Cybercriminals deploy Shamos malware via fake mac repair sites

A new dangerous campaign of malware targets Mac users worldwide. Crowdstrike safety researchers have discovered Shamos, a new variant of the atomic macos thief (Amos), developed by a cybercriminal group called Cookie Spider.

The attack is based on clickfix tactics, where victims looking for Mac troubleshooting help are attracted to false websites or Github standards. These usurped sites encourage users to copy and stick an online command in the terminal, supposed to repair an error. Instead, the command silently downloads Shamos, bypassing Gatekeeper MacOS protections and installs malicious software.

Once inside, Shamos is looking for sensitive data, Apple notes, trousseau elements, browser passwords and even cryptocurrency wallets. The stolen information is zipped and sent directly to the attackers, often alongside additional malware such as botnet modules or fake large book portfolio applications.

Register for my free cyberguy report
Get my best technological advice, my urgent safety alerts and my exclusive offers delivered directly in your reception box. In addition, you will have instant access to my survival guide at the ultimate – free swindle when you join my Cyberguy.com/newsletter

10 ways to secure your older mac threats and malware

How Shamos malware propagates on macOS

Cybercriminals distribute these false “corrective” through so-called “malvertling” campaigns and technological assistance sites usurped with names like Mac-SAFER[.]com or rescue-mac[.]com. These pages pose confidence troubleshooting guides and appear in search results for current Mac problems, such as “how to rinse the resolver cache”.

The websites encourage victims to copy and paste orders that download malicious scripts. These scripts enter the user’s password, delete file protections and launch Shamos. With installed persistence tools, malware can even restart next to the system, keeping control long after the initial infection.

Castchagedon signals a dangerous change

A false aid page provides victims with false instructions on how to solve problems with their Mac computer. (Crowdsstrike)

Advice to stay away from Shamos malware

You can avoid being the victim of Shamos and similar threats with these proactive steps:

1) Never execute the orders you don’t understand

Copy commands in the terminal may seem an easy solution, but it is also one of the simplest ways for attackers to bypass Apple’s integrated protections. If you see an order on a website, a forum or a GitHub repository, do not run it unless you fully understand what it does. Instead, confirm with Apple’s official assistance site or Apple community forums, where experienced users and moderators can check the safe breakdown stages.

2) Avoid sponsored results

Pirates know that when your Mac has a problem, you will look for a quick solution. This is why they buy sponsored advertisements like the one below to push the false troubleshooting sites in the search results. Click on the upper link may seem natural, but it could be a trap. Stay with sources of trust such as Apple support, or scroll through the announcements to find legitimate guides.

Click here to obtain the Fox News app

False instructions on how to solve printer problems on macOS. (Crowdsstrike)

3) Beware of GitHub projects

Github is an incredible resource for developers, but it has also become a hotspot for malicious benchmarks that imitate legitimate software. The attackers often clone applications or popular tools, then mask malware inside. Before downloading anything, see the publisher’s name, stars and activities history. If the account seems suspicious, inactive or new, avoid it.

4) Use high antivirus protection

Mac malware is quickly evolving and Apple’s integrated safety features cannot catch everything. A strong antivirus adds another defense layer by scanning downloads, blocking malicious scripts and detecting suspicious behavior in real time. Some safety tools may even identify orders from the online terminal used by Shamos before harming.

Get my choices for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices Cyberguy.com/lockupyourtech

5) Use a personal data deletion service

Since Shamos is designed to steal personal information and send it to cybercriminals, reducing your online imprint can help limit the benefits. A personal data deletion service analyzes the data broker sites and delete your information exposed, which makes it more difficult for attackers to resell or exploit them after a violation. Although this will not prevent malware from stealing what is on your Mac, it adds another protective layer by minimizing the data that criminals can use against you.

Consult my best choices for data deletion services and get a free analysis to find out if your personal information is already on the web by visiting Cyberguy.com/delete

Get a free scan to find out if your personal information is already on the web: Cyberguy.com/freescan

6) Keep the macOS up to date

Apple regularly corrects vulnerabilities in macOS that malware is trying to exploit. By keeping your system up to date, you close the doors on which the attackers rely. Activate the automatic updates, so that your Mac receives the latest fixes as soon as they are available. Associating it with good digital hygiene, such as avoiding shaded downloads, considerably reduces your risk of infection.

Kurt’s main dishes

Cybercriminals know that when your Mac breaks, you will look for quick answers. Shamos takes advantage of this emergency by disguising himself. Staying safe means slowing down before copying, sticking or downloading anything. If something feels turned off, this is probably the case.

Should Apple do more to protect Mac users from threats to Shamos? Let us know by writing to Cyberguy.com/contact

Register for my free cyberguy report
Get my best technological advice, my urgent safety alerts and my exclusive offers delivered directly in your reception box. In addition, you will have instant access to my survival guide at the ultimate – free swindle when you join my Cyberguy.com/newsletter

Copyright 2025 cyberguy.com. All rights reserved.