Between June and August 2025, CrowdStrike's Falcon platform effectively thwarted a malware campaign targeting over 300 customer environments with SHAMOS, a variant of the Atomic macOS Stealer (AMOS) developed by the cybercriminal group COOKIE SPIDER. This campaign, which exploited malvertising to lure users to fake macOS help websites, involved malicious one-line installation commands that bypassed Gatekeeper security checks, installing Mach-O executables directly onto victims' devices to harvest sensitive data and cryptocurrency. The campaign's success highlights the ongoing popularity of such methods among eCrime actors, who utilize tactics like spoofing legitimate businesses in Google Advertising profiles to increase the reach of their malicious websites. CrowdStrike's assessment suggests that these techniques will continue to be favored by eCrime actors due to their effectiveness in bypassing security measures, emphasizing the need for robust endpoint protection strategies like those provided by CrowdStrike's Falcon platform.