A new variant of SHub Stealer dubbed 'Reaper' targets macOS users through fake WeChat and Miro installers, employing sophisticated multi-stage delivery chains that spoof Apple, Google, and Microsoft services. The malware leverages the applescript:// URL scheme to bypass Terminal-based defenses, conducting extensive fingerprinting and anti-analysis checks before execution. Reaper harvests browser credentials, cryptocurrency wallets, developer configurations, iCloud data, and Telegram sessions. It includes an AMOS-style document theft module targeting files under 150MB with chunked uploads. The variant establishes persistence through a fake Google Software Update LaunchAgent and installs a backdoor for remote code execution. The infection specifically avoids CIS regions and employs extensive anti-analysis techniques including WebGL fingerprinting, VM detection, and DevTools interference.