Shamos malware tricks Mac users with fake fixes

Shamos malware tricks Mac users with fake fixes

New Mac threat steals passwords, crypto, and personal data through fake troubleshooting guides

by Kurt Knutsson
image_printPrint this article

A dangerous new malware campaign is targeting Mac users worldwide. Security researchers at CrowdStrike uncovered Shamos, a new variant of the Atomic macOS Stealer (AMOS), developed by a cybercriminal group called COOKIE SPIDER.

The attack relies on ClickFix tactics, where victims searching for Mac troubleshooting help are lured to fake websites or GitHub repositories. These spoofed sites trick users into copying and pasting a one-line command in Terminal, supposedly to fix an error. Instead, the command silently downloads Shamos, bypasses macOS Gatekeeper protections, and installs the malware.

Once inside, Shamos searches for sensitive data, Apple Notes, Keychain items, browser passwords, and even cryptocurrency wallets. The stolen information is zipped and sent directly to attackers, often alongside additional malware like botnet modules or fake Ledger wallet apps.

 

 

Malicious sponsored results on Google Search

Credit: CrowdStrike

 

How Shamos malware spreads on macOS

Cybercriminals distribute these fake “fixes” through malvertising campaigns and spoofed tech help sites with names like mac-safer[.]com or rescue-mac[.]com. These pages pose as trusted troubleshooting guides and appear in search results for common Mac issues, such as “how to flush resolver cache.”

The websites encourage victims to copy and paste commands that download malicious Bash scripts. These scripts grab the user’s password, remove file protections, and launch Shamos. With persistence tools installed, the malware can even restart with the system, keeping control long after the initial infection.

The fake help pages provide victims with false instructions for how to fix their problem

Credit: CrowdStrike

 

Tips to stay safe from Shamos malware

You can avoid falling victim to Shamos and similar threats with these proactive steps:

 

1) Never run commands you don’t understand

Copy-pasting commands into Terminal may seem like an easy fix, but it’s also one of the easiest ways for attackers to bypass Apple’s built-in protections. If you see a command on a website, forum, or GitHub repository, don’t execute it unless you fully understand what it does. Instead, confirm with Apple’s official support site or the Apple Community forums, where experienced users and moderators can verify safe troubleshooting steps.

 

2) Avoid sponsored results

Hackers know that when your Mac has a problem, you’ll search for a quick solution. That’s why they buy sponsored ads like the one below to push fake troubleshooting websites higher in search results. Clicking the top link may feel natural, but it could be a trap. Stick with trusted sources like Apple Support, or scroll past the ads to find legitimate guides.

 

False instructions for fixing printer issues on macOS

Credit: CrowdStrike

 

3) Be wary of GitHub projects

GitHub is an amazing resource for developers, but it’s also become a hotspot for malicious repositories that mimic legitimate software. Attackers often clone popular apps or tools, then hide malware inside. Before downloading anything, check the publisher’s name, stars, and activity history. If the account looks suspicious, inactive, or brand-new, avoid it.

More from CyberGuy
🔴 Free Live Class
Latest CyberGuy Report podcast episode

Watch the latest episode of The CyberGuy Report.

📱 Free class recording: Lock down your phone

Missed this event? Sign up via the registration form and see our live recording.

🛒 This week’s top Amazon deals

See Kurt’s latest Amazon picks for useful gadgets, smart home upgrades and everyday tech worth grabbing while the deals last.

×

Latest CyberGuy Report podcast episode

Reserve your free spot

 

4) Use strong antivirus protection

Mac malware is evolving fast, and Apple’s built-in security features can’t catch everything. A strong antivirus adds another layer of defense by scanning downloads, blocking malicious scripts, and detecting suspicious behavior in real time. Some security tools can even spot the one-line Terminal commands used by Shamos before they cause harm.

