{"id":60685,"date":"2026-05-18T23:32:48","date_gmt":"2026-05-18T23:32:48","guid":{"rendered":"https:\/\/www.theregister.com\/a\/5242258"},"modified":"2026-05-18T23:32:48","modified_gmt":"2026-05-18T23:32:48","slug":"do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/","title":{"rendered":"Do fear the Reaper &#8211; stealer swipes macOS users&#8217; passwords, wallets, then backdoors them"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/image.theregister.com\/5242280.jpg?imageId=5242280&amp;x=0&amp;y=0&amp;cropw=100&amp;croph=100&amp;panox=0&amp;panoy=0&amp;panow=100&amp;panoh=100&amp;width=1200&amp;height=683\" class=\"ff-og-image-inserted\"><\/div>\n<div data-element-guid=\"d11159dd-82a3-4c53-901c-d41dec75505c\" readability=\"33.25\">\n<p class=\"kicker \">Security<\/p>\n<p class=\"subtitle \">While also spoofing all the trusted domains &#8211; Apple, Microsoft, and Google &#8211; in the same attack<\/p>\n<\/p><\/div>\n<div data-element-guid=\"4c9dc5d9-c886-4348-bf4a-01d0dc71377d\" readability=\"107.98441427853\">\n<p>A new infostealer variant targets macOS users by spoofing Apple, Microsoft, and Google and then then gets to work searching for victims\u2019 password managers so it can steal all of their credentials and access cryptocurrency wallets such as MetaMask and Phantom.<\/p>\n<p>The updated SHub stealer variant is called Reaper, and it uses macOS Script Editor, pre-populated with the malicious payload to execute the malware, according to SentinelOne research engineer Phil Stokes, who documented the attack in a Monday blog.&nbsp;<\/p>\n<p>But unlike <a href=\"https:\/\/www.jamf.com\/blog\/clickfix-macos-script-editor-atomic-stealer\/\" rel=\"nofollow\">earlier SHub versions<\/a> and similar <a href=\"https:\/\/www.theregister.com\/security\/2026\/04\/21\/macos-clickfix-attacks-deliver-applescript-stealers\/5226728\">macOS stealer campaigns<\/a> that rely on <a href=\"https:\/\/www.theregister.com\/security\/2026\/03\/10\/crooks-compromise-wordpress-sites-spread-infostealers\/5222045\">ClickFix social engineering tactics<\/a> to trick the user into pasting a ScriptEditor command into Apple\u2019s Terminal command-line interface, Reaper bypasses Terminal altogether and therefore defeats defenses Apple added to&nbsp;<a href=\"https:\/\/x.com\/malwarezoo\/status\/2037305551911014760?s=20\" rel=\"nofollow\">Tahoe 26.4<\/a>.<\/p>\n<div data-element-guid=\"afe083ca-6701-48e9-9bd8-f8827dd7fb42\" class=\"lab4 column articleList layout_vertical imageLayout_left small-12 large-4 small-abs-12 large-abs-4 abs_grid_4 desktop-floatLeft mobile-floatLeft grid-vas-start mobile-grid-vas-start\">\n<div class=\"content border_width_0 border_width_mobile_0 border-radius-48 border-radius-mobile_48\">\n<h2 class=\"article-list-title t19 font-RobotoCondensed\">MORE CONTEXT<\/h2>\n<\/p><\/div>\n<\/div>\n<p>The attack starts with fake WeChat and Miro installer websites, hosted on a domain designed to instill trust in users by typo-squatting a Microsoft URL: mlcrosoft[.]co[.]com.&nbsp;<\/p>\n<p>When a user visits these pages, hidden JavaScript collects a ton of information about their system and browser, including IP address, location, WebGL fingerprinting data, and indicators of virtual machines or VPNs. The attack stops if the victim is located in Russia.<\/p>\n<p>Assuming that the machine is located elsewhere and the user clicks on the fake tool installer, they open Apple\u2019s Script Editor app via a sneaky link that\u2019s heavily padded with ASCII art and fake terms to push the malicious command far below the visible portion of the window when it loads.<\/p>\n<p>When the victim clicks \u201cRun\u201d in Script Editor, the hidden command executes the malicious AppleScript and displays a popup message purporting to be a security update for Apple\u2019s XProtectRemediator tool. Instead of updating the security tool, however, it calls a curl command to silently download the shell script and it asks the victim to enter their login details \u2013 which are <a href=\"https:\/\/www.sentinelone.com\/blog\/how-offensive-actors-use-applescript-for-attacking-macos\/\" rel=\"nofollow\">scraped and used to decrypt various credentials<\/a>&nbsp; \u2013 and then displays a fake error message.&nbsp;<\/p>\n<p>Earlier SHub versions harvested users\u2019 browser data, cryptocurrency wallets, developer-related configuration files, macOS Keychain and iCloud account data, and Telegram session data.&nbsp;<\/p>\n<p>Reaper does all of this and more.&nbsp;<\/p>\n<p>It includes a filegrabber that searches for files that contain business or financial info in the user\u2019s Desktop and Document folders. That approach is similar to the document-theft functionality seen in <a href=\"https:\/\/www.sentinelone.com\/blog\/from-amos-to-poseidon-a-soc-teams-guide-to-detecting-macos-atomic-stealers-2024\/\" rel=\"nofollow\">Atomic macOS Stealer<\/a> (AMOS).&nbsp;<\/p>\n<p>The script also searches for several desktop cryptocurrency tools including Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, and Trezor Suite. If it finds any, it injects the wallet with malware to ensure continued funds theft.<\/p>\n<p>And then, to ensure persistence, it backdoors the infected device by creating a directory structure designed to mimic Google Software Update: ~\/Library\/Application Support\/Google\/GoogleUpdate.app\/Contents\/MacOS\/.