Particle.news
Download on the App Store
5 ARTICLES
·
3h ago

Malvertising Campaign Targets macOS With New 'Shamos' Stealer, CrowdStrike Says

Researchers say paid search ads funneled users to fake fixes that led to a one-line Terminal command capable of bypassing Gatekeeper.

macOS malware SHAMOS
Phony Apple help ads push malware that bypasses Mac security
COOKIE SPIDER's Malvertising Drops New SHAMOS macOS Malware

Overview

  • CrowdStrike attributes the operation to the COOKIE SPIDER cybercrime group and identifies Shamos as a new variant of the Atomic macOS Stealer.
  • Malicious ads, spoofed help pages, and fake GitHub repositories instructed users to paste a single command that fetched a Bash script, captured passwords, removed quarantine flags, and installed the Mach-O binary.
  • Telemetry recorded more than 300 attempted deliveries between June and August across the US, UK, Canada, Japan, Italy, Mexico, China, Colombia, and other countries, with no targeting of Russia reported.
  • The malware collects Keychain items, browser credentials, Apple Notes, and cryptocurrency wallets, packages data into out.zip, exfiltrates via curl, performs anti-VM checks, and can persist via a LaunchDaemons plist when run with sudo.
  • CrowdStrike published indicators of compromise, including mac-safer.com and rescue-mac.com, and security teams urge users to avoid unverified Terminal commands and scan for related activity.