
A new macOS malware called Reaper spreads by disguising itself as fake download pages for WeChat and Miro, triggering the system’s built-in script editor and hiding malicious code. Reaper targets desktop crypto wallets such as Ledger Live, Trezor Suite, and Exodus, modifying wallet-internal code to intercept future transactions and redirect funds.
Reaper’s Attack Mechanism: The Script Editor Replaces the Terminal

Reaper’s distinguishing technique is leveraging the pre-installed Script Editor rather than the Terminal (recent macOS updates from Apple have patched the Terminal-related vulnerabilities). The attack flow: a fake download website uses an applescript:// URL to open Script Editor with malicious code preloaded; the code is hidden using ASCII characters and spaces; after the user clicks the play button, the script runs; immediately afterward, a forged Apple security update dialog appears, prompting the user to enter the computer password.
Before stealing data, Reaper checks the system keyboard layout: if it is set to Russian, the malware stops running; otherwise, it launches a data-stealing module that mimics Atomic macOS Stealer (AMOS). Security researchers also found typo-squatted fake Microsoft domains (mlcrosoft[.]co[.]com) in the infrastructure.
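The "hidden using ASCII characters and spaces" detail above is the kind of obfuscation a script-inspecting tool can flag before the user presses play. The following scanner is an added example, not code from the article or from the malware authors; it assumes the hiding works by pushing the payload off-screen behind long whitespace runs or invisible Unicode, and the thresholds and sample scripts are constructed for illustration.

```python
"""Heuristic scanner for AppleScript text whose payload is hidden from view.

Added example (not from the article). Assumption: the visible part of the
script is padded with long whitespace runs or invisible code points so the
real statements sit off-screen in Script Editor. PAD_RUN is a guess.
"""
import re
import unicodedata

# Invisible code points that render as nothing but survive copy/paste.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# A whitespace run this long pushes what follows beyond a normal window width.
PAD_RUN = 80

# Statements that hand control to the shell or collect a password.
RISKY = re.compile(
    r"do shell script|with administrator privileges|"
    r"display dialog[^\n]*hidden answer|osascript",
    re.IGNORECASE,
)


def scan_script(text: str) -> list[dict]:
    """Return one finding per suspicious line; an empty list means nothing seen."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        reasons = []
        # 1. Content hidden behind a long run of spaces or tabs.
        m = re.search(r"[ \t]{%d,}(\S)" % PAD_RUN, line)
        if m:
            reasons.append(f"payload after {len(m.group(0)) - 1} whitespace chars")
        # 2. Zero-width or other non-printing characters (tab excepted).
        hidden = [c for c in line
                  if c in ZERO_WIDTH
                  or (unicodedata.category(c) in ("Cc", "Cf") and c != "\t")]
        if hidden:
            reasons.append(f"{len(hidden)} invisible character(s)")
        # 3. Risky statements are reported only when combined with hiding,
        #    so ordinary admin scripts do not flood the output.
        risky = RISKY.search(line)
        if reasons and risky:
            reasons.append(f"risky statement: {risky.group(0).strip()!r}")
        if reasons:
            findings.append({"line": lineno, "reasons": reasons})
    return findings


# Constructed samples (not real Reaper code): a benign script and one whose
# second line hides a shell call 300 spaces to the right of the window.
BENIGN = 'tell application "Finder"\n    activate\nend tell\n'
SUSPICIOUS = (
    'display dialog "Installing Miro..."\n'
    + " " * 300
    + 'do shell script "echo placeholder" with administrator privileges\n'
)
INVISIBLE = 'set x to 1\u200b\u200bdo shell script "true"\n'

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS),
                         ("invisible", INVISIBLE)):
        print(name, scan_script(sample))
```

Run it on a `.scpt` exported as text or on the script body a page tries to preload; any finding is a reason to close the tab rather than press play. The rules are deliberately conservative: a long indent alone is flagged, but a shell call is only added to the reasons when it coincides with hiding, which keeps the output focused on the pattern the article describes.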
Attack Targets and Scope of Data Leakage
Reaper’s confirmed attack target scope includes:
Crypto desktop wallets: Ledger Live, Trezor Suite, Exodus (their internal code is modified to intercept transactions)
Browser credentials: passwords stored in Chrome, Firefox, Edge; browser extensions such as 1Password and MetaMask
File types: .docx, .pdf, .xlsx, .wallet, .keys in the Desktop and Documents folders (compressed into 70MB ZIP chunks and uploaded to an external command-and-control server)
Persistence mechanism: a backdoor disguised as a Google software update directory
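Because the wallet attack works by patching files inside an installed application, a file-integrity baseline of the app bundle is a practical way to notice it. The script below is an added example, not code from the article or from any wallet vendor; it assumes a wallet's installed files only change during legitimate updates, and the toy bundle, file names (including app.asar) and tampering are constructed for the demonstration.

```python
"""Integrity baseline for a desktop wallet app bundle.

Added example, not part of the article or any wallet's tooling. Assumption:
the bundle's files are static between legitimate updates, so any modified,
added or removed file since a trusted baseline deserves a look.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def save_manifest(manifest: dict[str, str], out: Path) -> None:
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences; all-empty lists mean the bundle is unchanged."""
    base, cur = set(baseline), set(current)
    return {
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
    }


def demo(tmp=None) -> dict[str, list[str]]:
    """Construct a toy bundle, baseline it, tamper with it, report the diff."""
    if tmp is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(Path(d))
    bundle = tmp / "Wallet.app"            # constructed, not a real app
    res = bundle / "Contents" / "Resources"
    res.mkdir(parents=True)
    (res / "app.asar").write_bytes(b"original wallet code")
    (bundle / "Contents" / "Info.plist").write_text("<plist/>")
    baseline_file = tmp / "baseline.json"
    save_manifest(build_manifest(bundle), baseline_file)
    # Simulated tampering: packaged code patched and an extra file dropped in.
    (res / "app.asar").write_bytes(b"original wallet code + injected hook")
    (res / "extra.js").write_text("// constructed")
    return compare(load_manifest(baseline_file), build_manifest(bundle))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would run `build_manifest` against `/Applications/<Wallet>.app` right after a clean install or update, keep the JSON somewhere the user account cannot rewrite, and re-run `compare` on a schedule; on macOS, `codesign --verify --deep --strict` on the bundle is the native complement, since a patched bundle no longer matches its signature.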
Common Questions
What is Reaper’s infection path?
According to reports from Cryptopolitan and Moonlock, Reaper spreads by posing as fake download pages for WeChat and Miro. The website automatically triggers the system script editor via an AppleScript URL, preloading hidden malicious code into it; after the user clicks the play button in the script editor, the attack executes, followed by a forged Apple security update dialog that tricks the victim into entering the computer password.
How does Reaper modify crypto wallets?
Reaper targets desktop crypto wallet applications such as Ledger Live, Trezor Suite, and Exodus, and modifies their internal program code so that future cryptocurrency transactions are intercepted and redirected to an attacker-controlled address without the victim’s knowledge.
How can macOS users protect themselves from Reaper?
Security experts recommend: verify the source of a download link before installing any new program; never enter the computer password in a pop-up window that appears unexpectedly; if a website prompts you to open Script Editor, close that tab immediately; and use security tools that can intercept obfuscated scripts.