A dangerous new malware campaign is targeting Mac users worldwide. Security researchers at CrowdStrike uncovered Shamos, a new variant of the Atomic macOS Stealer (AMOS), developed by a cybercriminal group called COOKIE SPIDER.

The attack relies on ClickFix tactics, where victims searching for Mac troubleshooting help are lured to fake websites or GitHub repositories. These spoofed sites trick users into copying and pasting a one-line command in Terminal, supposedly to fix an error. Instead, the command silently downloads Shamos, bypasses macOS Gatekeeper protections, and installs the malware.

Once inside, Shamos searches for sensitive data, Apple Notes, Keychain items, browser passwords, and even cryptocurrency wallets. The stolen information is zipped and sent directly to attackers, often alongside additional malware like botnet modules or fake Ledger wallet apps.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM/NEWSLETTER  

10 WAYS TO SECURE YOUR OLDER MAC FROM THREATS AND MALWARE

How Shamos malware spreads on macOS

Cybercriminals distribute these fake “fixes” through so-called “malvertising” campaigns and spoofed tech help sites with names like mac-safer[.]com or rescue-mac[.]com. These pages pose as trusted troubleshooting guides and appear in search results for common Mac issues, such as “how to flush resolver cache.”

The websites encourage victims to copy and paste commands that download malicious Bash scripts. These scripts grab the user’s password, remove file protections, and launch Shamos. With persistence tools installed, the malware can even restart alongside the system, keeping control long after the initial infection.

CAPTCHAGEDDON SIGNALS A DANGEROUS SHIFT

Tips to stay safe from Shamos malware

You can avoid falling victim to Shamos and similar threats with these proactive steps:

1) Never run commands you don’t understand

Copy-pasting commands into Terminal may seem like an easy fix, but it’s also one of the easiest ways for attackers to bypass Apple’s built-in protections. If you see a command on a website, forum, or GitHub repository, don’t execute it unless you fully understand what it does. Instead, confirm with Apple’s official support site or the Apple Community forums, where experienced users and moderators can verify safe troubleshooting steps.

2) Avoid sponsored results

Hackers know that when your Mac has a problem, you’ll search for a quick solution. That’s why they buy sponsored ads like the one below to push fake troubleshooting websites higher in search results. Clicking the top link may feel natural, but it could be a trap. Stick with trusted sources like Apple Support, or scroll past the ads to find legitimate guides.

3) Be wary of GitHub projects

GitHub is an amazing resource for developers, but it’s also become a hotspot for malicious repositories that mimic legitimate software. Attackers often clone popular apps or tools, then hide malware inside. Before downloading anything, check the publisher’s name, stars, and activity history. If the account looks suspicious, inactive, or brand-new, avoid it.

4) Use strong antivirus protection

Mac malware is evolving fast, and Apple’s built-in security features can’t catch everything. A strong antivirus adds another layer of defense by scanning downloads, blocking malicious scripts, and detecting suspicious behavior in real time. Some security tools can even spot the one-line Terminal commands used by Shamos before they cause harm.

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com/LockUpYourTech

5) Use a personal data removal service

Since Shamos is designed to steal personal information and send it to cybercriminals, reducing your online footprint can help limit the fallout. A personal data removal service scans data broker sites and removes your exposed information, making it harder for attackers to resell or exploit it after a breach. While this won’t stop malware from stealing what’s on your Mac, it adds another layer of protection by minimizing the data criminals can use against you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com/Delete

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com/FreeScan 

6) Keep macOS updated

Apple regularly patches vulnerabilities in macOS that malware tries to exploit. By keeping your system up to date, you close the doors that attackers rely on. Enable automatic updates, so your Mac receives the latest patches as soon as they’re available. Pairing this with good digital hygiene, like avoiding shady downloads, dramatically lowers your risk of infection.

Kurt’s key takeaways

Cybercriminals know that when your Mac breaks, you’ll look for quick answers. Shamos takes advantage of that urgency by disguising itself as help. Staying safe means slowing down before you copy, paste, or download anything. If something feels off, it probably is.

Should Apple be doing more to protect Mac users from evolving threats like Shamos? Let us know by writing to us at Cyberguy.com/Contact

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM/NEWSLETTER

Copyright 2025 CyberGuy.com. All rights reserved.