A new infostealer malware targeting Mac devices, called ‘Shamos,’ is targeting Mac devices in ClickFix attacks that impersonate troubleshooting guides and fixes.
The new malware, which is a variant of the Atomic macOS Stealer (AMOS), was developed by the cybercriminal group “COOKIE SPIDER,” and is used to steal data and credentials stored in web browsers, Keychain items, Apple Notes, and cryptocurrency wallets.
CrowdStrike, which detected Shamos, reports that the malware has attempted infections against over three hundred environments worldwide that they monitor since June 2025.
Promoted through ClickFix attacks
Victims are lured via malvertising or fake GitHub repositories that utilize ClickFix attacks that prompt users into executing shell commands in the macOS Terminal.
The threat actors prompt users to run these commands to install software or fix fake errors, but when executed, they actually download and execute the malware on the device.