Shamos infostealer targets macOS via ClickFix delivery

Malware Activity
Happening score: 21
1 unique source, 1 article

Summary

The Shamos infostealer is abusing ClickFix lures to infect macOS users, turning fake troubleshooting prompts into a credential- and wallet-theft risk. CrowdStrike says it has seen attempted infections against over three hundred environments worldwide since June 2025. The malware steals data from web browsers, Keychain, Apple Notes, and cryptocurrency wallets. It can also establish persistence and drop additional payloads after execution.

Related Happenings

ClickFix MacSync social-engineering campaign targeting macOS users

Campaign
First: 16.03.2026 13:41 Last: 16.03.2026 13:41 Sources 1

About this happening: A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...

Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse

Malware Activity
First: 12.02.2026 16:25 Last: 12.02.2026 16:25 Sources 1

About this happening: **Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through multiple delivery paths, including **fraudulent GitHub repositories**, **SEO poisoning**, **malvert...

MacOS infostealer campaign using fake ads and ClickFix lures

Campaign
First: 04.02.2026 09:42 Last: 04.02.2026 09:42 Sources 1

About this happening: **macOS users** are being targeted in a **ClickFix** campaign that abuses **Google search ads** to steer people into poisoned **ChatGPT** and **Grok** conversations. The lure uses...

MacSync macOS information stealer variant delivered via signed Swift app

Malware Activity
First: 24.12.2025 18:23 Last: 24.12.2025 18:23 Sources 1

About this happening: A new **MacSync** malware variant is being delivered through a **digitally signed, notarized Swift app** disguised as a messaging installer, raising the risk of **Gatekeeper bypas...

WebRAT malware distribution via fake GitHub exploit repositories

Malware Activity
First: 23.12.2025 21:31 Last: 23.12.2025 21:31 Sources 1

About this happening: The **WebRAT** backdoor is now being **distributed through GitHub repositories** that masquerade as proof-of-concept exploits, increasing the chance that researchers and developer...

Timeline

  1. 22.08.2025 18:44 · 1 article · 9mo ago

    Shamos infostealer disclosed targeting macOS users

    Initial Disclosure

    Shamos, a macOS infostealer variant of Atomic macOS Stealer (AMOS) developed by COOKIE SPIDER, was identified in ClickFix lures that impersonate troubleshooting fixes and prompt Mac users to run Terminal commands. The malware steals browser, Keychain, Apple Notes, and cryptocurrency wallet data, can use anti-VM checks and AppleScript reconnaissance, and has been seen attempting infections against over three hundred monitored environments worldwide since June 2025.