SHAMOS Strikes: Malvertising Madness Hits macOS Users Worldwide
A malvertising campaign targeting hundreds of organizations aimed to deploy the SHAMOS variant of the Atomic macOS Stealer. Victims were lured to fake macOS help sites and tricked into executing a malicious one-line installation command. CrowdStrike blocked attempts to compromise over 300 environments, highlighting the popularity of these tricks among eCrime actors.

Hot Take:
Well, well, well, it seems that cookies aren’t just for browsers anymore. Meet Cookie Spider, the cyber-bakery that’s been whipping up a fresh batch of trouble for macOS users. They’ve taken the “one-liner” to a new level, but instead of a punchline, you get a punch to your security. Who knew that getting caught in a web could lead to such a crumby situation?

Key Points:
– Between June and August 2025, a malvertising campaign targeted macOS users with a variant of the Atomic macOS Stealer (AMOS).
– The campaign used fraudulent macOS help websites to trick users into executing a malicious one-line installation command.
– Cookie Spider, a malware-as-a-service group, developed the SHAMOS variant of the AMOS infostealer.
– CrowdStrike blocked the campaign from compromising over 300 customer environments.
– The malvertising sites appeared in search results globally, with Russia excluded because of eCrime forum restrictions.