Shamos Infostealer Targeting Mac Devices via ClickFix Attacks

3 unique sources, 6 articles

Summary

In March 2026, Apple introduced a Terminal security feature in macOS Tahoe 26.4 that blocks execution of pasted commands and warns users of potential risks, directly targeting ClickFix-style social engineering attacks used to distribute malware such as Shamos and MacSync. Since June 2025, the COOKIE SPIDER group’s Shamos infostealer has targeted Mac devices via ClickFix attacks, stealing data and credentials from browsers, Keychain, Apple Notes, and cryptocurrency wallets. Early variants relied on malvertising and fake GitHub repositories to trick users into executing shell commands, while later MacSync variants used digitally signed, notarized Swift applications to bypass Gatekeeper checks. Recent campaigns have leveraged legitimate platforms like Cloudflare Pages and Squarespace to host malicious installers, with ClickFix evolving to require minimal user pretexts.

Timeline

  1. 16.03.2026 13:41 2 articles · 15d ago

    ClickFix campaigns evolve to use legitimate platforms for distribution

    ClickFix campaigns have evolved to use legitimate platforms like Cloudflare Pages and Squarespace to host bogus installation instructions. The InstallFix variant of ClickFix tricks users into installing infostealer malware without needing additional pretexts. At least 20 distinct malware campaigns targeting AI and vibe coding tools have been identified, with nine affecting both Windows and macOS. The KongTuke TDS uses compromised WordPress websites and fake CAPTCHA lures to deliver the ModeloRAT trojan. ClickFix-style attacks have been used to distribute various malware families, including StealC Stealer, Vidar Stealer, Impure Stealer, and VodkaStealer. Apple’s Terminal security feature in macOS Tahoe 26.4 specifically targets the command execution stage of ClickFix attacks, reducing the risk of successful infections even when lures are hosted on legitimate platforms.

  2. 22.12.2025 22:43 5 articles · 3mo ago

    New MacSync variant bypasses macOS Gatekeeper checks

    Three distinct ClickFix campaigns have been identified distributing the MacSync infostealer via fake AI tool installers. The campaigns use various lures, including the OpenAI Atlas browser and ChatGPT conversations, to trick users into executing malicious commands. The latest variant of MacSync supports dynamic AppleScript payloads and in-memory execution to evade detection. The shell script retrieves the AppleScript infostealer payload from a hard-coded server and removes evidence of data theft. The malware harvests credentials, files, keychain databases, and cryptocurrency wallet seed phrases. Apple’s Terminal warning system in macOS Tahoe 26.4 adds another layer of defense by disrupting the execution phase of ClickFix attacks, though the feature’s effectiveness depends on command analysis and user behavior.

  3. 22.08.2025 18:44 3 articles · 7mo ago

    Shamos infostealer targeting Mac devices via ClickFix attacks

    Since June 2025, Shamos infostealer has attempted infections in over three hundred environments. The malware, developed by the COOKIE SPIDER group, steals data and credentials from web browsers, Keychain, Apple Notes, and cryptocurrency wallets. It is distributed through ClickFix attacks using malvertising and fake GitHub repositories. The malware uses anti-VM commands, AppleScript for reconnaissance, and creates persistence through a Plist file. Users are advised to avoid executing unknown commands and to seek help from trusted sources. Apple’s March 2026 macOS Tahoe 26.4 update introduces a Terminal security feature that blocks pasting and executing potentially harmful commands and warns users of risks, directly targeting ClickFix attack vectors used in Shamos and related campaigns.


Similar Happenings

Russian UNC6353 Uses Coruna and Darksword iOS Exploit Kits Across iOS 13–18.7 Targeting Financial Espionage and Data Theft

Apple has begun sending Lock Screen notifications to iPhones and iPads running outdated iOS versions warning users of active web-based exploits and urging immediate updates. This follows Apple’s support document alerting users to exploit kits like Coruna (targeting iOS 13–18.7) and Darksword (targeting iOS 18.4–18.7) and the public leak of a newer Darksword version on GitHub. Coruna and Darksword are now independently confirmed as closely related frameworks with shared origins in the 2019–2023 Operation Triangulation campaign, reinforcing attribution to Russian threat actor UNC6353 and associated groups. Coruna has evolved from a precision espionage tool into a mass-exploitation framework with 23 exploits across five chains, while Darksword is now publicly leaked and targets iOS 18.7. Apple has patched all exploited flaws in recent releases (18.7.3, 26.2, 26.3.1), and CISA has mandated federal agencies patch three Darksword-linked vulnerabilities (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) by April 3, 2026. Campaigns linked to UNC6353, UNC6748, and Turkish vendor PARS Defense highlight the growing commoditization of iOS exploitation tools and elevated risk to end-users globally.

