Falcon Platform Prevents COOKIE SPIDER's SHAMOS Delivery on macOS
TLP: WHITE | Author: PetrP.73 | Created: 2025-08-21 | Modified: 2025-08-21
12 IOCs, medium volume
Between June and August 2025, the CrowdStrike Falcon platform blocked more than 300 attempted compromises by SHAMOS, a variant of Atomic macOS Stealer (AMOS) attributed to the cybercriminal group COOKIE SPIDER. The campaign used malvertising aimed at users searching for fixes to macOS problems, redirecting them to malicious websites that delivered the stealer. Victims were spread across several countries, including the U.S., UK, Japan, and Canada; the operators avoided Russia, in keeping with the local cybercrime-forum rules that prohibit commodity malware operations there.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed in this pulse
Malware families: SHAMOS
Indicators of Compromise (6 / 12 total)
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-SHA256 | 231c4bf14c4145be77aa4fef36c208891d818983c520ba067dda62d3bbbf547f | | 2025-08-21
FileHash-SHA256 | 4549e2599de3011973fde61052a55e5cdb770348876abc82de14c2d99575790f | | 2025-08-21
FileHash-SHA256 | a4e47fd76dc8ed8e147ea81765edc32ed1e11cff27d138266e3770c7cf953322 | | 2025-08-21
FileHash-SHA256 | 95b97a5da68fcb73c98cd9311c56747545db5260122ddf6fae7b152d3d802877 | | 2025-08-21
FileHash-SHA256 | b01c13969075974f555c8c88023f9abf891f72865ce07efbcee6c2d906d410d5 | | 2025-08-21
FileHash-SHA256 | eb7ede285aba687661ad13f22f8555aab186debbadf2c116251cb269e913ef68 | | 2025-08-21
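To turn the hashes above into a host check, the following is an added example (not part of this pulse, and not CrowdStrike or OTX tooling). It parses the FileHash-SHA256 rows exactly as they appear in the table, then hashes every regular file under a directory in chunks and reports any match. The default target (~/Downloads) and the sample inputs are assumptions. Caveat: hash indicators only catch these exact builds; a repacked or recompiled stealer will not match, so a clean sweep means these six samples are absent, not that SHAMOS is.

```python
"""Sweep a directory for files whose SHA-256 matches the SHAMOS IOCs in this pulse.

Added example, not part of the OTX pulse or of any vendor tooling. The IOC rows
are copied from the table above; the target directory and any sample files are
constructed assumptions.
"""
import hashlib
import os
import re
import sys
from pathlib import Path
from typing import Dict, Set

# IOC rows copied verbatim from the pulse table (type, indicator, created).
PULSE_IOC_ROWS = """
FileHash-SHA256 231c4bf14c4145be77aa4fef36c208891d818983c520ba067dda62d3bbbf547f 2025-08-21
FileHash-SHA256 4549e2599de3011973fde61052a55e5cdb770348876abc82de14c2d99575790f 2025-08-21
FileHash-SHA256 a4e47fd76dc8ed8e147ea81765edc32ed1e11cff27d138266e3770c7cf953322 2025-08-21
FileHash-SHA256 95b97a5da68fcb73c98cd9311c56747545db5260122ddf6fae7b152d3d802877 2025-08-21
FileHash-SHA256 b01c13969075974f555c8c88023f9abf891f72865ce07efbcee6c2d906d410d5 2025-08-21
FileHash-SHA256 eb7ede285aba687661ad13f22f8555aab186debbadf2c116251cb269e913ef68 2025-08-21
"""

# Only FileHash-SHA256 rows are usable here; domain/MD5/SHA1 rows would be ignored.
SHA256_ROW = re.compile(r"^FileHash-SHA256\s+([0-9a-fA-F]{64})\b")


def parse_sha256_iocs(rows: str) -> Set[str]:
    """Extract lowercase SHA-256 indicators from pulse table rows."""
    found: Set[str] = set()
    for line in rows.splitlines():
        m = SHA256_ROW.match(line.strip())
        if m:
            found.add(m.group(1).lower())
    return found


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large DMGs or Mach-O bundles are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, iocs: Set[str]) -> Dict[str, str]:
    """Return {path: sha256} for every regular file under root whose hash is in iocs.

    Symlinks are not followed and unreadable files are skipped, so a sweep over
    a user's Downloads folder or /tmp does not abort on a single permission error.
    """
    hits: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits[str(p)] = digest
    return hits


if __name__ == "__main__":
    # Assumed default: the folder a malvertising download would most likely land in.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Downloads"
    iocs = parse_sha256_iocs(PULSE_IOC_ROWS)
    for path, digest in sweep(target, iocs).items():
        print(f"MATCH {digest} {path}")
```

Run it as `python3 sweep.py /path/to/dir`; with no argument it checks ~/Downloads. Because the IOC set is passed into `sweep`, the same code can take hashes from any other pulse or feed once they are normalised to lowercase hex.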