A dangerous new malware campaign is targeting Mac users worldwide. Security researchers at CrowdStrike uncovered Shamos, a new variant of the Atomic macOS Stealer (AMOS), developed by a cybercriminal group called COOKIE SPIDER.
The attack relies on ClickFix tactics, where victims searching for Mac troubleshooting help are lured to fake websites or GitHub repositories. These spoofed sites trick users into copying and pasting a one-line command in Terminal, supposedly to fix an error. Instead, the command silently downloads Shamos, bypasses macOS Gatekeeper protections, and installs the malware.
Once inside, Shamos searches for sensitive data, Apple Notes, Keychain items, browser passwords, and even cryptocurrency wallets. The stolen information is zipped and sent directly to attackers, often alongside additional malware like botnet modules or fake Ledger wallet apps.

Credit: CrowdStrike
How Shamos malware spreads on macOS
Cybercriminals distribute these fake “fixes” through malvertising campaigns and spoofed tech help sites with names like mac-safer[.]com or rescue-mac[.]com. These pages pose as trusted troubleshooting guides and appear in search results for common Mac issues, such as “how to flush resolver cache.”
The websites encourage victims to copy and paste commands that download malicious Bash scripts. These scripts grab the user’s password, remove file protections, and launch Shamos. With persistence tools installed, the malware can even restart with the system, keeping control long after the initial infection.

Credit: CrowdStrike
Tips to stay safe from Shamos malware
You can avoid falling victim to Shamos and similar threats with these proactive steps:
1) Never run commands you don’t understand
Copy-pasting commands into Terminal may seem like an easy fix, but it’s also one of the easiest ways for attackers to bypass Apple’s built-in protections. If you see a command on a website, forum, or GitHub repository, don’t execute it unless you fully understand what it does. Instead, confirm with Apple’s official support site or the Apple Community forums, where experienced users and moderators can verify safe troubleshooting steps.
2) Avoid sponsored results
Hackers know that when your Mac has a problem, you’ll search for a quick solution. That’s why they buy sponsored ads like the one below to push fake troubleshooting websites higher in search results. Clicking the top link may feel natural, but it could be a trap. Stick with trusted sources like Apple Support, or scroll past the ads to find legitimate guides.

Credit: CrowdStrike
3) Be wary of GitHub projects
GitHub is an amazing resource for developers, but it’s also become a hotspot for malicious repositories that mimic legitimate software. Attackers often clone popular apps or tools, then hide malware inside. Before downloading anything, check the publisher’s name, stars, and activity history. If the account looks suspicious, inactive, or brand-new, avoid it.
Watch the latest episode of The CyberGuy Report.
Missed this event? Sign up via the registration form and see our live recording.
See Kurt’s latest Amazon picks for useful gadgets, smart home upgrades and everyday tech worth grabbing while the deals last.
4) Use strong antivirus protection
Mac malware is evolving fast, and Apple’s built-in security features can’t catch everything. A strong antivirus adds another layer of defense by scanning downloads, blocking malicious scripts, and detecting suspicious behavior in real time. Some security tools can even spot the one-line Terminal commands used by Shamos before they cause harm.
- Strong real-time protection against viruses, malware, ransomware and hacking attempts
- AI-powered scam protection to help identify suspicious emails, texts and websites
- Built-in password manager to securely store and manage logins
- 2 GB PC cloud backup to help protect important files from ransomware or hardware failure
- Smart firewall and phishing protection
- Protects 1, 3 or 5 devices
- Available for Windows, macOS, Android and iOS
- Includes real-time threat protection, smart firewall and phishing protection to guard against online attacks
5) Use a personal data removal service
Since Shamos is designed to steal personal information and send it to cybercriminals, reducing your online footprint can help limit the fallout. A personal data removal service scans data broker sites and removes your exposed information, making it harder for attackers to resell or exploit it after a breach. While this won’t stop malware from stealing what’s on your Mac, it adds another layer of protection by minimizing the data criminals can use against you.
Incogni, a service I trust 100% and use myself, helps automate the process by submitting removal requests to hundreds of data brokers and people-search sites on your behalf.
Incogni automatically contacts data brokers on your behalf and requests the removal of your personal information. It also continues monitoring those sites and submits new removal requests if your data reappears.
- Incogni currently removes personal data from 420+ data broker and people-search websites, and its Unlimited plan allows you to request removals from as many additional sites as you need.
- Incogni has also received third-party assurance from Deloitte, validating its marketing claims.
- The goal is simple: make it much harder for strangers, scammers, and cybercriminals to find your personal information online.
CyberGuy readers get 60% off Incogni’s annual plans using the links in this article.
The service also includes a 30-day money-back guarantee, so you can try it risk-free and see how much of your information is exposed online.
Is your personal information exposed online?
Run a free scan to see if your personal info is compromised. Results arrive by email in about an hour.
6) Keep macOS updated
Apple regularly patches vulnerabilities in macOS that malware tries to exploit. By keeping your system up to date, you close the doors that attackers rely on. Enable automatic updates so your Mac receives the latest patches as soon as they’re available. Pairing this with good digital hygiene, like avoiding shady downloads, dramatically lowers your risk of infection.
Kurt’s key takeaways
Cybercriminals know that when your Mac breaks, you’ll look for quick answers. Shamos takes advantage of that urgency by disguising itself as help. Staying safe means slowing down before you copy, paste, or download anything. If something feels off, it probably is.
Should Apple be doing more to protect Mac users from evolving threats like Shamos? Let us know your thoughts in the comments below.
FOR MORE OF MY TECH TIPS & SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE
Copyright 2025 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.
