Security company CrowdStrike, the same company that caused the massive Windows meltdown back in July 2024, has identified a group of criminals who poisoned search results so that fake Apple support pages appear and deliver malware. And the criminals are even renting their nefarious wares to other criminals.
CrowdStrike says the criminal group, dubbed Cookie Spider, slips malicious websites into paid search results. The fake support pages cover some routine fixes Mac users are likely to look for. Users are instructed to type a command into Terminal to supposedly fix the problem. Instead, the command downloads a hidden installer that can bypass Apple’s Gatekeeper protection. The malware it injects is called Shamos. CrowdStrike says Gatekeeper was bypassed with a single line of code.

Shamos interrogates the infected Mac for sensitive files such as Keychain entries and then sends them to the criminals, who can exploit them. Getting rid of Shamos can be tricky because it plants a LaunchDaemons entry so that it is automatically reloaded every time the system is restarted. The criminals also used some other tricks to avoid detection.
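
One way to review LaunchDaemons entries for the kind of persistence described above is shown below. This is an added example, not code from CrowdStrike or from this article; the function names, the path heuristics and the sample plists are assumptions constructed for illustration.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Heuristic (assumption): system daemons rarely run from these user-writable places.
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")

def review_daemon(plist_bytes):
    """Return reasons a LaunchDaemons plist deserves a closer look (empty if none)."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]
    if not isinstance(job, dict):
        return ["plist root is not a dictionary"]
    # launchd starts Program, or ProgramArguments[0] with the rest as arguments;
    # check every absolute path so an interpreter plus hidden script is caught too.
    targets = [job.get("Program")] + list(job.get("ProgramArguments") or [])
    reasons = []
    for t in targets:
        if not isinstance(t, str) or not t.startswith("/"):
            continue
        if any(p.startswith(".") for p in PurePosixPath(t).parts[1:]):
            reasons.append(f"hidden path component: {t}")
        if t.startswith(SUSPECT_PREFIXES):
            reasons.append(f"user-writable location: {t}")
    if reasons and job.get("RunAtLoad"):
        reasons.append("RunAtLoad set, so it starts again at every boot")
    return reasons

def audit(directory="/Library/LaunchDaemons"):
    """Map each flagged plist in the directory to its reasons."""
    found = {}
    for f in sorted(Path(directory).glob("*.plist")):
        reasons = review_daemon(f.read_bytes())
        if reasons:
            found[f.name] = reasons
    return found

# Constructed sample inputs (not taken from the CrowdStrike report).
BENIGN = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Library/Example/updater</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
SUSPECT = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array><string>/bin/bash</string>
<string>/private/tmp/.agent/run.sh</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""

if __name__ == "__main__":
    print(review_daemon(BENIGN), review_daemon(SUSPECT), audit(), sep="\n")
```

A flagged entry is a prompt to inspect the file it points at, not proof of infection; legitimate third-party software also installs LaunchDaemons.
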
CrowdStrike detected more than 300 attempts to deliver Shamos, a variant of another malware tool called Atomic Stealer, between June and August 2025. The operation was run by Cookie Spider, a group that rents out malware to other criminals on a subscription basis.
By catching Mac users during a moment of vulnerability, when solving a problem, and using just enough technical information without making the process too difficult, the criminals were able to fool people into installing the malware.
For as long as I can remember, Mac users have believed they operate in an environment that is impenetrable to malware. But the reality is that most criminals don’t bother hacking software – they hack people. By tricking people through social engineering, they get people to effectively hack their own systems and introduce malware or vulnerabilities that can be exploited.
That means constant vigilance is required.
When downloading software, always verify that the site you are using is trustworthy. This is why purchasing through regulated app stores can be safer. If you are prompted to use a Terminal command when fixing a problem, check that it is a legitimate command. This is one place where a trusted AI tool can help.

Anthony is the founder of Australian Apple News. He is a long-time Apple user and former editor of Australian Macworld. He has contributed to many technology magazines and newspapers as well as appearing regularly on radio and occasionally on TV.