Detecting macOS.GMERA Malware Through Behavioral Inspection

2019-09-25 SentinelOne

https://labs.sentinelone.com/detecting-macos-gmera-malware-through-behavioral-inspection/


SentinelOne examined a GMERA.B macOS sample distributed as Stockfoli.app, a fake bundle imitating the legitimate Stockfolio trading application. The bundle carried a seemingly genuine copy of Stockfolio.app in its Resources folder, while a malicious script decoded and wrote a hidden property list under the user's Library path. The decoded property list launched a looped Bash reverse shell to attacker infrastructure at 193.37.212.176 on port 25733; other ports are referenced in related research and in the disassembly. The post uses the sample to show why behavioral detection can catch fake-app execution, persistence creation, and outbound shell activity even when code signatures, hashes, paths, or YARA rules lag behind new variants.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
IPv4   193.37.212.176                     2019-09-20   2020-01-01
HASH   d2eaeca25dd996e4f34984a0acdc4c2…   2019-09-25   2019-09-25
