Shamos infostealer targets macOS via ClickFix delivery
Malware Activity
Summary
Hide ▲
Show ▼
The Shamos infostealer is abusing ClickFix lures to infect macOS users, turning fake troubleshooting prompts into a credential- and wallet-theft risk. CrowdStrike says it has seen attempted infections against over three hundred environments worldwide since June 2025. The malware steals data from web browsers, Keychain, Apple Notes, and cryptocurrency wallets. It can also establish persistence and drop additional payloads after execution.
Related Happenings
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware Activity
H score30
First: 09.04.2026 14:20
Last: 09.04.2026 14:20
Sources 1
About this happening:
A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware ActivityAbout this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
ClickFix MacSync social-engineering campaign targeting macOS users
Campaign
H score38
First: 16.03.2026 13:41
Last: 16.03.2026 13:41
Sources 1
About this happening:
A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...
ClickFix MacSync social-engineering campaign targeting macOS users
CampaignAbout this happening: A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...
Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse
Malware Activity
H score31
First: 12.02.2026 16:25
Last: 12.02.2026 16:25
Sources 1
About this happening:
**Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through **ClickFix-style Terminal prompts** that silently **download, mount, and launch DMG payloads**. In...
Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse
Malware ActivityAbout this happening: **Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through **ClickFix-style Terminal prompts** that silently **download, mount, and launch DMG payloads**. In...
MacOS infostealer campaign using fake ads and ClickFix lures
Campaign
H score41
First: 04.02.2026 09:42
Last: 04.02.2026 09:42
Sources 1
About this happening:
**macOS users** are being targeted in a **ClickFix** campaign that abuses **Google search ads** to steer people into poisoned **ChatGPT** and **Grok** conversations. The lure uses...
MacOS infostealer campaign using fake ads and ClickFix lures
CampaignAbout this happening: **macOS users** are being targeted in a **ClickFix** campaign that abuses **Google search ads** to steer people into poisoned **ChatGPT** and **Grok** conversations. The lure uses...
MacSync macOS information stealer variant delivered via signed Swift app
Malware Activity
H score30
First: 24.12.2025 18:23
Last: 24.12.2025 18:23
Sources 1
About this happening:
A new **MacSync** malware variant is being delivered through a **digitally signed, notarized Swift app** disguised as a messaging installer, raising the risk of **Gatekeeper bypas...
MacSync macOS information stealer variant delivered via signed Swift app
Malware ActivityAbout this happening: A new **MacSync** malware variant is being delivered through a **digitally signed, notarized Swift app** disguised as a messaging installer, raising the risk of **Gatekeeper bypas...
Timeline
-
22.08.2025 18:44 1 articles · 10mo ago
Shamos infostealer disclosed targeting macOS users
Initial DisclosureShamos, a macOS infostealer variant of Atomic macOS Stealer (AMOS) developed by COOKIE SPIDER, was identified in ClickFix lures that impersonate troubleshooting fixes and prompt Mac users to run Terminal commands. The malware steals browser, Keychain, Apple Notes, and cryptocurrency wallet data, can use anti-VM checks and AppleScript reconnaissance, and has been seen attempting infections against over three hundred monitored environments worldwide since June 2025.
Show sources
- Fake Mac fixes trick users into installing new Shamos infostealer — www.bleepingcomputer.com — 22.08.2025 18:44