Financially Motivated2 malware families

Cookie Spider

Also known asCOOKIE SPIDER

COOKIE SPIDER is a cybercriminal threat actor tracked by CrowdStrike and described as a malware-as-a-service (MaaS) provider. The group is identified in the content as the developer and renter of Atomic macOS Stealer (AMOS), including the SHAMOS variant. CrowdStrike attributed SHAMOS development to COOKIE SPIDER and reported the group used malvertising and fake macOS help/support sites to trick users into executing one-line Terminal commands that downloaded and installed the stealer, including techniques intended to bypass Gatekeeper. The campaign targeted more than 300 customer environments between June and August 2025 and used lures related to macOS troubleshooting and fake software repositories, including malicious GitHub-hosted install instructions. The content states that COOKIE SPIDER’s macOS malware used anti-VM checks, AppleScript-based reconnaissance and collection, theft of credentials and browser data, and targeting of cryptocurrency wallets and related files. Reported collection included Keychain, Apple Notes, browser data, and wallet artifacts, with exfiltration via curl as ZIP archives. Additional reporting in the content describes newer AMOS samples linked through overlapping infrastructure with earlier AMOS/OpenClaw activity attributed to COOKIE SPIDER. Those samples expanded targeting toward cryptocurrency theft, including browser wallet extensions, desktop wallet applications, replacement of legitimate Ledger, Trezor, and Exodus apps with trojanized clones that phish 24-word BIP39 seed phrases, and installation of a persistent backdoor named kito. The malware was reported to use multilayer encryption, pipe-based execution to hide decrypted payloads, persistence via com.finder.helper.plist and /.agent, and separate infrastructure for stealer exfiltration, backdoor tasking, and seed-phrase collection. The content also states that malicious OpenClaw/ClawHub skills and social-engineering comments were used to deliver Atomic Stealer payloads, and explicitly identifies Atomic Stealer as developed and rented by Cookie Spider. No nation-state attribution is stated in the content. Known alias in the provided content: cookie_spider.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

22 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics34 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

1 technique

T1583

Acquire Infrastructure

T1583.001

Domains

TA0001

Initial Access

1 technique

T1195

Supply Chain Compromise

T1195.002

Compromise Software Supply Chain

TA0002

Execution

2 techniques

T1059

Command and Scripting Interpreter

T1059.002

AppleScript

T1059.004

Unix Shell

T1204

User Execution

TA0005

Stealth

4 techniques

T1027

Obfuscated Files or Information

T1036

Masquerading

T1140

Deobfuscate/Decode Files or Information

T1497

Virtualization/Sandbox Evasion

T1497.001

System Checks

TA0006

Credential Access

3 techniques

T1056

Input Capture

T1056.002

GUI Input Capture

T1056.003

Web Portal Capture

T1539

Steal Web Session Cookie

T1555

Credentials from Password Stores

T1555.001

Keychain

T1555.003

Credentials from Web Browsers

TA0007

Discovery

1 technique

T1497

Virtualization/Sandbox Evasion

T1497.001

System Checks

TA0009

Collection

3 techniques

T1005

Data from Local System

T1056

Input Capture

T1056.002

GUI Input Capture

T1056.003

Web Portal Capture

T1560

Archive Collected Data

T1560.002

Archive via Library

TA0011

Command and Control

4 techniques

T1071

Application Layer Protocol

T1071.001

Web Protocols

T1104

Multi-Stage Channels

T1105

Ingress Tool Transfer

T1219

Remote Access Tools

TA0010

Exfiltration

1 technique

T1041

Exfiltration Over C2 Channel

ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

Atomic StealerTwo new AMOS (Atomic macOS Stealer) samples uploaded to MalwareBazaar reveal a significant evolution of the macOS stealer family.5Apr 25, 2026

kitoA persistent backdoor ( kito ) maintains long-term access via a separate C2 at 45.94.47.204, ensuring the operator retains control even if the stealer C2 is taken down.1Apr 25, 2026

IOCS

Observables

47 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

47 IOCsView more in app

uri

17 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+9

hash.sha256

12 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+4

Domains

10 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+2

ip.v4

6 total

•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

hash.md5

2 total

•••••••••••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

breakglass intelNews

Mar 4, 2026

AMOS Stealer v3: Fully Decrypted -- Triple S-Box Encryption, Wallet Replacement Attacks, and a Three-Tier C2 Infrastructure - Breakglass Intelligence - Breakglass Intelligence

Operating and rapidly evolving the AMOS macOS stealer campaign, including credential theft, browser and wallet data theft, replacement of legitimate Ledger/Trezor/Exodus apps with trojanized clones to phish BIP39 seed phrases, and deployment of the kito persistence backdoor via a three-tier C2 infrastructure.

the hacker newsNews

Feb 28, 2026

ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket

Cybercrime actor associated with developing and renting Atomic Stealer, a macOS information stealer delivered via malicious OpenClaw/ClawHub skills.

the hacker newsNews

Aug 25, 2025

⚡ Weekly Recap: Password Manager Flaws, Apple 0-Day, Hidden AI Prompts, In-the-Wild Exploits & More

MaaS operator behind a variant of Atomic macOS Stealer (SHAMOS), delivered via ClickFix-style social engineering to run terminal commands that download and execute the stealer and additional payloads (e.g., spoofed wallet app, botnet module).

risky biz rssNews

Aug 22, 2025

Risky Bulletin: A decade later, Russian hackers are still using SYNful Knock, and it's still working

COOKIE SPIDER is a cybercriminal group responsible for developing and deploying macOS infostealers (AMOS/SHAMOS) using social engineering and ClickFix techniques to compromise users.

+1 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping22

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables47

Domains, IPs, and hashes tied to this actor, refreshed continuously.