Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Whitepapers
    • AI Models Leaderboard
  • AI toolsNEW
  • Newsletter
  • + More
    • Glossary
    • Conversations
    • Events
    • About
      • Who we are
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
  • AI
  • Tech
  • Cybersecurity
  • Finance
  • DeFi & Blockchain
  • Startups
  • Gaming
Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Whitepapers
    • AI Models Leaderboard
  • AI toolsNEW
  • Newsletter
  • + More
    • Glossary
    • Conversations
    • Events
    • About
      • Who we are
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
Dataconomy
No Result
View All Result

Shamos malware targets Macs via ClickFix attacks

CrowdStrike, a cybersecurity firm, detected the Shamos malware and reported that infection attempts have been identified in over 300 environments globally under their monitoring since June 2025.

byEmre Çıtak
August 25, 2025
in Cybersecurity, News
Home News Cybersecurity
Share on FacebookShare on TwitterShare on LinkedInShare on WhatsAppShare on e-mail
Google Preferred Source

A new infostealer malware, dubbed ‘Shamos,’ is actively targeting Mac devices through deceptive ClickFix attacks. These attacks masquerade as legitimate troubleshooting guides and purported system fixes, deceiving users into unknowingly installing the malicious software.

Shamos, identified as a variant of the Atomic macOS Stealer (AMOS), was reportedly developed by the cybercriminal group known as “COOKIE SPIDER.” The primary function of Shamos is to pilfer sensitive data and credentials stored within various applications and services on the compromised Mac device. This includes information from web browsers, Keychain access, Apple Notes, and cryptocurrency wallets.

CrowdStrike, a cybersecurity firm, detected the Shamos malware and reported that infection attempts have been identified in over 300 environments globally under their monitoring since June 2025. This indicates a widespread and ongoing campaign targeting Mac users.

Stay Ahead of the Curve!

Don't miss out on the latest insights, trends, and analysis in the world of data, technology, and startups. Subscribe to our newsletter and get exclusive content delivered straight to your inbox.

The malware is propagated through ClickFix attacks, which are delivered via malvertising or through deceptive GitHub repositories. These attacks manipulate users into executing specific shell commands within the macOS Terminal application. Victims are often presented with prompts urging them to run these commands under the guise of installing software or resolving fabricated errors. However, the execution of these commands initiates the download and installation of the Shamos malware onto the system.

Advertisements and spoofed web pages, such as mac-safer[.]com and rescue-mac[.]com, are used to lure potential victims. These pages often claim to provide assistance with common macOS problems that users are likely to search for online. The pages contain instructions that direct users to copy and paste commands into the Terminal to supposedly fix the identified issue. Unbeknownst to the user, these commands do not fix any problems but instead initiate the malware infection process.

The malicious command, when executed, proceeds to decode a Base64-encoded URL and retrieves a malicious Bash script from a remote server. This script captures the user’s password and downloads the Shamos mach-O executable. The script further prepares and executes the malware, utilizing ‘xattr’ to remove the quarantine flag and ‘chmod’ to make the binary executable, effectively bypassing Apple’s Gatekeeper security feature.

Once Shamos is executed on a device, it performs anti-VM commands to determine whether it’s running within a sandboxed environment. Following this, AppleScript commands are executed for host reconnaissance and data collection. Shamos then searches for specified types of sensitive data stored on the device, including cryptocurrency wallet files, Keychain data, Apple Notes data, and information stored within the victim’s web browsers.

After the data collection process is completed, Shamos packages the collected information into an archive file named ‘out.zip’ and transmits this archive to the attacker using the ‘curl’ command. In instances where the malware is executed with sudo (superuser) privileges, Shamos creates a Plist file named ‘com.finder.helper.plist’ and stores it in the user’s LaunchDaemons directory. This ensures persistence through automatic execution when the system starts up.

CrowdStrike’s analysis also revealed that Shamos possesses the capability to download additional payloads onto the victim’s home directory. Instances have been observed where threat actors have deployed a spoofed Ledger Live wallet application and a botnet module.

macOS users are cautioned against executing commands found online if the purpose and functionality of the commands are not fully understood. The same caution applies to GitHub repositories, as the platform is often exploited to host malicious projects designed to infect unsuspecting users. When encountering issues with macOS, it is recommended to avoid sponsored search results and instead seek assistance through official Apple Community forums, which are moderated by Apple, or by using the system’s built-in Help function (Cmd + Space → “Help”).

ClickFix attacks have become an increasingly common tactic used for malware distribution. Threat actors employ these attacks in various scenarios, including TikTok videos, disguised captchas, and as purported fixes for fake Google Meet errors. The effectiveness of this tactic has led to its adoption in ransomware attacks and by state-sponsored threat actors.


Featured image credit

Tags: Applemac

Related Posts

Suno brings AI music generation to iMessage

Suno brings AI music generation to iMessage

July 17, 2026
Google renames NotebookLM to Gemini Notebook

Google renames NotebookLM to Gemini Notebook

July 17, 2026
Google AI Mode adds Canva and Instacart integrations

Google AI Mode adds Canva and Instacart integrations

July 17, 2026
AMD launches Ryzen 7 7700X3D for 9

AMD launches Ryzen 7 7700X3D for $329

July 17, 2026
Roblox brings AI game creation to mobile devices

Roblox brings AI game creation to mobile devices

July 17, 2026
Netflix used AI in nearly 300 titles this year

Netflix used AI in nearly 300 titles this year

July 17, 2026

LATEST NEWS

Suno brings AI music generation to iMessage

Google renames NotebookLM to Gemini Notebook

Google AI Mode adds Canva and Instacart integrations

AMD launches Ryzen 7 7700X3D for $329

Roblox brings AI game creation to mobile devices

Netflix used AI in nearly 300 titles this year

BEST AI MODELS LEADERBOARD

See the best AI models, ranked by intelligence, benchmark results, speed and token price. Find the most suitable LLMs, Text-to-Image, Image Editing, Text-to-Speech, Text-to-Video and Image-to-Video  artificial intelligence model for your tasks and business.

LATEST TOOLS

Amanda AI

InterviewBot

VernAI

MyLoans

Essay Grader AI

Cover Letter AI

Animate Old Photos

Resume.io

MonAI

AIEngine Plugin

Dataconomy

COPYRIGHT © DATACONOMY MEDIA GMBH, ALL RIGHTS RESERVED.

  • About
  • Imprint
  • Contact
  • Legal & Privacy

Follow Us

  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Whitepapers
    • AI Models Leaderboard
  • AI tools
  • Newsletter
  • + More
    • Glossary
    • Conversations
    • Events
    • About
      • Who we are
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
No Result
View All Result
Subscribe

This website uses cookies to improve your experience. You can choose to accept or reject them. Visit our Privacy Policy.