Infostealer Malware Targets OpenClaw Configuration Files

Infostealer malware has been observed stealing OpenClaw configuration files containing API keys, authentication tokens, and other sensitive secrets. This marks the first known instance of such attacks targeting the popular AI assistant framework. The stolen data includes configuration details, authentication tokens, and persistent memory files, which could enable full compromise of the victim's digital identity. The malware, identified as a variant of the Vidar infostealer, executed a broad file-stealing routine that scanned for sensitive keywords. Researchers predict increased targeting of OpenClaw as it becomes more integrated into professional workflows. Additionally, security issues with OpenClaw have prompted the maintainers to partner with VirusTotal to scan for malicious skills uploaded to ClawHub, establish a threat model, and add the ability to audit for potential misconfigurations.

Android Malware Campaign Abuses Hugging Face Platform

A new Android malware campaign leverages the Hugging Face platform to distribute thousands of variants of an APK payload designed to steal credentials from popular financial and payment services. The attack begins with a dropper app called TrustBastion, which uses scareware-style ads to lure victims into installing it. The malware then redirects to a Hugging Face repository to download the final payload, using server-side polymorphism to evade detection. The malware exploits Android’s Accessibility Services to capture screenshots, monitor user activity, and steal credentials. The campaign was discovered by Bitdefender researchers, who found over 6,000 commits in the repository. The repository was taken down but resurfaced under a new name, 'Premium Club,' with the same malicious code. Bitdefender has published indicators of compromise and informed Hugging Face, which removed the malicious datasets. In more detail, the infection chain begins when users download the malicious Android app TrustBastion, which presents itself as scareware via popups claiming the device is infected with malware. The dropper app prompts users to run an update that mimics legitimate Google Play and Android system update dialog boxes. The dropper contacts an encrypted endpoint hosted at trustbastion[.]com, which returns an HTML file containing a redirect link to the Hugging Face repository hosting the malware. The malware masquerades as a 'Phone Security' feature to guide users through enabling Accessibility Services, and requests permissions for screen recording, screen casting, and overlay display so it can monitor all user activity and capture screen content. It also captures lock-screen unlock information, which financial and payment services rely on for security verification.

Malicious OpenClaw AI Coding Assistant Extension on VS Code Marketplace

A malicious GitHub campaign, tracked as **"TroyDen's Lure Factory"**, is distributing over **300 Trojanized packages**, including a fake **OpenClaw Docker deployer**, to deliver a LuaJIT-based data-stealing Trojan. The campaign targets developers, gamers, and the general public with lures ranging from AI tools to game cheats, exploiting automated analysis gaps by splitting the payload into two components—a renamed Lua runtime and an encrypted script—that evade detection when analyzed separately. Once executed, the Trojan captures screenshots, performs geolocation, and exfiltrates credentials to a Frankfurt-based C2 server, with a **29,000-year sleep delay** to defeat sandboxes. GitHub was notified on **March 20, 2026**, but at least two lure repositories remain active. This follows a pattern of **supply-chain and social engineering attacks** leveraging OpenClaw’s popularity, including prior incidents like the **Cline npm compromise** (February 2026), **malicious ClawHub skills** pushing info-stealers, and **exposed OpenClaw instances** (40,000+ vulnerable deployments globally). Chinese authorities have restricted OpenClaw usage in state-run enterprises due to its **privileged system access and prompt injection risks**, while threat actors continue to distribute **fake installers** (e.g., Atomic Stealer, Vidar, GhostSocks proxy malware). Users are urged to **verify repository authenticity, isolate AI tools, and audit environments** for unexpected OpenClaw installations.

ErrTraffic Service Enables Automated ClickFix Attacks via Fake Browser Glitches

A new cybercrime tool called ErrTraffic automates ClickFix attacks by generating fake browser glitches on compromised websites to trick users into downloading malware or following malicious instructions. The service promises high conversion rates and delivers architecture-specific payloads. ClickFix attacks have gained popularity among cybercriminals and state-sponsored actors for bypassing security controls. ErrTraffic is sold for a one-time purchase of $800 and offers a user-friendly panel for campaign management. It modifies the DOM of compromised websites to display visual glitches, prompting victims to execute malicious commands. Payloads include Lumma and Vidar info-stealers on Windows, Cerberus trojan on Android, AMOS stealer on macOS, and unspecified Linux backdoors.