One of the top solutions we recommend is Norton Antivirus Plus, which extends protection beyond just traditional virus scanning. While iPhones have strong built-in security, Norton adds an important extra layer by helping block malicious websites, phishing links, and unsafe downloads before they can cause harm. If you accidentally tap a bad link in an email, text message, or social media post, Norton helps prevent access to known dangerous sites using its continuously updated threat intelligence. If you are interested in a strong antivirus with phone customer service, we recommend Norton Antivirus Plus. This product includes:
  • Strong real-time protection against viruses, malware, ransomware and hacking attempts
  • AI-powered scam protection to help identify suspicious emails, texts and websites
  • Built-in password manager to securely store and manage logins
  • 2 GB PC cloud backup to help protect important files from ransomware or hardware failure
  • Smart firewall and phishing protection
COVERAGE
  • Protects 1, 3 or 5 devices
  • Available for Windows, macOS, Android and iOS
  • Includes real-time threat protection, smart firewall and phishing protection to guard against online attacks
EXCLUSIVE CYBERGUY DEAL: 58% off (year 1) Please note that the above product is the core antivirus product. Norton may try to upsell additional products, but we don’t recommend them. We encourage you to decline those offers.

 

5) Use a personal data removal service

Since Shamos is designed to steal personal information and send it to cybercriminals, reducing your online footprint can help limit the fallout. A personal data removal service scans data broker sites and removes your exposed information, making it harder for attackers to resell or exploit it after a breach. While this won’t stop malware from stealing what’s on your Mac, it adds another layer of protection by minimizing the data criminals can use against you.

Incogni, a service I trust 100% and use myself, helps automate the process by submitting removal requests to hundreds of data brokers and people-search sites on your behalf.

Incogni automatically contacts data brokers on your behalf and requests the removal of your personal information. It also continues monitoring those sites and submits new removal requests if your data reappears.

  • Incogni currently removes personal data from 420+ data broker and people-search websites, and its Unlimited plan allows you to request removals from as many additional sites as you need.
  • Incogni has also received third-party assurance from Deloitte, validating its marketing claims.
  • The goal is simple: make it much harder for strangers, scammers, and cybercriminals to find your personal information online.

CyberGuy Exclusive: 60% off

CyberGuy readers get 60% off Incogni’s annual plans using the links in this article.

The service also includes a 30-day money-back guarantee, so you can try it risk-free and see how much of your information is exposed online.

Get Incogni and remove your info
Get Incogni’s Family Plan

   

 

Is your personal information exposed online?

Run a free scan to see if your personal info is compromised. Results arrive by email in about an hour.

 

6) Keep macOS updated

Apple regularly patches vulnerabilities in macOS that malware tries to exploit. By keeping your system up to date, you close the doors that attackers rely on. Enable automatic updates so your Mac receives the latest patches as soon as they’re available. Pairing this with good digital hygiene, like avoiding shady downloads, dramatically lowers your risk of infection.

 

 

Kurt’s key takeaways

Cybercriminals know that when your Mac breaks, you’ll look for quick answers. Shamos takes advantage of that urgency by disguising itself as help. Staying safe means slowing down before you copy, paste, or download anything. If something feels off, it probably is.

Should Apple be doing more to protect Mac users from evolving threats like Shamos? Let us know your thoughts in the comments below. 

FOR MORE OF MY TECH TIPS & SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE

 

 

Copyright 2025 CyberGuy.com.  All rights reserved.  CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.

image_printPrint this article

   
 
 
🎙 Now Streaming: My New Podcast: The CyberGuy Report

   


 

Kurt’s Top Deals

Deals move fast and inventory can be limited, so don’t wait too long.

🔥 Editor’s pick
Summer entertaining
Ninja SLUSHi Machine
(26% off)
Frozen drinks and slushies at home in minutes.
 
Patriotic pick
American Flag
(19% off)
Heavyweight outdoor American flag.
💰 Top deal
Outdoor essential
TYPEC Solar Bug Zapper
(36% off)
Solar-powered bug zappers for patios and camping.
 
Car tech
ROVE R3 Dash Cam
(33% off)
Front, rear and cabin camera coverage.

Leave a Comment

Free newsletter

Get my free CyberGuy Report

Get my latest tech news, security alerts, tips and deals delivered straight to your inbox.

No spam. No sharing your email. Ever.

🎁

Bonus: Get my FREE Ultimate Scam Survival Guide instantly when you sign up.

By signing up, you agree to our Terms of Service and Privacy Policy . You may unsubscribe at any time.

Tips to avoid our newsletters going to your junk folder