Reaper Malware Bypasses Apple’s ClickFix Patch With Built-in Mac Tool

What You Need to Know
- Reaper malware targets Mac users by disguising itself as legitimate apps like WeChat and Miro through fake download pages.
- Malware modifies wallet software code to redirect cryptocurrency transactions rather than stealing seed phrases directly.
- AppleScript execution through `applescript://` URLs bypasses Apple’s Terminal patch, making this the third similar campaign in two months.
- Reaper skips machines with Russian keyboard layouts, indicating operators’ location and intended target geography.
Mac users storing crypto have a new problem: malware called Reaper is circulating through convincing fake download pages for WeChat, Miro, and similar apps, and once installed it modifies wallet software at the code level to redirect future transactions rather than simply copying seed phrases.
The mechanism is what makes this worth paying attention to. Apple’s macOS update earlier this year closed the Terminal-based ClickFix vector that attackers had been exploiting, where victims were socially engineered into pasting malicious commands themselves. Reaper routes around that patch entirely by using an `applescript://` URL to open Script Editor, a built-in tool that ships with every Mac and that most users associate with automation, not infection. The malicious payload is hidden inside ASCII art and whitespace, invisible to a casual glance, and executes the moment a user clicks the play button. Moonlock identifies this as the third campaign in roughly two months using this AppleScript approach, which means the Terminal patch effectively moved the attack surface rather than eliminating it.
Reaper skips machines with Russian keyboard layouts, a deliberate tell about where the operators are located and who they are not targeting.
The wallet-modification behavior is the part that separates this from a standard credential stealer. Apps like Ledger Live, Trezor Suite, and Exodus are not just scraped for stored keys; their internal code is altered so that subsequent transactions get silently redirected. A user whose wallet was compromised this way would have no obvious indication anything was wrong until funds moved somewhere they did not authorize. That persistence mechanism, combined with a backdoor disguised as a Google Software Update directory, means a single successful infection is not a one-time event. For anyone holding meaningful on-chain positions through desktop wallet software, the attack model here is more corrosive than a phishing link.
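Because Reaper alters the wallet app’s own files rather than just reading them, a file-integrity baseline of the app bundle is one way to catch the change. The script below is an added example, not code from the article or from Moonlock; it assumes the wallet apps live under `/Applications` and stores its manifest in the user’s home directory. On a real Mac, `codesign --verify --deep --strict` on the bundle is the first check to run; this script adds a baseline diff that also reports files added alongside the original code.

```python
import hashlib
import json
from pathlib import Path

# Desktop wallet apps the article names as targets of in-place code modification.
WALLET_APPS = ["Ledger Live.app", "Trezor Suite.app", "Exodus.app"]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(bundle: Path) -> dict:
    """Map every regular file under the bundle (relative path) to its SHA-256."""
    return {
        str(p.relative_to(bundle)): sha256_file(p)
        for p in sorted(bundle.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Files whose content changed, files that appeared, and files that vanished."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def check_bundle(bundle: Path, manifest_path: Path) -> dict:
    """First run records a baseline from a known-good install; later runs diff against it."""
    current = build_manifest(bundle)
    if not manifest_path.exists():
        manifest_path.write_text(json.dumps(current, indent=1, sort_keys=True))
        return {"modified": [], "added": [], "removed": []}
    baseline = json.loads(manifest_path.read_text())
    return diff_manifest(baseline, current)


if __name__ == "__main__":
    # Assumed locations: apps under /Applications, manifests in the home directory.
    for name in WALLET_APPS:
        bundle = Path("/Applications") / name
        if bundle.is_dir():
            print(name, check_bundle(bundle, Path.home() / f".{name}.manifest.json"))
```

Take the baseline right after a fresh install from the vendor, and treat any entry under "modified" or "added" that was not produced by a legitimate wallet update as a reason to stop transacting from that machine.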
The timing matters because hardware wallet and desktop wallet usage has increased alongside the broader retail re-entry into crypto markets through late 2024 and into 2025. Larger pools of accessible funds on more machines create a better return on investment for whoever is running this infrastructure. The typosquatted Microsoft domains and fake Apple security dialogs are calibrated for users who are security-conscious enough to own a hardware wallet but not technical enough to scrutinize an AppleScript execution prompt. That is a large and growing demographic right now.