Reaper Malware Exploits Fake Microsoft Domain to Harvest macOS Credentials and Crypto Assets
What Happened — Researchers identified a new macOS‑focused malware family named Reaper that leverages a counterfeit Microsoft domain to trick users into entering their credentials. The payload bypasses Apple’s Tahoe 26.4 security updates, exfiltrates passwords and cryptocurrency wallet data, and installs a persistent backdoor.
Why It Matters for TPRM —
- Credential theft on macOS endpoints can give threat actors lateral movement into vendor environments.
- Persistent backdoors undermine the security controls many third‑party providers rely on for remote management.
- The use of a trusted‑looking Microsoft domain increases the likelihood of successful phishing against business users.
Who Is Affected — Enterprises with macOS workstations, SaaS providers supporting macOS clients, and any organization that allows BYOD macOS devices.
Recommended Actions —
- Verify that all macOS endpoints run the latest security patches beyond Tahoe 26.4.
- Enforce MFA for Microsoft‑related services and educate users on phishing indicators.
- Deploy endpoint detection and response (EDR) solutions capable of detecting anomalous domain resolution and credential‑harvesting behaviors.
Technical Notes — Attack vector: phishing via a spoofed Microsoft domain; bypass technique: exploitation of a flaw in macOS’s Tahoe 26.4 update chain; data exfiltrated: saved passwords, crypto wallet seeds, and system information. Source: HackRead