A New macOS Malware Is Using “ClickFix” to Steal Passwords and Crypto Wallets
Researchers at CrowdStrike have identified a new macOS infection campaign deploying a malware strain known as Shamos. This trojan is a variant of Atomic macOS Stealer (AMOS), a notorious Mac infostealer, and is being operated by the threat group COOKIE SPIDER. Shamos is primarily designed to exfiltrate passwords, Keychain credentials, Apple Notes entries, cryptocurrency wallets, and browser data.
Since June 2025, Shamos has been detected in more than 300 infections worldwide. Its distribution leverages the ClickFix technique, in which attackers disguise malicious instructions as system fixes or configuration tips. Most often, the lure comes through online ads or fraudulent GitHub repositories. Victims are tricked into copying and executing a command in the macOS Terminal, supposedly to resolve driver or printer issues. In reality, the command decodes a Base64-encoded URL and fetches a malicious Bash script from a remote server.
The script’s first action is to capture the device owner’s password. It then downloads the Shamos binary, removes its quarantine flag using xattr, and makes it executable with chmod, thereby bypassing Gatekeeper protections. Once executed, the malware checks whether it is running inside a virtualized environment and issues a series of AppleScript commands to conduct reconnaissance and harvest system information.
The stolen data is compressed into an archive named out.zip and transmitted to the operators’ server via curl. If Shamos executes with administrative privileges, it persists by creating com.finder.helper.plist in the LaunchDaemons directory, ensuring automatic startup with macOS. CrowdStrike further notes that Shamos can download additional modules, including a counterfeit Ledger Live app for cryptocurrency wallet management, as well as botnet components.
ClickFix attacks are rapidly becoming one of the most common malware delivery methods. Once disguised as CAPTCHAs, Google Meet tips, or TikTok tutorials, they are now masquerading as macOS “bug fixes.” Their effectiveness is so pronounced that the technique has been adopted not only by cybercriminal groups but also by state-backed actors in targeted campaigns.
For macOS users, the advice is clear: never execute commands sourced from random online instructions, especially those embedded in advertisements or unverified GitHub repositories. Instead, seek guidance through the system’s built-in Help function (Cmd + Space → Help) or through official Apple Community forums, where posts are moderated for safety.