
Reaper Malware Blog

Security intelligence at the carrier and identity layer — SIM swap detection, breach monitoring, wallet risk, and threat intelligence via REST API and MCP.

If Your Mac Runs Ledger, MetaMask, or Exodus, Reaper Is Coming for Your Wallet

A new macOS infostealer called Reaper is targeting crypto users through fake download pages for apps like WeChat and Miro. It's the third campaign of its kind in under two months. If you use a hardware or software wallet on a Mac, this is active right now.

The Attack Starts With a Domain That Looks Real

Reaper spreads through typosquatted domains: fake websites with names close enough to legitimate ones that most users don't notice the difference. One confirmed example: mlcrosoft[.]co[.]com. You search for WeChat or Miro, find a result that looks plausible, and click download.

From there the attack is unlike anything your antivirus is watching for.

Why Apple's Terminal Protection Doesn't Stop It

Most macOS malware tries to run code through Terminal, and Apple has built progressively stronger warnings around that. Reaper bypasses them entirely by using Script Editor instead.

The attack uses an applescript:// URL scheme to open Apple's own Script Editor application with malicious code pre-loaded. The code is hidden using ASCII art and whitespace formatting. It looks like a blank screen to a casual glance. The user sees a play button. They click it. The attack runs.

No Terminal. No scary permission dialogs. Just a play button in what looks like a developer tool.
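As an added example (not part of the original post), here is a small Python checker a mail or web gateway could run over captured lure HTML: it pulls the script body out of any applescript:// link and flags payloads pushed out of view by leading blank lines or deep indentation, which is the whitespace trick described above. The link shape com.apple.scripteditor?action=new&script=... and the sample HTML are my assumptions and constructed input, not artefacts from the campaign.

```python
"""Scan captured lure HTML for applescript:// Script Editor links and flag whitespace-hidden payloads."""
import html
import re
from urllib.parse import parse_qs, quote, urlparse

# Assumed link shape (not from the page): applescript://com.apple.scripteditor?action=new&script=<url-encoded AppleScript>
APPLESCRIPT_LINK = re.compile(r'applescript://[^\s"\'<>]+', re.IGNORECASE)

# Characters that make up blank space and ASCII-art "drawing"; a line of only these shows nothing meaningful.
ART_CHARS = set(" \t|/\\_-=+*#.:'`^~<>()[]{}")

# Constructed sample: a benign one-liner pushed 30 rows down and 60 columns right, the way the page
# describes the real payload being hidden so the editor window looks empty at a glance.
HIDDEN_SCRIPT = "\n" * 30 + " " * 60 + 'display dialog "demo"'
SAMPLE_HTML = ('<a href="applescript://com.apple.scripteditor?action=new&amp;script='
               + quote(HIDDEN_SCRIPT) + '">Download WeChat</a>')


def extract_scripts(page_html):
    """Return the decoded script body of every applescript:// link found in the HTML."""
    scripts = []
    for link in APPLESCRIPT_LINK.findall(page_html):
        query = parse_qs(urlparse(html.unescape(link)).query)  # parse_qs also percent-decodes
        scripts.extend(query.get("script", []))
    return scripts


def is_padding(line):
    """True for an empty line or one made only of whitespace and drawing characters."""
    return all(ch in ART_CHARS for ch in line)


def analyse(script, max_row=25, max_col=40, max_pad_ratio=0.8):
    """Locate the first real code line and measure how much of the script is visual padding."""
    lines = script.splitlines()
    code = [(row, line) for row, line in enumerate(lines) if not is_padding(line)]
    total = sum(len(line) for line in lines) or 1
    code_chars = sum(len(line.strip()) for _, line in code)
    pad_ratio = 1 - code_chars / total
    first_row = code[0][0] if code else None
    first_col = len(code[0][1]) - len(code[0][1].lstrip()) if code else None
    suspicious = bool(code) and (first_row >= max_row or first_col >= max_col or pad_ratio >= max_pad_ratio)
    return {"first_row": first_row, "first_col": first_col,
            "pad_ratio": round(pad_ratio, 2), "suspicious": suspicious}


if __name__ == "__main__":
    for body in extract_scripts(SAMPLE_HTML):
        print(analyse(body))
```

Any applescript:// link on a software download page is already worth blocking; the row, column and padding figures simply make the "looks blank" part of the lure visible in a log line.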

What Gets Stolen

Once executed, Reaper goes after everything:

Crypto wallets and apps:
- Ledger Live
- Trezor Suite
- Exodus
- MetaMask browser extension

Browser credentials:
- Saved passwords in Chrome, Firefox, and Edge
- 1Password browser extension

Documents:
- Every .wallet, .keys, .pdf, .docx, and .xlsx file in your Desktop and Documents folders, compressed into 70 MB chunks and exfiltrated silently

Persistence: Reaper installs a backdoor disguised as a "Google Software Update" directory. It survives reboots. It survives app reinstalls. It stays until you find it and remove it.

A fraudulent Apple security update dialog captures your macOS password for good measure. By the time Reaper is done, the attacker has your wallet files, your browser credentials, your documents, and your system password.

The Kill-Switch That Tells You Who's Behind It

Reaper includes one revealing detail: if your keyboard is set to Russian, the malware stops and exits cleanly. This is a standard precaution among Eastern European cybercrime groups, who avoid infecting victims in their own countries to stay clear of local prosecution. It doesn't confirm attribution, but it narrows the geography considerably.

Three Times in Two Months

This is the third campaign in under 60 days to use the same automated AppleScript approach against macOS crypto users. The tooling is being refined and redeployed. The infrastructure rotates through new typosquatted domains and new fake app lures, but the core mechanism is the same.

The campaign isn't slowing down.

What RelayShield Catches

Two detection points in this attack chain:

Domain lookalike monitoring flags typosquatted domains mimicking your software vendors. Registrations in the style of mlcrosoft[.]co[.]com appear in domain databases within hours of being registered, before most users encounter them. If a domain mimicking WeChat, Miro, Ledger, or any of your monitored software appears, you get an alert.
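An added example, not RelayShield's code, of the lookalike check described above: it folds common confusable characters (so mlcrosoft compares equal to microsoft) and measures edit distance against a monitored brand list, accepting defanged input. The brand list and the substitution table are my assumptions.

```python
"""Flag registered domains whose labels imitate monitored brand names (homoglyph and edit-distance checks)."""

# Brands to monitor: constructed list built from the software the page names plus the mlcrosoft example.
BRANDS = ["microsoft", "wechat", "miro", "ledger", "trezor", "exodus", "metamask"]

# Common look-alike substitutions. mlcrosoft[.]co[.]com swaps the i in microsoft for an l.
CONFUSABLE_CHARS = str.maketrans("l10", "iio")
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}


def normalize(label):
    """Fold confusable characters so 'mlcrosoft' and 'microsoft' compare equal."""
    label = label.lower()
    for pair, replacement in CONFUSABLE_PAIRS.items():
        label = label.replace(pair, replacement)
    return label.translate(CONFUSABLE_CHARS)


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_matches(domain, brands=BRANDS, allowlist=(), max_distance=1):
    """Return (label, brand, reason) for each label of `domain` that imitates a monitored brand.
    Defanged input is accepted; allowlisted domains (ones you own) are never flagged."""
    clean = domain.replace("[.]", ".").lower().strip(".")
    if clean in allowlist:
        return []
    hits = []
    for label in clean.split("."):
        norm = normalize(label)
        for brand in brands:
            nbrand = normalize(brand)  # compare both sides in folded form
            if label == brand:
                hits.append((label, brand, "exact"))         # brand name outside your own domains
            elif norm == nbrand:
                hits.append((label, brand, "homoglyph"))     # differs only by confusable characters
            elif len(brand) >= 5 and levenshtein(norm, nbrand) <= max_distance:
                hits.append((label, brand, "edit-distance"))  # one typo away; short brands skipped for noise
            elif len(brand) >= 5 and nbrand in norm:
                hits.append((label, brand, "embedded"))      # e.g. ledger-live-update
    return hits
```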

Infostealer monitoring flags your email addresses and wallet addresses the moment they appear in underground credential markets, typically within hours of a successful infection. That's your response window: rotate credentials, revoke sessions, and move funds to a clean wallet before the attacker acts on what they've stolen.

What to Do Right Now

Whether or not you've been hit:

- Only download apps from the official App Store or the developer's verified website. Bookmark the real URLs now.
- Search your Mac for a folder called "Google Software Update" in unexpected locations. Legitimate Google updaters live in /Library/Google/, not elsewhere. An unexpected instance is Reaper's backdoor.
- Check your active browser sessions: Google, MetaMask, and exchange accounts should reflect only devices you recognise.
- Move crypto to a hardware wallet: if it's currently in a software wallet on a compromised or potentially compromised machine, do this from a clean device.
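The folder search from the second step, as an added Python example that is not from the post: it lists every updater-named directory outside the legitimate roots and then checks launchd plists for jobs that start a program inside one, which is how a "survives reboots" backdoor is usually wired up. The search roots, the ~/Library/Google/ per-user location and the sample plist are my assumptions and constructed input.

```python
"""Hunt for 'Google Software Update' directories outside a legitimate Google updater's home and
check launchd plists for jobs pointing into them (the part of the backdoor that survives reboots)."""
import os
import plistlib

UPDATE_DIR_NAMES = {"google software update", "googlesoftwareupdate"}  # names the backdoor borrows

# The page names /Library/Google/ as the legitimate home; the per-user copy under ~/Library/Google/
# is Google's standard per-user install (my assumption, not stated on the page).
LEGITIMATE_ROOTS = ("/Library/Google/", os.path.expanduser("~/Library/Google/"))
SEARCH_ROOTS = ("/Applications", "/Library", "/Users", "/private/tmp", "/opt")  # assumed starting points
LAUNCHD_DIRS = ("/Library/LaunchAgents", "/Library/LaunchDaemons",
                os.path.expanduser("~/Library/LaunchAgents"))

# Constructed sample: a launchd job whose program lives in an updater-named directory in a home folder.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Users/alice/.local/Google Software Update/updater</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""


def classify_dirs(paths, allowed_roots=LEGITIMATE_ROOTS):
    """Split updater-named directories into (expected, unexpected) by whether they sit under an allowed root."""
    expected, unexpected = [], []
    for path in paths:
        if os.path.basename(path.rstrip("/")).lower() not in UPDATE_DIR_NAMES:
            continue  # not an updater-named directory at all
        (expected if path.startswith(allowed_roots) else unexpected).append(path)
    return expected, unexpected


def plist_mentions(plist_bytes, suspicious_dir):
    """True if a launchd plist's Program or ProgramArguments point inside `suspicious_dir`."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        return False  # unreadable or not a plist: no evidence either way
    targets = [data.get("Program", "")] + list(data.get("ProgramArguments", []))
    return any(str(t).startswith(suspicious_dir.rstrip("/") + "/") for t in targets)


def hunt():
    """Walk SEARCH_ROOTS; map each unexpected updater directory to the launchd plists referencing it."""
    found = []
    for root in SEARCH_ROOTS:
        for dirpath, dirnames, _ in os.walk(root, onerror=lambda e: None):
            found.extend(os.path.join(dirpath, d) for d in dirnames if d.lower() in UPDATE_DIR_NAMES)
    plists = [os.path.join(d, f) for d in LAUNCHD_DIRS if os.path.isdir(d)
              for f in os.listdir(d) if f.endswith(".plist")]
    return {bad: [p for p in plists if plist_mentions(open(p, "rb").read(), bad)]
            for bad in classify_dirs(found)[1]}
```

Run `hunt()` from a terminal on the suspect Mac; an empty dictionary means no updater-named directory outside the allowed roots, while a non-empty one lists each unexpected directory with the launchd jobs that would relaunch it after a reboot.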

If you're a Crypto Shield subscriber, your infostealer monitoring is already running. Any credential exposure from this campaign that hits known databases will trigger an alert automatically.

RelayShield Crypto Shield monitors your wallets across Ethereum, Base, Polygon, Arbitrum, Optimism, Solana, and TON, your email addresses against breach and infostealer databases, and incoming transactions for address poisoning and honeypot risk. Alerts via Telegram — no app, no dashboard.

[Start monitoring → @RelayShield_bot | Full Crypto Shield → crypto.relayshield.net]

Source: Cryptopolitan