New Malware Campaign Hits Mac Users Through Fake Support Sites

This summer, a single click on a supposed help page was enough to land Mac users in a perfidious trap. According to security experts, the Cookie Spider group is behind the wave of attacks.
New malware campaign threatens macOS users
Between June and August 2025, cybercriminals worldwide tried to gain access to their victims' devices via manipulated search ads, with the aim of obtaining passwords, cryptocurrency wallets and personal data. In the current case, they rely on a new variant of the Atomic macOS Stealer (AMOS), which is known under the name Shamos. According to security specialists at CrowdStrike, their Falcon security platform recognized and blocked the campaign.
Fake help pages in search engines
But how did the cybercriminals try to lure their victims into the trap? The path the perpetrators chose was particularly insidious. Anyone looking for solutions to macOS problems, such as “flush resolver cache”, was shown manipulated ads in the search results. Domains such as MacSafer.com or Rescue-mac.com presented themselves as official help pages. There, users were asked to copy an inconspicuous command into the terminal. Behind it was a download script that captured the user's password and loaded the malware. The ads appeared internationally, including in the USA, Great Britain, Japan, Canada and Italy.
Bypass of protective mechanisms
With this trick, the attackers managed to bypass Apple’s Gatekeeper security checks. After installation, Shamos first checked whether it was running in a test environment and then began systematic data collection. It targeted the Keychain, notes, browser logins and crypto wallets. The captured information was bundled into a file and inconspicuously transmitted to the people behind the campaign.
Danger also lurks in free software
If the malware had sudo rights, it also set up persistent access by placing a plist file in the LaunchDaemons system folder. In addition to this variant, security experts also discovered a fake wallet app and building blocks for a botnet. According to CrowdStrike, the attackers did not limit themselves to search ads. They also tried to spread their malware through GitHub. The programs reached the computers of unsuspecting users disguised as free tools, from supposed video software to AI applications.
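The persistence step described above can be checked for by reviewing what each plist in the LaunchDaemons folder actually starts. The following Python sketch is an added example, not code from CrowdStrike or from the campaign; the trusted and suspicious path lists are assumptions to tune for your own systems.

```python
import plistlib
from pathlib import Path

# Assumption: locations where a root daemon's executable normally lives.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/", "/Applications/")
# Assumption: path fragments that are unusual anywhere in a root daemon's command line.
SUSPICIOUS_PARTS = ("/Users/", "/tmp/")


def job_command(plist):
    """Return every string launchd would use to start the job."""
    program = [plist["Program"]] if plist.get("Program") else []
    return [str(a) for a in program + list(plist.get("ProgramArguments") or [])]


def review_reason(command):
    """Return why a command line merits review, or None if nothing stands out."""
    if not command:
        return "no executable defined"
    for arg in command:
        hidden = arg.startswith("/") and any(p.startswith(".") for p in Path(arg).parts)
        if hidden or any(s in arg for s in SUSPICIOUS_PARTS):
            return f"references user-writable or hidden path: {arg}"
    if not command[0].startswith(TRUSTED_PREFIXES):
        return f"executable in unexpected location: {command[0]}"
    return None


def audit_launch_daemons(folder="/Library/LaunchDaemons"):
    """Return (file name, reason) pairs for daemon plists that merit manual review."""
    findings = []
    for path in sorted(Path(folder).glob("*.plist")):
        try:
            with path.open("rb") as fh:
                plist = plistlib.load(fh)  # reads XML and binary plists
            if not isinstance(plist, dict):
                raise ValueError("top level is not a dictionary")
            reason = review_reason(job_command(plist))
        except Exception:  # malformed file: report it instead of aborting the audit
            reason = "unparseable plist"
        if reason:
            findings.append((path.name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit_launch_daemons():
        print(f"{name}: {reason}")
```

A finding is a prompt for manual review, not proof of infection: legitimate third-party software also installs daemons, so compare the listed entries against what you knowingly installed.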
This is how users can protect themselves
The campaign makes it clear that Mac users have long since come into the crosshairs of professional criminals. Consumers can protect themselves with simple means:
- Check search results critically: Advertised links are not automatically trustworthy. It is better to head for official pages directly.
- Do not execute unknown commands: Anyone who is asked to enter cryptic terminal commands should immediately become suspicious.
- Keep the system up to date: Update macOS regularly and use security solutions that can recognize suspicious activities.
- Download only from trustworthy sources: Never download free software from random GitHub repositories or dubious sites.
- Secure sensitive data: Password managers, two-factor authentication and regular backups make the attackers' business difficult.
As inconspicuous as the trap may seem at first glance, the campaign shows how professionally cybercriminals proceed and how important it is to remain alert and careful on the Mac.