Between June and August this year, CrowdStrike’s Falcon platform stopped a coordinated malware campaign aimed at more than 300 customer environments. The operation involved SHAMOS, a variant of the Atomic macOS Stealer (AMOS), built and rented out by the cybercriminal group COOKIE SPIDER.
The scheme was simple. Malvertising lured users searching for macOS fixes to spoofed help sites.
There, victims were told to copy and paste a one-line command into Terminal. That single command bypassed Apple’s Gatekeeper checks and installed a Mach-O executable. It is a technique increasingly favored by eCrime groups. SHAMOS and its predecessor, Cuckoo Stealer, have both relied on it in earlier campaigns tied to fake Homebrew downloads.
This round of activity stretched across the US, UK, Japan, China, Colombia, Canada, Mexico, and Italy. Notably absent was Russia. That omission is no accident. Operators on Russian-speaking forums still enforce rules that prohibit targeting victims in Russia and the broader Commonwealth of Independent States.
One campaign in June provides the clearest example. A user searching for “macos flush resolver cache” might see a sponsored result for what looked like a help page. Clicking through led to domains such as mac-safer[.]com or rescue-mac[.]com. At least one ad profile appeared to impersonate an electronics store in Australia, further masking the activity.
The malicious command on these sites was straightforward. It decoded a Base64 string that resolved to a script hosted on icloudservers[.]com. That script grabbed the user’s password, fetched SHAMOS, and placed it into the /tmp/ directory. From there, the malware stripped file attributes, assigned execution rights, and ran.
Once active, SHAMOS took steps to avoid sandboxes, then launched AppleScript commands to gather system data. It searched for cryptocurrency wallets, credential stores, browser data, and Apple Notes. The stolen information was compressed into a ZIP archive and sent out using curl.
SHAMOS also pulled down additional payloads, including a fake Ledger Live wallet app and a botnet module. Persistence was achieved through a LaunchDaemons entry if the user had Sudo rights.
CrowdStrike telemetry flagged these behaviors throughout the summer. Repeated curl traffic pointed to botnet functionality being tested or deployed.
The malvertising campaign did not stop there. Threat hunters also tied it to a fake GitHub repository posing as the official iTerm2 project. Instructions there mimicked the same trick: a one-line command that led to a Bash script and, eventually, SHAMOS. The only variation was the absence of Base64 encoding.
The pattern is now clear. One-line commands are an efficient tool for eCrime groups. They bypass defenses, lower barriers for less technical operators, and exploit the trust of users who believe they are solving a legitimate problem.
CrowdStrike’s Falcon platform blocked the activity across customer environments, but the lesson remains. As long as macOS users turn to search results for quick fixes, COOKIE SPIDER and groups like it will continue to exploit that trust.
Exploiting Less-Technical Users
Trey Ford of Bugcrowd, comments: “Bob Lord described the work security teams do so well — we work against human adversaries who organize their work into campaigns.” This one, he noted, is especially clever. Attackers profile less-technical users through search queries, then walk them step by step into running the malware. He believes enterprises with strong privileged account management are more likely to block such attempts, but small businesses and home users remain vulnerable.
Hidden in a Promise
These campaigns succeed by “tricking users into running malicious commands on their systems,” adds Ben Hutchison of Black Duck. The danger is hidden in a promise — run this one command, fix your issue. He explained how SHAMOS leaned on a curl call to fetch an obfuscated script, steal credentials, and download more payloads.
Avoidance, Hutchison says, requires awareness of command-line behavior most users simply don’t have. His prescription: technical controls to block untrusted scripts, coupled with user education that teaches people why copying random commands is risky. He added that threat hunting and attack simulation should become standard practice, since yesterday’s defenses rarely stop tomorrow’s tricks.
The Human Factor
Jason Soroko of Sectigo emphasized the human factor: “Cookie Spider’s SHAMOS push shows that the easiest breach path is still the person at the keyboard.” The group sidestepped expensive exploits by persuading users to paste a line of code and enter a password. Trust, not technology, was the lever.
He argued that defense must start with the user journey (safer search, ad filtering, and habits) then add hardening with account restrictions, browser policies, and endpoint tools that watch for suspicious command execution. His rule of thumb is simple: never run commands from websites you don’t fully trust.
A Household Issue
This is not just a corporate issue but a household one, notes Randolph Barr of Cequence Security. Families without IT support are equally at risk. He recalled a carrier overseas warning subscribers by text, urging them to ignore scams about expiring loyalty points. Direct, proactive communication works better than waiting for people to seek out advice.
For enterprises, Barr challenges a common refrain: the problem isn’t that “humans are the weakest link,” but that too many systems lack proper guardrails. He called for secure-by-default settings, DNS filtering, phishing-resistant MFA, and EDR that spots malicious one-line scripts. His view is that companies should remove as much burden as possible from end users, whether employees or consumers.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.