<\/p>\n<p>\u201cThe LaunchAgent executes the target script GoogleUpdate every 60 seconds,\u201d Stokes explains. \u201cThe script functions as a beacon, sending system details to the C2\u2019s \/api\/bot\/heartbeat endpoint.\u201d<\/p>\n<p>This ensures the attacker can remotely execute code on the backdoored machine. If the attacker-controlled server sends a \u201ccode\u201d payload, the script decodes it, writes it to a hidden file and executes the code with the users\u2019 privileges before deleting the file.<\/p>\n<p>The backdoor gives the malware operators \u201cmore ways to steal data or pivot to other malicious installs after the initial compromise,\u201d the threat hunter warns.&nbsp;<\/p>\n<p>About the only thing it doesn&#8217;t do is implore the band to add <a href=\"https:\/\/www.youtube.com\/watch?v=cVsQLlk-T0s\">more cowbell<\/a>. \u00ae<\/p>\n<\/p><\/div>\n<p><img decoding=\"async\" src=\"https:\/\/image.theregister.com\/?imageId=5242280&#038;width=800\">READ MORE <a href=\"https:\/\/www.theregister.com\/security\/2026\/05\/19\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/5242258\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> While also spoofing all the trusted domains &#8211; Apple, Microsoft, and Google &#8211; in the same attack READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":60686,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[307],"class_list":["post-60685","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-the-register","tag-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Do fear the Reaper - stealer swipes macOS users&#039; passwords, wallets, then backdoors them 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Do fear the Reaper - stealer swipes macOS users&#039; passwords, wallets, then backdoors them 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-18T23:32:48+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/image.theregister.com\/5242280.jpg?imageId=5242280&amp;x=0&amp;y=0&amp;cropw=100&amp;croph=100&amp;panox=0&amp;panoy=0&amp;panow=100&amp;panoh=100&amp;width=1200&amp;height=683\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Do fear the Reaper &#8211; stealer swipes macOS users&#8217; passwords, wallets, then backdoors them\",\"datePublished\":\"2026-05-18T23:32:48+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\\\/\"},\"wordCount\":607,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them.jpg\",\"keywords\":[\"Security\"],\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\\\/\",\"name\":\"Do fear the Reaper - stealer swipes macOS users' passwords, wallets, then backdoors them 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them.jpg\",\"datePublished\":\"2026-05-18T23:32:48+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them.jpg\",\"width\":100,\"height\":65},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/security\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Do fear the Reaper &#8211; stealer swipes macOS users&#8217; passwords, wallets, then backdoors them\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Do fear the Reaper - stealer swipes macOS users' passwords, wallets, then backdoors them 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/","og_locale":"en_US","og_type":"article","og_title":"Do fear the Reaper - stealer swipes macOS users' passwords, wallets, then backdoors them 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-05-18T23:32:48+00:00","og_image":[{"url":"https:\/\/image.theregister.com\/5242280.jpg?imageId=5242280&amp;x=0&amp;y=0&amp;cropw=100&amp;croph=100&amp;panox=0&amp;panoy=0&amp;panow=100&amp;panoh=100&amp;width=1200&amp;height=683","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Do fear the Reaper &#8211; stealer swipes macOS users&#8217; passwords, wallets, then backdoors them","datePublished":"2026-05-18T23:32:48+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/"},"wordCount":607,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/05\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them.jpg","keywords":["Security"],"articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/","url":"https:\/\/www.threatshub.org\/blog\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/","name":"Do fear the Reaper - stealer swipes macOS users' passwords, wallets, then backdoors them 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/05\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them.jpg","datePublished":"2026-05-18T23:32:48+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/05\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/05\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them.jpg","width":100,"height":65},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Security","item":"https:\/\/www.threatshub.org\/blog\/tag\/security\/"},{"@type":"ListItem","position":3,"name":"Do fear the Reaper &#8211; stealer swipes macOS users&#8217; passwords, wallets, then backdoors them"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60685","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60685"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60685\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/60686"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60685"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60685"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60685"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}