← back to blog
Threat Intel

The “Macs Don't Get Viruses” Era Is Over

0x3 Security — macOS malware and the end of the ‘Macs are safe’ era

For a long time the smug Mac user was right. Windows took the heat for malware; Macs were "safe." It was even sort of true — not because macOS was unbreakable, but because attackers couldn't be bothered to target a small market share when Windows sat there with the vast majority. That math has changed, and in 2026 it's not even close.

The market shifted — and so did the threat actors

Macs are everywhere now. Executives use them, developers love them, crypto users prefer them, agencies run on them. That means high-value credentials, source-code repos, signing certificates, and seed phrases increasingly sit on macOS endpoints — and threat actors followed the money. The result is a thriving macOS malware ecosystem that didn't exist five years ago: AMOS (Atomic Stealer), Shamos, MacSync, Odyssey, and the SHub family are all actively iterating, all targeting Macs, and all run like a business — because they are one.

The new playbook: SHub Reaper

The latest example is a SHub Stealer variant called Reaper, documented by SentinelOne in May 2026. It matters not because it's exotic, but because it shows how mature the macOS attack chain has become:

  • Delivery: fake WeChat or Miro installers, hosted on typo-squatted Microsoft domains (e.g. mlcrosoft.co.com).
  • Execution: instead of the older "paste this into Terminal" ClickFix trick, Reaper uses the applescript:// URL scheme to launch Script Editor pre-loaded with the payload — sidestepping Apple's Tahoe 26.4 mitigations for Terminal-based attacks.
  • Disguise: the execution screen masquerades as an Apple security update (referencing XProtectRemediator). Looks legit. Isn't.
  • Persistence: a fake Google Software Update LaunchAgent (com.google.keystone.agent.plist) that beacons the C2 every 60 seconds and pulls down whatever the attacker wants next.
  • What it steals: browser credentials, Keychain entries, iCloud data, Telegram sessions, developer config files (where API keys hide), and crypto wallets — Exodus, Atomic, Ledger Live, Electrum, Trezor Suite.

The kicker: it doesn't just steal wallet data — it downloads a modified application core and replaces certain wallet apps with trojanized versions that re-steal seed phrases. A telling detail: Reaper checks for a Russian/CIS keyboard and exits immediately if it finds one — the classic tell of Russian-speaking operators. One infection. Three impersonated brands. Apple, Google, and Microsoft, all spoofed in a single chain.

What this means for SMBs

If your business has Macs — and most do, even if it's the founder's laptop and a couple of designers — you can no longer rely on "Macs are safe."

  • Gatekeeper, notarization, and XProtect are not your security program. They protect against unsigned apps launched through Finder. They do nothing once a user pastes a command, clicks an applescript:// link, or runs a payload disguised as an "update."
  • Apple's defenses are reactive. XProtect signatures update, but attackers iterate weekly. Reaper exists because Apple closed the Terminal flow in Tahoe 26.4 — the attackers moved one layer over.
  • Your EDR coverage on macOS is probably weaker than on Windows. Most SMBs tune their EDR for Windows; Mac telemetry runs on defaults. That 60-second LaunchAgent beacon needs someone watching.
  • Crypto holders and developers are highest-value. Wallet seed phrases, GitHub tokens, AWS keys in shell history, signed certs in Keychain — if anyone touches that on a Mac, they're on the target list.

What actually helps

  • Monitor for AppleScript and osascript execution — especially anything launched from Script Editor with no legitimate developer context.
  • Audit LaunchAgents regularly. A fake com.google.keystone.agent.plist from a user who never installed Chrome is a giant red flag.
  • Watch outbound traffic from Script Editor and unusual /tmp/ activity.
  • Lock down installation paths — App Store and direct-from-developer only. No "paste this into Terminal" support article will ever come from Apple.
  • Get your Mac fleet pentested. Most agencies test Windows and skip the Macs — exactly the gap attackers want.

The bottom line

The Mac isn't a security feature anymore. It's just an endpoint — and the people writing malware figured that out two years before most SMBs did. If your security strategy still has "the founders use Macs so we're fine" in it somewhere, retire that line. The attackers already have.

Most agencies pentest Windows and skip the Macs. That's exactly the gap attackers want. We test your Mac fleet — AppleScript abuse, LaunchAgents, and the telemetry nobody's watching.

References & further reading

  1. SentinelOne (May 2026) — SHub Reaper: macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain.
  2. BleepingComputer (May 2026) — SHub macOS infostealer variant spoofs Apple security updates.
  3. Datadog Security Labs (Feb 2026) — SHub Stealer v2.0 / ClickFix / AppleScript payload structure.
  4. Microsoft Security Blog (May 2026) — ClickFix campaign analysis (MacSync, SHub, AMOS).
$ ./read_next
Threat Intel

One AI Tool Breached Vercel: The OAuth Supply-Chain Risk Hiding in Your SMB

It wasn't a zero-day. An employee connected a third-party AI tool to their Google Workspace, and attackers rode that OAuth grant into Vercel's internal systems.