desktop wallet apps (Ledger Live, Trezor Suite, Exodus) to divert funds. A fake Google Software Update directory is created to maintain persistent backdoor access.
This marks the third campaign in two months using this automated distribution method, signaling an escalating threat to macOS users.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
APRIL 2026: 686
MARCH 2026: 684
FEBRUARY 2026: 701
Cyber Attack
17 Feb 2026 • Trezor
Trezor: Clickfix Variant ‘Matryoshka’ Deployed To Steal Data From macOS Systems
New 'Matryoshka' Variant of ClickFix Campaign Targets macOS Users with Advanced Evasion Tactics
682
CRITICAL-19
TRE1771316775
A recently uncovered evolution of the ClickFix social engineering campaign, dubbed Matryoshka, employs nested obfuscation techniques to compromise macOS systems. The attack combines typosquatting, fileless execution, and API-gated communication to evade detection while stealing sensitive data, including passwords and cryptocurrency wallet credentials.
### Infection Chain & Attack Flow
The campaign begins with typosquatting, where attackers register domains mimicking legitimate sites (e.g., comparisions[.]org instead of comparisons.org). Victims redirected to these fake sites encounter a prompt instructing them to copy and paste a malicious Terminal command, bypassing traditional malware delivery methods.
Once executed, the attack unfolds in three stages:
1. Clipboard Injection (Stage 0): The pasted command fetches a rogue shell script (rogue.sh) from an external server, which decodes and decompresses a base64-encoded payload in memory, avoiding disk-based detection.
2. In-Memory Decode & Decompression (Stage 1): The payload is executed without being written to disk, further reducing visibility to security tools.
3. API-Gated Loader (Stage 2): The malware loader communicates with a command-and-control (C2) server (barbermoo[.]xyz) using a custom header (api-key: 5190ef17…) to mask its activity, and suppresses output to evade monitoring.
### Payload Objectives
The final payload deploys an AppleScript designed to:
- Steal passwords via a fake "System Preferences" phishing dialog if automated credential capture fails.
- Target cryptocurrency wallets (e.g., Trezor Suite, Ledger Live) by either replacing the application or tampering with its files to bypass integrity checks.
Stolen data is staged in /tmp/osalogging.zip before exfiltration to the attacker’s server.
### Detection & Artifacts
While Matryoshka’s fileless execution complicates detection, security teams can monitor for:
- Suspicious network activity (e.g., connections to barbermoo[.]xyz or macfilesendstream[.]com).
- Unexpected AppleScript executions (osascript).
- Unauthorized modifications to crypto wallet applications or staging files in /tmp/.
### Key Indicators
- C2 Domain: barbermoo[.]xyz
- Typosquatting Domain: comparisions[.]org
- SHA-256 Hashes:
- 62ca9538889b767b1c3b93e76a32fb4469a2486cb3ccb5fb5fa8beb2dd0c2b90 (sample)
- d675bff1b895b1a231c86ace9d7a39d5704e84c4bc015525b2a9c80c39158338 (rogue.sh)
- 48770b6493f2b9b9e1d9bdbf482ed981e709bd03e53885ff992121af16f76a09 (inner loader)
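The detection guidance and indicators above can be turned into a simple host-log check. The following Python script is an added example written for this page, not tooling from Trezor or from the researchers who published the report: it scans constructed, labelled sample log lines for the Matryoshka C2 and typosquatting domains (including subdomains of them), the three published SHA-256 hashes, the /tmp/osalogging.zip staging file, and osascript process executions. The log format, host names and timestamps are invented for the example.

```python
import re

# Indicators quoted from the Matryoshka writeup (the page defangs domains with [.]).
IOC_DOMAINS = {"barbermoo.xyz", "comparisions.org", "macfilesendstream.com"}
ROGUE_SH_SHA256 = "d675bff1b895b1a231c86ace9d7a39d5704e84c4bc015525b2a9c80c39158338"
IOC_SHA256 = {
    "62ca9538889b767b1c3b93e76a32fb4469a2486cb3ccb5fb5fa8beb2dd0c2b90",  # sample
    ROGUE_SH_SHA256,                                                     # rogue.sh
    "48770b6493f2b9b9e1d9bdbf482ed981e709bd03e53885ff992121af16f76a09",  # inner loader
}
STAGING_PATH = "/tmp/osalogging.zip"

# A dotted hostname, not preceded or followed by word characters, dots or dashes.
DOMAIN_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
# osascript as a whole token, either bare or at the end of a path like /usr/bin/osascript.
OSASCRIPT_RE = re.compile(r"(?:^|[\s/])osascript(?:\s|$)")


def refang(text):
    """Undo common defanging so indicators copied from a report still match."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def scan_line(line):
    """Return a list of (indicator_kind, matched_value) pairs found in one log line."""
    hits = []
    text = refang(line)
    for m in DOMAIN_RE.finditer(text):
        domain = m.group(1).lower()
        # Exact C2/typosquat domain, or any subdomain of one.
        if domain in IOC_DOMAINS or any(domain.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(("c2_domain", domain))
    for m in SHA256_RE.finditer(text):
        digest = m.group(0).lower()
        if digest in IOC_SHA256:
            hits.append(("known_hash", digest))
    if STAGING_PATH in text:
        hits.append(("staging_file", STAGING_PATH))
    if OSASCRIPT_RE.search(text):
        hits.append(("osascript_exec", "osascript"))
    return hits


def scan_log(lines):
    """Scan every line; return (line_number, indicator_kind, value) triples in order."""
    findings = []
    for number, line in enumerate(lines, 1):
        for kind, value in scan_line(line):
            findings.append((number, kind, value))
    return findings


# Constructed sample log: an assumed key=value event format from a fictional endpoint agent.
# Lines 1-5 carry one indicator each; lines 6-7 are benign (the legitimate comparisons.org
# and a hash that is not on the list) and must not fire.
SAMPLE_LOG = [
    "2026-02-17T10:01:02Z dns query host=mac-07 qname=comparisions.org",
    "2026-02-17T10:01:09Z proc exec host=mac-07 user=alice image=/usr/bin/osascript ppid=812",
    "2026-02-17T10:01:15Z file hash host=mac-07 path=/private/tmp/rogue.sh sha256=" + ROGUE_SH_SHA256,
    "2026-02-17T10:02:40Z file create host=mac-07 path=/tmp/osalogging.zip size=3211",
    "2026-02-17T10:02:55Z dns query host=mac-07 qname=api.macfilesendstream.com",
    "2026-02-17T10:03:00Z dns query host=mac-12 qname=comparisons.org",
    "2026-02-17T10:03:30Z file hash host=mac-12 path=/Applications/Trezor Suite.app sha256=" + "0" * 64,
]

if __name__ == "__main__":
    for number, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {number}: {kind} -> {value}")
```

The subdomain check matters because C2 traffic frequently uses a host under the registered domain; the benign line for comparisons.org shows that a plain substring match on the typosquat would be wrong in the other direction. Hash matching is only useful for the exact published samples, so in practice the domain, osascript and staging-file checks carry most of the detection value.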
The Matryoshka variant underscores the growing sophistication of macOS-targeted attacks, combining social engineering with advanced evasion techniques to bypass traditional defenses.
JANUARY 2026: 700
DECEMBER 2025: 699
NOVEMBER 2025: 697
OCTOBER 2025: 713
Cyber Attack
01 Oct 2025 • Trezor
Ledger and Trezor: New SilabRAT Trojan Hijacks Sessions to Steal Crypto
SilabRAT: A Stealthy Crypto-Draining Malware Emerges as MaaS
694
CRITICAL-19
TRETHE1781108679
A new remote access trojan (RAT), SilabRAT, has surfaced on dark web forums. It is designed to bypass passwords and multi-factor authentication (MFA) by hijacking active user sessions to drain cryptocurrency. First advertised in late 2025 by a Russian-speaking threat actor known as o1oo1, the malware is offered as a malware-as-a-service (MaaS) for $5,000 per month. Buyers, who often distribute it via email spam and ClickFix lures, have reported high success rates, with over 90% of infected machines remaining online during month-long campaigns.
SilabRAT evades detection by disguising itself as HijackLoader, a known packer, rather than its true payload. Its standout features include:
- Hidden Virtual Network Computing (HVNC): Operators control infected machines without visible windows or cursor movement, making activity appear as legitimate user sessions.
- Browser-Profile Cloning: The malware copies entire browser profiles, including extensions, storage, and device fingerprints, to an attacker's system, allowing stolen sessions to persist even after logouts. A Target.dll module ensures the cloned profile loads seamlessly on the victim's device.
The malware’s primary goal is cryptocurrency theft. A background module scans for wallets upon infection, attempting to crack passwords using credentials harvested from the victim’s browser. It bypasses Chrome’s App-Bound Encryption via a COM-elevation technique and includes a clipboard clipper to swap wallet addresses mid-transaction. Additional capabilities include:
- Keystroke logging and clipboard monitoring
- Remote desktop access via TightVNC
- A UAC bypass previously used by LockBit and BlackMatter
- Persistence through registry keys or scheduled tasks
Group-IB, which analyzed the threat, warns that SilabRAT’s developer plans to expand its reach by injecting code into Electron-based wallet apps, such as Ledger Live and Trezor Suite. While traditional defenses like MFA and patching can help, the malware’s session-hijacking tactics allow it to bypass even secured logins.
SEPTEMBER 2025: 713
AUGUST 2025: 713
JULY 2025: 712
APRIL 2025: 727
Cyber Attack
01 Apr 2025 • Trezor
Mozilla, GitHub, Brave Software, Ledger, Trezor and Opera: BoryptGrab Malware Abuses GitHub to Steal Browser and Crypto Wallet Data
New Windows Stealer 'BoryptGrab' Spreads via Fake GitHub Repositories in Large-Scale Campaign
707
CRITICAL-20
THEBRATREMOZGITOPE1773066485
A sophisticated malware campaign is distributing BoryptGrab, a Windows information stealer, through fake GitHub repositories masquerading as free tools, game cheats, and cracked software. The operation, active since at least April 2025, leverages SEO-optimized README files to rank malicious repositories near legitimate projects in search results, tricking users into downloading infected ZIP archives.
### How the Attack Works
Attackers have created over 100 public GitHub repositories advertising enticing but fake software, including:
- "Voicemod Pro download tool"
- "Valorant performance boost"
- "CS2 skin changers"
- Cracked utilities and cheat-style tools
Victims are redirected through GitHub-hosted pages containing Russian-language comments and base64/AES-based URL redirection logic, ultimately landing on a fake GitHub download page that dynamically generates a malicious ZIP file.
### Infection Chain & Malware Capabilities
Once executed, the malware employs multiple infection vectors:
- DLL side-loading (via a malicious `libcurl.dll` that decrypts an embedded launcher using XOR + AES-CBC).
- VBS/PowerShell downloaders that bypass security controls (e.g., adding Microsoft Defender exclusions) and fetch the BoryptGrab stealer from attacker-controlled servers.
- Golang-based downloader (HeaconLoad), which persists via Run-key registry entries and scheduled tasks, beaconing to command-and-control (C2) servers on port 8088.
- TunnesshClient, a PyInstaller-packed backdoor that establishes reverse SSH tunnels, allowing attackers to execute commands, exfiltrate files, or use the victim as a SOCKS5 proxy.
Some variants also deliver obfuscated Vidar stealer payloads via an `/api/custom_exe?build={BUILD_NAME}` endpoint, using XOR encryption and dynamic API resolution to evade detection.
### What BoryptGrab Steals
The C/C++-based stealer includes anti-VM and anti-analysis checks and targets:
- Browser data (Chrome, Edge, Firefox, Opera, Brave, Vivaldi, Yandex, etc.), including stored passwords (bypassing Chrome’s App-Bound Encryption).
- Cryptocurrency wallets (Exodus, Electrum, Ledger Live, Atomic, Binance, Trezor, and dozens more).
- System details, screenshots, Telegram data, and Discord tokens.
- Files with specific extensions (via a "Filegraber" module).
- Installed applications and hardcoded timestamps.
Collected data is compressed and exfiltrated to attacker servers, often followed by the deployment of TunnesshClient for persistent remote access.
### Attribution & Infrastructure
- Russian-language comments and log strings in malware components, along with Russian-hosted IP addresses, suggest a Russian-speaking threat actor, though formal attribution remains unconfirmed.
- C2 servers communicate over ports 5466 and 8088, with build names (e.g., Shrek, Leon, CryptoByte, Sonic, Yaropolk) used to track infection branches.
The campaign demonstrates a mature, evolving ecosystem, combining SEO poisoning, multi-stage downloaders, and SSH-based backdoors to maximize persistence and data theft.
APRIL 2022: 756
Breach
01 Apr 2022 • Trezor
Trezor
Phishing Attack on Trezor Hardware Wallet Users
698
CRITICAL-58
TRE03728522
Trezor, a hardware cryptocurrency wallet vendor, was targeted in a phishing attack in which emails were sent through one of its opt-in newsletters hosted at MailChimp.
The compromised Trezor hardware wallet mailing list was used to send fake data breach notifications designed to steal cryptocurrency wallets and the assets stored within them.
Trezor hardware wallet owners began receiving data breach notifications prompting them to download a fake Trezor Suite application that would steal their recovery seeds.
MailChimp confirmed that its service had been compromised by an "insider" targeting cryptocurrency companies.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Trezor?
What was Trezor's A.I Rankiteo Cyber Score in May 2026?
What was Trezor's A.I Rankiteo Cyber Score in April 2026?
What was Trezor's A.I Rankiteo Cyber Score in March 2026?
What was Trezor's A.I Rankiteo Cyber Score in February 2026?
What was Trezor's A.I Rankiteo Cyber Score in January 2026?
What was Trezor's A.I Rankiteo Cyber Score in December 2025?
What was Trezor's A.I Rankiteo Cyber Score in November 2025?
What was Trezor's A.I Rankiteo Cyber Score in October 2025?
What was Trezor's A.I Rankiteo Cyber Score in September 2025?
What was Trezor's A.I Rankiteo Cyber Score in August 2025?
What was Trezor's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Trezor's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Trezor?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Trezor's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?