macOS Reaper Malware: Crypto Wallet Stealer via Script Editor & How to Protect Yourself

2026-06-09


The Reaper malware is posing a new threat to macOS users, especially those active in the crypto world. It is macOS data-theft malware that uses a built-in application called Script Editor to steal sensitive information and drain crypto wallets such as MetaMask, Ledger, Trezor, and Exodus. Many call it an evolution of Atomic macOS Stealer (AMOS).

Key Takeaways

  • Reaper malware is a macOS info stealer that leverages the Script Editor for malicious code execution without the need for Terminal.
  • The main targets are crypto wallets (Ledger, Trezor, Exodus, MetaMask) and browser data as well as sensitive documents.
  • It spreads through fake sites that mimic WeChat, Miro, or Apple updates and then force the Script Editor to open.


What is Reaper Malware?

Reaper malware is a type of macOS malware that is at the same time a data stealer, designed to steal personal information and drain crypto assets. It falls into the category of infostealers that actively target Mac users, especially those with crypto wallets.

Unlike previous macOS malware that relied heavily on the Terminal, Reaper uses Script Editor, an application that is built into every Mac. This makes it harder to detect because it takes advantage of Apple's official features.

This malware is often associated with Atomic macOS Stealer (AMOS) because the data theft module is nearly identical. Some researchers even call Reaper an updated variant or evolution of SHub Stealer.


How Does Reaper Malware Work?

The infection process is quite cunning and takes advantage of user psychology:

  1. Victims visit fake sites that mimic WeChat or Miro download pages (often using typosquatting domains like mlcrosoft[.]co[.]com).
  2. The site triggers an applescript:// command which immediately opens Script Editor with malicious code hidden using ASCII art and whitespace.
  3. The unsuspecting user then clicks the “Run” or “Play” button.
  4. A fake “Apple Security Update” dialog appears asking for the Mac password.
  5. Once the password is entered, the malware is activated. It installs a persistent backdoor disguised as a "Google Software Update" and runs every 60 seconds.
  6. Reaper then begins stealing data and modifying crypto wallets.

This malware also has a mechanism to stop if the victim's computer keyboard layout is set to Russian.
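Step 2 of the chain above can be checked for from the defender's side. The following is an added example, not code from the original article or from any vendor: it scans saved page source or proxy log text for applescript:// links and flags those whose decoded content is long and mostly whitespace. The thresholds and the sample page are assumptions constructed for illustration, and the sample URIs are placeholders rather than working links.

```python
import html
import re
from urllib.parse import unquote_plus

# Any applescript:// URI in markup or a log line; stops at quotes, angle brackets, whitespace.
URI_RE = re.compile(r"applescript://[^\s\"'<>]+", re.IGNORECASE)

def scan_for_applescript_links(text, min_len=200, pad_ratio=0.5):
    """Return one finding per applescript:// URI found in text."""
    findings = []
    for raw in URI_RE.findall(text):
        # Undo HTML entity encoding, then percent-encoding, to see what the user would get.
        decoded = unquote_plus(html.unescape(raw))
        ws = sum(ch.isspace() for ch in decoded)
        ratio = ws / len(decoded)
        findings.append({
            "uri_start": raw[:32],  # keep only a prefix in reports
            "decoded_len": len(decoded),
            "whitespace_ratio": round(ratio, 2),
            # Long content that is mostly blank space suggests code pushed out of view.
            "padded": len(decoded) >= min_len and ratio >= pad_ratio,
        })
    return findings

# Constructed sample page (not from a real campaign): placeholder URIs, harmless text.
SAMPLE_PAGE = (
    '<a href="applescript://placeholder.invalid?x=note">short</a>\n'
    '<a href="applescript://placeholder.invalid?x=banner' + "%0A" * 300 + 'tail">padded</a>\n'
    '<a href="https://miro.com/">ordinary link</a>\n'
)

if __name__ == "__main__":
    for finding in scan_for_applescript_links(SAMPLE_PAGE):
        print(finding)
```

Any applescript:// link on a download page deserves a look; the padding flag only helps rank which ones to review first.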

Main Targets of Reaper Malware

Reaper is highly focused on crypto users. It targets:

  • Desktop Crypto Wallets: Ledger Live, Trezor Suite, Exodus. The malware modifies internal code so that subsequent transactions are redirected to the attacker's wallet.
  • Browser Extensions: MetaMask, Phantom, and password managers like 1Password.
  • Browser Data: Passwords, cookies, and login data from Chrome, Firefox, Edge.
  • Sensitive Documents: .wallet, .keys, .pdf, .docx, .xlsx files in the Desktop and Documents folders. The data is compressed into a 70MB ZIP file and then sent to the attacker's server.

In this way, attackers can silently drain crypto wallets over the long term.


Reaper Malware's Relationship to Atomic macOS Stealer (AMOS)

Many reports mention that Reaper uses a data theft module modeled after Atomic macOS Stealer (AMOS), which itself has been known as one of the most active macOS infostealers in recent years.

Reaper is arguably a more sophisticated version, having successfully bypassed Apple's previous security patch targeting Terminal-based infections. By exploiting the Script Editor, this malware found a new weakness to abuse.

How Reaper Malware Spreads

Reaper spreads mainly through fake download sites. Victims typically search for WeChat or Miro on Google and then click on a link that appears official but is actually fake.

Additionally, there are related campaigns that use fake articles on Medium, Craft, or Squarespace that provide "macOS repair" instructions that are actually malicious commands. However, Reaper is more specific, forcing the Script Editor to open.

This is already the third campaign in less than two months targeting Mac users with ClickFix-like methods.


How to Protect Yourself from Reaper Malware

Here are some practical steps you can take:

  • Always download from official sources: Visit miro.com or web.wechat.com directly; do not click on links from Google or ads.
  • Script Editor alert: If the Script Editor suddenly opens by itself while browsing, close it immediately without clicking Run and delete the newly downloaded file.
  • Don't enter your Mac password carelessly: The “Apple Security Update” dialog that appears suddenly is almost certainly fake.
  • Use a trusted antivirus: Malwarebytes for Mac or other security tools that can detect malicious scripts.
  • Check the domain carefully: Pay attention to the spelling of the domain (example: microsoft, not mlcrosoft).
  • Enable Gatekeeper & XProtect: Make sure macOS's built-in security features remain enabled.
  • Back up your crypto wallet offline: Use a cold wallet and don't store your seed phrase on your computer.


Signs Your Computer Is Infected with Reaper Malware

Some indications to watch out for:

  • Script Editor often opens by itself for no reason.
  • There is a strange “Google Software Update” process in Activity Monitor.
  • The crypto wallet suddenly experiences a transaction that you did not make.
  • Mac performance is slow or there is suspicious network activity.
  • Large ZIP files appear in your Downloads folder or Desktop suddenly.

If you experience any of these, immediately scan with an antivirus and change important passwords.
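The “Google Software Update” sign above can be checked more systematically than by watching Activity Monitor. The following is an added example, not code from the original article: it assumes the backdoor persists as a launchd job (the article does not name the mechanism) and lists property lists that carry a Google-updater name and re-run at 60 seconds or less. The name hints, file names, and paths in the sample are constructed placeholders, not real indicators.

```python
import plistlib
import tempfile
from pathlib import Path

# Strings that make a job look like Google's updater (assumed hints; tune for your machines).
NAME_HINTS = ("google software update", "googlesoftwareupdate", "googleupdate")

def review_launch_items(directory, max_interval=60):
    """Return launchd jobs that carry a Google-updater name and re-run at a short interval."""
    hits = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                job = plistlib.load(fh)
        except Exception:
            continue  # unreadable or malformed plist
        if not isinstance(job, dict):
            continue
        args = job.get("ProgramArguments") or [job.get("Program", "")]
        text = " ".join([path.name, str(job.get("Label", ""))] + [str(a) for a in args]).lower()
        interval = job.get("StartInterval")
        if (any(h in text for h in NAME_HINTS)
                and isinstance(interval, int) and interval <= max_interval):
            hits.append({"file": path.name, "interval": interval, "command": args})
    return hits

def build_sample_dir():
    """Write two constructed plists (placeholders, not real indicators) to a temp directory."""
    d = Path(tempfile.mkdtemp())
    samples = {
        "com.example.GoogleSoftwareUpdate.plist": {
            "Label": "com.example.GoogleSoftwareUpdate",
            "ProgramArguments": ["/bin/sh", "/placeholder/path/agent.sh"],
            "StartInterval": 60},
        "com.example.backup.plist": {
            "Label": "com.example.backup",
            "ProgramArguments": ["/placeholder/path/backup"],
            "StartInterval": 3600},
    }
    for name, job in samples.items():
        with open(d / name, "wb") as fh:
            plistlib.dump(job, fh)
    return d

if __name__ == "__main__":
    # On a Mac, point this at ~/Library/LaunchAgents and /Library/LaunchAgents instead.
    for hit in review_launch_items(build_sample_dir()):
        print(hit)
```

A hit is a candidate for manual review, not a verdict: check where the listed command lives and whether you installed it.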

Conclusion

Reaper malware demonstrates that threats against macOS users, particularly those holding crypto assets, are becoming increasingly sophisticated. By exploiting the Script Editor and masquerading as an official update, this malware managed to bypass several layers of Apple's defenses.

The main key to protection remains user awareness: always verify the download source, never click "Run" in the Script Editor unless you know what the script does, and use additional security tools.

If you have downloaded WeChat or Miro from any unofficial sources in the past few days, you should scan your computer now with Malwarebytes or a similar tool. It's better to be safe than to lose your crypto assets.


FAQ

What is Reaper Malware?

The Reaper malware is a macOS infostealer that steals data and drains crypto wallets by exploiting the Mac's built-in Script Editor application. It is an evolution of the Atomic macOS Stealer (AMOS).

How does Reaper Malware spread?

The primary distribution is through fake download sites impersonating WeChat and Miro. These sites force open the Script Editor, hiding malicious code.

Which crypto wallets are targeted?

Reaper targets Ledger Live, Trezor Suite, Exodus, MetaMask, Phantom, and other browser extensions. It can modify wallet code to redirect transactions.

Is macOS safe from Reaper?

Apple has patched several previous vulnerabilities, but Reaper managed to bypass those patches using the Script Editor. Users should still be vigilant and avoid clicking on suspicious code.

What should you do if you are infected?

Immediately scan with a trusted antivirus, change all important passwords, transfer crypto assets to a new, clean wallet, and closely monitor account activity.

Disclaimer: The views expressed belong exclusively to the author and do not reflect the views of this platform. This platform and its affiliates disclaim any responsibility for the accuracy or suitability of the information provided. It is for informational purposes only and not intended as financial or investment advice.
