A malvertising campaign deploying Shamos, a variant of the Atomic macOS Stealer (AMOS) developed by cybercrime group Cookie Spider, was blocked by CrowdStrike after the threat actor attempted to compromise more than 300 customers.CrowdStrike blocked the campaign between June and August 2025, according to an Aug. 20 blog post.Researchers at CrowdStrike explained that in acting as a malware-as-a-service operation, Cookie Spider rents the AMOS stealer to cybercriminals, who then deploy it to harvest sensitive data and cryptocurrency assets from victims.The campaign leverages malvertising to direct users to fraudulent macOS websites where victims are told to execute a malicious one-line installation command. Using the one-line installation command lets bad actors bypass Apple’s Gatekeeper security checks and install the malicious executable directly onto victim devices.According to the CrowdStrike researchers, Cuckoo Stealer and Shamos operators have previously leveraged this method in Homebrew malvertising campaigns between May 2024 and January 2025.CrowdStrike said to protect against the malvertising campaign, Falcon customers should configure the following policy settings: suspicious process prevention and intelligence sourced threat prevention.“Cookie Spider’s Shamos push shows that the easiest breach path is still the person at the keyboard,” said Jason Soroko, senior fellow at Sectigo. “The adversary skips costly exploits by convincing users to paste a single command into Terminal, and supply a password. Technical flourishes like anti-VM checks and modular payloads matter, but the key is trust won through believable help pages and ads.” Soroko said defense should start with user journey mapping, safe search habits and ad filtering, then hardening of standard accounts, browser download restrictions, and an EDR that watches for commands that fetch and pipe to Bash. Apple controls such as Gatekeeper and notarization reduce risk, said Soroko, but they cannot stop a user who decides to override prompts.“The practical rule is simple, never run commands from websites you do not fully trust and seek official support before touching Terminal,” said Soroko.Eric Russo, director, SOC Defensive Security at Barracuda, added that the human element remains one of the weakest links and critical factors in many complex cyberattacks. Russo said the AMOS stealer campaign exemplifies how threat actors exploit online ads and social engineering to manipulate users into detonating malicious payloads.“While user awareness is essential, it’s crucial to recognize that even savvy individuals can be deceived by these sophisticated tactics, especially with the rise of AI-driven threats,” said Russo. “Consequently, security teams must prioritize layered defenses and AI-assisted detection strategies to mitigate threats and reduce the likelihood of significant breaches when users are targeted.”
