Fake Mac fixes trick users into installing new Shamos infostealer

What’s new: A new infostealer malware named ‘Shamos’ is targeting Mac devices through ClickFix attacks, which impersonate troubleshooting guides. Developed by the cybercriminal group “COOKIE SPIDER,” Shamos is a variant of the Atomic macOS Stealer (AMOS) and is designed to steal sensitive data from web browsers, Keychain items, Apple Notes, and cryptocurrency wallets. The malware has been detected in over three hundred environments globally since June 2025.

Who’s affected

Mac users who execute commands from untrusted sources, particularly those found in malvertising or fake GitHub repositories, are at risk of infection. The malware is distributed through deceptive ads and websites that claim to provide solutions for common macOS issues.

What to do

• Do not execute commands from online sources unless you fully understand their function.
• Avoid clicking on sponsored search results for macOS support; instead, use the Apple Community forums or the built-in Help feature.
• Educate users about the risks of ClickFix attacks and the importance of verifying the authenticity of software and troubleshooting guides.

Sources

• BleepingComputer