ClickFix Without a Terminal
ClickFix as a pattern has always been about converting a browser visit into a local execution event. The runtime is incidental. On Windows the runtime has usually been PowerShell or the Run dialog, reached through the clipboard. On macOS the runtime in earlier campaigns was the Terminal, reached through a prompt that told the user to paste a command into it. When Apple's macOS Tahoe 26.4 release added mitigations focused on that path, SentinelOne's reporting shows the operators adapting rather than retreating.
The new variant they document, SHub Reaper, uses the `applescript://` URL scheme to launch macOS Script Editor with malicious AppleScript already loaded into the window. The script is padded above with ASCII art and fake installer text so the malicious command sits below the visible portion of the editor. The user is asked to press Run. The hidden block then fetches a remote AppleScript and executes it. There is no Terminal step in the visible chain, and no shell prompt for the user to find unusual.
The lure layer is also tuned for trust. SentinelOne's report describes typo-squatted Microsoft domains serving fake WeChat and Miro installers, an execution stage disguised as an Apple security update, and persistence concealed under a fake Google Software Update path. Three trusted brands, three different roles in the chain, and one operator behind all of them.
What the Stealer Wants
The stealer targets the most monetizable surfaces on a personal Mac. The published list spans the major browsers, including Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Orion. It targets cryptocurrency wallet browser extensions like MetaMask and Phantom, password manager browser extensions like 1Password, Bitwarden, and LastPass, and desktop wallet applications such as Exodus, Atomic Wallet, Ledger Live, Electrum, and Trezor Suite. After the steal, a persistent backdoor is installed for follow-on access.
The browser and extension list matters because it tells defenders where compromise lands. The cookies, autofill entries, and stored credentials in those browsers are the same identity material that enterprise users carry to work email, SaaS apps, and identity providers. The wallet list matters for the crypto-finance crowd specifically; the password manager extension list matters for everyone else. A successful infection here is not only an account takeover risk for the target, but a session and grant exposure for any service whose cookies live in the affected browser.
Why the Pivot Is Notable
It would be tempting to read the AppleScript route as a niche variation on ClickFix. It is more useful to read it as evidence about what the pattern actually is. ClickFix is the procedural recruitment of the user as the execution engine for the attacker's code. The terminal, the Run dialog, and now the Script Editor are interchangeable parts of the user-as-engine pattern. What stays constant is the procedural shape: a browser context, an instruction to press something local, a script the user neither reads nor recognizes, and an execution event the user experiences as solving a problem the browser said they had.
When platforms harden one path, the pattern moves to the next. macOS Tahoe 26.4's mitigations made the Terminal route less reliable, and the operators picked the most lifelike local runtime that remained. That choice is the part defenders should generalize. A Windows-fleet detection that only watches for browser-to-PowerShell behavior will miss the macOS variant. A macOS-fleet detection built around Terminal launches will miss the Reaper variant. The useful detection target is the procedural chain, not the runtime in fashion this quarter.
Detection Surfaces on macOS
Endpoint visibility on macOS for this chain has a few useful anchors. The first is the launch of Script Editor (`/System/Applications/Utilities/Script Editor.app`) shortly after a browser visit, particularly when the launch is preceded by an `applescript://` URL handler invocation. Few users open Script Editor from a browser link in normal life, and pairing the launch event with a recent browser navigation gives high-fidelity context. EDR products that surface URL-scheme handler activity, parent-process information for app launches, and outbound network activity from `osascript` are the building blocks.
The second is the `osascript` process tree. A genuine workflow that calls `osascript` is usually invoked by another script, by an administrative tool, or by an automation framework. An `osascript` event that is parented by Script Editor and is reaching out to the public internet to retrieve and run more AppleScript is a far more unusual shape, and worth surfacing.
The third is persistence telemetry. The Reaper variant uses a fake Google Software Update path for persistence per SentinelOne's report. A managed estate has a known set of legitimate auto-update mechanisms; new launch agents, login items, or property-list files claiming to be Google's updater on devices that do not have Google's software installed are the kind of anomaly that earns a look.
A clean detection writeup will tie those three anchors into one chain. Browser activity precedes a Script Editor launch via a URL scheme, `osascript` is the executing process, and a persistence artifact appears under a brand identity that does not match the installed software inventory. That sequence is what the Reaper variant looks like in events; the building blocks already exist on managed Macs.
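One way to express that chain as detection logic over endpoint telemetry, as an added example that is not code from the article or from SentinelOne's report. It assumes a generic event shape (kind, acting process, pid, parent pid, detail), constructed sample events, and takes the osascript-under-Script-Editor parentage and the Google-updater naming from the three anchors above as working assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SCRIPT_EDITOR = "/System/Applications/Utilities/Script Editor.app"
BROWSERS = {"Safari", "Google Chrome", "Firefox", "Brave Browser", "Microsoft Edge", "Arc"}
# Assumed name fragments a persistence item posing as Google's updater would carry.
UPDATER_MARKERS = ("GoogleSoftwareUpdate", "com.google.keystone")

@dataclass
class Event:
    ts: datetime
    kind: str          # url_open | proc_start | net_conn | persist_write
    proc: str = ""     # acting process name
    pid: int = 0
    ppid: int = 0
    detail: str = ""   # URL, executable path, remote endpoint, or plist path

def find_chain(events, installed_apps, window=timedelta(minutes=5)):
    """Return the chain stages matched, in time order, from the supplied telemetry."""
    stages, url_open, editor_pids, osa_pids = [], None, set(), set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "url_open" and e.proc in BROWSERS and e.detail.lower().startswith("applescript:"):
            url_open = e
            stages.append("url")            # anchor 1a: browser handed off an applescript:// URL
        elif e.kind == "proc_start" and e.detail.startswith(SCRIPT_EDITOR):
            if url_open and e.ts - url_open.ts <= window:
                editor_pids.add(e.pid)
                stages.append("editor")     # anchor 1b: Script Editor launched right after it
        elif e.kind == "proc_start" and e.proc == "osascript" and e.ppid in editor_pids:
            osa_pids.add(e.pid)
            stages.append("osascript")      # anchor 2: osascript parented by Script Editor
        elif e.kind == "net_conn" and e.pid in osa_pids:
            stages.append("net")            # anchor 2: that osascript reaching the internet
        elif e.kind == "persist_write" and any(m in e.detail for m in UPDATER_MARKERS):
            if not any("Google" in app for app in installed_apps):
                stages.append("persist")    # anchor 3: Google-branded persistence, no Google software
    return stages
T0 = datetime(2025, 1, 1, 10, 0, 0)
SAMPLE = [  # constructed events; PIDs, host and paths are illustrative only
    Event(T0, "url_open", "Safari", 401, 1, "applescript://placeholder-not-a-real-payload"),
    Event(T0 + timedelta(seconds=3), "proc_start", "Script Editor", 502, 1, SCRIPT_EDITOR + "/Contents/MacOS/Script Editor"),
    Event(T0 + timedelta(seconds=30), "proc_start", "osascript", 503, 502, "/usr/bin/osascript"),
    Event(T0 + timedelta(seconds=31), "net_conn", "osascript", 503, 502, "203.0.113.10:443"),
    Event(T0 + timedelta(seconds=40), "persist_write", "osascript", 503, 502,
          "/Users/demo/Library/LaunchAgents/com.google.keystone.agent.plist"),
]

if __name__ == "__main__":
    print(find_chain(SAMPLE, ["Safari", "Slack", "Microsoft Word"]))
```

Each stage only fires once the earlier anchor it depends on has been seen, so a lone `osascript` or a Google-named plist on a Mac that actually runs Chrome does not light up the whole chain.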
Validation and Awareness
The validation question for red teams is not whether a macOS endpoint can be made to run AppleScript. It can. The useful exercises are whether the EDR detects an `applescript://`-triggered Script Editor launch with content fetched at runtime, whether the persistence mechanism leaves a signal that ties back to the original browser visit, and whether the response process recognizes that the malware family is portable across browsers and lures.
The awareness question for users is harder than it was. "Do not paste into Terminal" is a workable rule. "Do not press Run in Script Editor when a website asks you to" is a rule, but one that asks users to recognize an application most have never opened. The honest framing is that any time a website asks you to run something on your computer to continue, the website is asking for code execution, regardless of which window opens. ClickFix's only consistent feature is the procedural ask. Teaching people to recognize the ask, not the runtime, is the part of awareness that survives the next platform mitigation.