Mac users are facing a new cybersecurity threat. Security researchers have identified a malware strain called Reaper that specifically targets cryptocurrency holders and is capable of bypassing some of macOS’s built-in security protections.

The malware is being distributed through fake download pages that imitate popular applications. Once a victim executes the malicious script, Reaper begins collecting credentials, cryptocurrency wallet data, and sensitive documents stored on the device.

Attackers Have Found a New Way Around macOS Security

Until recently, cybercriminals commonly relied on social engineering techniques that tricked users into manually running malicious commands in Terminal.

Apple has gradually closed many of those attack vectors through security updates. However, the creators of Reaper have found a new approach.

Instead of abusing Terminal, the malware leverages Script Editor, a built-in macOS application that comes preinstalled on every Mac. Since most users rarely interact with it, few recognize the potential security risks it can pose.

Malicious websites can automatically launch Script Editor and display what appears to be a harmless script. In reality, the dangerous code is hidden among ASCII art, whitespace, and other elements that make it difficult for ordinary users to detect.

A single click on the Run button can be enough to give attackers access to the system.

Fake Websites Are Designed to Look Legitimate

The campaign relies on deceptive domains that closely resemble well-known companies and software platforms.

Security researchers have discovered websites using typo-squatting techniques, making them appear trustworthy at first glance.

Once the script is launched, victims are often presented with a fake Apple security update prompt requesting their Mac password.

This is the moment when attackers gain access to more sensitive areas of the system.

Interestingly, the malware first checks the device’s keyboard layout. If it detects a Russian-language configuration, the attack terminates immediately. This behavior is commonly observed in malware campaigns and may offer clues about the origin of the operators behind the attack.

Crypto Wallets and Password Managers Are Primary Targets

The malware's primary objective is to compromise cryptocurrency-related applications.

Reaper specifically targets popular wallets such as Ledger Live, Trezor Suite, and Exodus. According to researchers, it can manipulate internal wallet files and intercept future transactions.

Beyond crypto wallets, the malware also focuses heavily on web browsers.

It attempts to extract stored credentials from Chrome, Firefox, and Microsoft Edge while also harvesting data from browser extensions such as MetaMask and password managers like 1Password.

Cryptocurrency assets are not the only target.

Reaper Also Steals Sensitive Documents

Security analysis shows that the malware actively scans both Desktop and Documents folders for valuable files.

Among the targeted file types are:

  • Microsoft Word documents (.docx)

  • PDF files (.pdf)

  • Excel spreadsheets (.xlsx)

  • Wallet backup files (.wallet)

  • Private key and backup files (.keys)

The collected files are compressed into archives and transmitted to remote command-and-control servers operated by the attackers.

In some cases, Reaper also installs a hidden backdoor that allows long-term access to the device even after a system reboot.
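The padding trick described above (executable statements buried among ASCII-art comment banners, block comments and blank lines) and the indicator list from the sections on wallets and document theft lend themselves to a simple pre-run triage. The following Python is an added example of my own, not code from the article or from Moonlock's research: it strips everything AppleScript would ignore, reports how much of the script is padding, and flags the statements a defender would want to see before anyone presses Run. The sample script is constructed for illustration and does nothing harmful, and the indicator regexes are this example's own heuristics, not published detection rules.

```python
import re

# Constructed sample (not a real Reaper script): the four lines that actually run
# are buried under a comment banner, a block comment and a run of blank lines,
# the padding technique the article describes.
SAMPLE_SCRIPT = """\
--  ##############################
--  #  ____  _____ ___  _____   #
--  # |    ||     | | ||     |  #
--  # |____||_____|___||_____|  #
--  ##############################
(* Checks your installation, nothing else *)






display dialog "macOS Security Update" default answer "" with hidden answer
set target_app to "Ledger Live"
set targets to {"Desktop", "Documents", ".docx", ".wallet", ".keys"}
do shell script "echo placeholder-command"
"""

# AppleScript block comments: (* ... *), possibly spanning lines.
BLOCK_COMMENT = re.compile(r"\(\*.*?\*\)", re.S)

# Heuristic indicators derived from the behaviour the article describes
# (shell execution, a password dialog, wallet apps, user folders, file types).
# These patterns are assumptions made for this example, not vendor rules.
INDICATORS = {
    "shell_execution": re.compile(r"\bdo shell script\b", re.I),
    "password_prompt": re.compile(r"\bdisplay dialog\b.*\bhidden answer\b", re.I),
    "wallet_reference": re.compile(r"Ledger Live|Trezor Suite|Exodus|MetaMask|1Password", re.I),
    "user_folders": re.compile(r"\b(Desktop|Documents)\b"),
    "targeted_extensions": re.compile(r"\.(docx|pdf|xlsx|wallet|keys)\b", re.I),
}


def executable_lines(script: str) -> list:
    """Return only the lines AppleScript would execute: block comments,
    `--` and `#` line comments, and blank lines are dropped."""
    stripped = BLOCK_COMMENT.sub("", script)
    lines = []
    for line in stripped.splitlines():
        text = line.strip()
        if not text or text.startswith("--") or text.startswith("#"):
            continue
        lines.append(text)
    return lines


def triage(script: str) -> dict:
    """Summarise how much of the script is padding and which indicators fire.
    A script is marked suspicious when it runs a shell command or asks for a
    hidden (password) answer, the two behaviours the article highlights."""
    total = len(script.splitlines())
    live = executable_lines(script)
    hits = {}
    for name, pattern in INDICATORS.items():
        matched = [line for line in live if pattern.search(line)]
        if matched:
            hits[name] = matched
    padding_ratio = 1 - len(live) / total if total else 0.0
    suspicious = "shell_execution" in hits or "password_prompt" in hits
    return {
        "total_lines": total,
        "executable": live,
        "padding_ratio": padding_ratio,
        "hits": hits,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SCRIPT)
    print(f"{len(report['executable'])} of {report['total_lines']} lines execute "
          f"(padding {report['padding_ratio']:.0%})")
    for line in report["executable"]:
        print("   ", line)
    for name, lines in report["hits"].items():
        print(f"[{name}]", *lines, sep="\n    ")
    print("verdict:", "suspicious" if report["suspicious"] else "no indicators fired")
```

Run it as-is to see the report for the constructed sample, or pass the text of a script saved from Script Editor (File > Export as text) into `triage()`. The point of the padding ratio is visibility: a script where three quarters of the lines are decoration and the remainder asks for a password and runs a shell command is exactly the shape the article warns about, regardless of how innocent the banner looks in the editor window.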

Fake WeChat code opens up in Script Editor. Source: Moonlock.

The Third Similar Campaign in Just Weeks

According to cybersecurity experts, Reaper is not an isolated incident.

It represents the third major campaign in roughly two months that has adopted a similar AppleScript-based attack technique combined with social engineering tactics.

Researchers have also linked the activity to broader campaigns involving fake troubleshooting guides and fraudulent technical support content published across various web platforms. Those campaigns have been associated with other well-known malware families designed to steal cryptocurrency assets and sensitive personal information.

How Can Users Protect Themselves?

Security professionals recommend extreme caution when downloading software from unofficial sources.

Users should always verify website addresses before downloading applications and be highly suspicious of unexpected prompts requesting system passwords.

Particular attention should be paid to any website that asks users to open Script Editor or execute an unfamiliar script.

These tactics are becoming one of the primary delivery mechanisms for Reaper, a malware family that is increasingly targeting cryptocurrency investors using Apple devices.

#Apple #CyberSecurity #CryptoNews #HackerAlert #StaySafe
