IOC Radar
TLP:WHITE (8 IOCs)

SHub Reaper | macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain

Source: SentinelOne Blog (original report)
Published May 18, 2026

Threat Actors: APT37, Sandworm

Malware Families: Cobalt Strike

Diamond Model
- Adversary (2): APT37, Sandworm
- Infrastructure (6): https://hebsbsbzjsjsh…, https://hebsbsbzjsjsh…, mlcrosoft.co.com (the widget shows three of the six)
- Capability (1): Cobalt Strike
- Victim: unknown

5W+H Threat Analysis

Analysis unavailable

Indicators of Compromise (8)

| Type   | Indicator                                              | Tags                           | Confidence | Score | First Seen |
|--------|--------------------------------------------------------|--------------------------------|------------|-------|------------|
| URL    | https://hebsbsbzjsjshduxbs.xyz/api/bot/heartbeat       | intel-blog, malware, network   | High       | 58    | Jun 2, 26  |
| SHA256 | 6552824c59ddacb134073f24a4bd4724514a938a9dc59f1733503642faed3bd3 | file-hash, intel-blog, malware | Medium | 53 | Jun 2, 26 |
| URL    | https://hebsbsbzjsjshduxbs.xyz/gate                    | intel-blog, malware, network   | High       | 58    | Jun 2, 26  |
| MD5    | c917fcf8314228862571f80c9e4a871e                       | file-hash, intel-blog, malware | Medium     | 53    | Jun 2, 26  |
| Domain | mlcrosoft.co.com                                       | intel-blog, malware, network   | High       | 63    | Jun 2, 26  |
| Domain | qq-0732gwh22.com                                       | intel-blog, malware, network   | High       | 58    | Jun 2, 26  |
| URL    | https://hebsbsbzjsjshduxbs.xyz/api/debug/event         | intel-blog, malware, network   | High       | 58    | Jun 2, 26  |
| Domain | mlroweb.com                                            | intel-blog, malware, network   | High       | 58    | Jun 2, 26  |

IOC Relationship Graph (8 total IOCs)

Node summary: URL 3, Domain 3, SHA256 1, MD5 1; Actors 2 (APT37, Sandworm); Malware 1 (Cobalt Strike); Report: SHub Reaper | macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain