macOS infostealer spoofs Apple, Google and Microsoft in a single attack.

Just because you use macOS does not mean you are off cybercriminals’ radar. One particularly clever new threat, a variant of an already well-known and dangerous password stealer, has been found to change disguises at every stage of the infection chain. Security researchers have now warned that it uses a payload hosted on a typo-squatted Microsoft domain, is delivered as an Apple security update, and even adds persistence to the exploit mix via a spoofed Google Software Update directory. Here’s what you need to know about the latest SHub Reaper multi-stage attack chain.

The Latest SHub Reaper macOS Password Stealer Dissected

While Microsoft is stealing the security limelight for all the wrong reasons right now, with an actively exploited Exchange Server zero-day confirmed and an angry Windows hacker dropping more exploits at a rate of knots, macOS users should not be complacent.

While there are fewer active security threats facing users who have adopted an Apple ecosystem rather than a Microsoft one, that by no means implies that there are none. Examples range from the Atomic macOS Stealer, replete with an embedded backdoor, to the Infiniti Stealer targeting passwords and bringing the ClickFix threat to the Mac.
Now you can add another macOS “stealer” to the mix in the shape of SHub Reaper. It has traditionally also used the ClickFix commands-to-Terminal technique but, according to a May 18 analysis from SentinelOne research engineer Phil Stokes, this new variant “uses a delivery mechanism that bypasses Terminal entirely and sidesteps Apple’s Tahoe 26.4 mitigation for those attack flows.”

Reaper uses fake WeChat and Miro installers as lures, Stokes confirmed, “but what stands out is the way the infection chain shifts its disguise at each stage.” This latest Reaper malware build also demonstrates that the criminal operators behind the SHub infostealer threat are “extending their malware beyond straightforward credential and wallet theft,” Stokes warned in the detailed and highly technical report. “Alongside an AMOS-style Filegrabber and chunked uploads,” Stokes said, “the variant also installs a persistent backdoor, giving the operators more ways to steal data or pivot to other malicious installs after the initial compromise.”

But most importantly of all, macOS users need to be aware of how the SHub Reaper threat actors are employing that infection chain by layering familiar brands across multiple stages of the same single attack. “A fake WeChat or Miro installer, delivery from a typo-squatted Microsoft domain, execution disguised as an Apple security update, and persistence hidden in a fake Google Software Update path,” are all employed, Stokes confirmed.

If you don’t want your password and other data stolen by SHub Reaper, then you are advised not to run scripts or installers from untrusted sites, don’t take the “security update is needed so click here” bait, check to ensure the URLs of sites you visit are the real deal rather than close copies, and only use the Mac App Store rather than clicking through from social media or email.