Close Menu
Cybercrime and Ransomware

Fake Mac Fixes Trick Users into Installing Shamos Infostealer

Staff WriterBy No Comments4 Mins Read1 Views

Quick Takeaways

  1. ‘Shamos,’ a macOS infostealer malware developed by "COOKIE SPIDER," targets Mac devices via ClickFix attacks, impersonating troubleshooting guides to bypass user caution.
  2. ‘Shamos’ is delivered through malicious GitHub repositories or fake ads prompting users to run shell commands, which download and execute the malware after decoding Base64 URLs.
  3. Once active, the malware collects sensitive data including credentials, cryptocurrency wallets, and notes, then compresses and transmits this information to attackers, with capabilities for persistence and payload downloads.
  4. Users are urged to avoid executing unknown commands and suspicious links, instead seeking help from official sources or Apple’s community forums to prevent infection via ClickFix or similar attack vectors.

Key Challenge

The story reports that a sophisticated new malware called ‘Shamos,’ targeting Mac devices, has been actively spreading through a series of malicious ClickFix attacks since June 2025. Developed by the cybercriminal group “COOKIE SPIDER,” Shamos is a variant of the Atomic macOS Stealer (AMOS) and is designed to impersonate legitimate troubleshooting guides via fake websites and malicious GitHub repositories. Victims, lured through deceptive advertisements and search engine results promising to fix common macOS issues, unknowingly execute harmful shell commands in their Terminal app, leading to the malware’s download and installation. Once active, Shamos conducts anti-virtual machine checks, gathers sensitive information—including browser data, Keychain items, cryptocurrency wallets, and Apple Notes—and then transmits this stolen data to attackers. The malware can also maintain persistence by creating launch daemons and downloading additional payloads, such as fake wallet apps or botnet modules, further endangering users. CrowdStrike, the cybersecurity firm monitoring these attacks, reports over 300 such infection attempts worldwide, emphasizing the growing threat posed by these manipulative and widespread ClickFix tactics. The report emphasizes that these attacks exploit user trust and platform vulnerabilities, and recommends users avoid executing commands or downloading software from unverified sources, and instead rely on official Apple support channels for troubleshooting.

Risks Involved

The emergence of the Shamos infostealer malware targeting Mac devices exemplifies a significant escalation in cyber risks, as it leverages sophisticated social engineering tactics—such as ClickFix attacks, fake troubleshooting sites, and malicious GitHub repositories—to deceive users into executing harmful shell commands. Once installed, Shamos conducts targeted data harvesting, extracting sensitive information from web browsers, Keychains, Notes, and cryptocurrency wallets, and can escalate privileges to establish persistence and download additional payloads, including trojanized applications and botnet modules. Its capacity to bypass security measures by modifying system attributes and its ability to evade sandbox detection through anti-VM commands magnify its threat level, potentially leading to extensive data breaches, financial loss, and increased vulnerability to further cyberattacks. The widespread adoption of ClickFix attacks, used in ransomware, state-sponsored cyber operations, and disguised scams, underscores the urgent need for robust cybersecurity awareness and preventive measures, emphasizing caution against executing unknown commands and reliance on official support channels rather than unverified online sources.

Possible Action Plan

Prompted by the rise of deceptive tactics, timely remediation of the ‘Fake Mac fixes trick users into installing new Shamos infostealer’ scam is crucial to prevent widespread data theft and system compromise.

Immediate Action

  • Disconnect affected devices from the internet to prevent further data transmission.

Identify and Isolate

  • Run comprehensive malware scans using reputable security tools to detect the Shamos infostealer.
  • Isolate infected systems to prevent spread within the network.

Remove Malicious Files

  • Manually delete any suspicious files related to the fake Mac fixes or Shamos payloads, if identified.

Patch and Update

  • Install all relevant security patches and updates for your operating system and applications to close vulnerabilities.

Change Credentials

  • Reset all compromised passwords and enable multi-factor authentication where possible.

Inform and Educate

  • Notify users about the scam, emphasizing the importance of downloading updates Only from official sources.

Monitor Systems

  • Continuously monitor network activity and logs for signs of further malicious activity.

Review Policies

  • Implement or reinforce cybersecurity policies that address safe update and download practices.

Advance Your Cyber Knowledge

Discover cutting-edge developments in Emerging Tech and industry Insights.

Learn more about global cybersecurity standards through the NIST Cybersecurity Framework.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.