Find notable cyber news and cases, enriched with sources, timelines, and signals.

Shamos infostealer targets macOS via ClickFix delivery

Malware Activity
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

The Shamos infostealer is abusing ClickFix lures to infect macOS users, turning fake troubleshooting prompts into a credential- and wallet-theft risk. CrowdStrike says it has seen attempted infections against over three hundred environments worldwide since June 2025. The malware steals data from web browsers, Keychain, Apple Notes, and cryptocurrency wallets. It can also establish persistence and drop additional payloads after execution.

Related Happenings

Atomic Stealer (AMOS) macOS ClickFix Script Editor activity

Malware Activity
H score30 First: 09.04.2026 14:20 Last: 09.04.2026 14:20 Sources 1

About this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...

ClickFix MacSync social-engineering campaign targeting macOS users

Campaign
H score38 First: 16.03.2026 13:41 Last: 16.03.2026 13:41 Sources 1

About this happening: A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...

Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse

Malware Activity
H score31 First: 12.02.2026 16:25 Last: 12.02.2026 16:25 Sources 1

About this happening: **Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through **ClickFix-style Terminal prompts** that silently **download, mount, and launch DMG payloads**. In...

MacOS infostealer campaign using fake ads and ClickFix lures

Campaign
H score41 First: 04.02.2026 09:42 Last: 04.02.2026 09:42 Sources 1

About this happening: **macOS users** are being targeted in a **ClickFix** campaign that abuses **Google search ads** to steer people into poisoned **ChatGPT** and **Grok** conversations. The lure uses...

MacSync macOS information stealer variant delivered via signed Swift app

Malware Activity
H score30 First: 24.12.2025 18:23 Last: 24.12.2025 18:23 Sources 1

About this happening: A new **MacSync** malware variant is being delivered through a **digitally signed, notarized Swift app** disguised as a messaging installer, raising the risk of **Gatekeeper bypas...

Timeline

  1. 22.08.2025 18:44 1 articles · 10mo ago

    Shamos infostealer disclosed targeting macOS users

    Initial Disclosure

    Shamos, a macOS infostealer variant of Atomic macOS Stealer (AMOS) developed by COOKIE SPIDER, was identified in ClickFix lures that impersonate troubleshooting fixes and prompt Mac users to run Terminal commands. The malware steals browser, Keychain, Apple Notes, and cryptocurrency wallet data, can use anti-VM checks and AppleScript reconnaissance, and has been seen attempting infections against over three hundred monitored environments worldwide since June 2025.

    Show sources