CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Shamos Infostealer Targeting Mac Devices via ClickFix Attacks

First reported
Last updated
3 unique sources, 9 articles

Summary

Hide ▲

Since June 2025, the COOKIE SPIDER group’s Shamos infostealer and Atomic macOS Stealer (AMOS) variants have targeted Mac devices via evolving ClickFix social engineering campaigns, stealing data and credentials from browsers, Keychain, Apple Notes, and cryptocurrency wallets. Early campaigns used malvertising, fake GitHub repositories, and signed Swift applications hosted on legitimate platforms, while also leveraging Terminal-based ClickFix tactics and obfuscated payloads. In March 2026, Apple introduced a Terminal security feature in macOS Tahoe 26.4 to disrupt ClickFix attack chains by blocking pasted command execution and warning users of risks. A major evolution emerged in April 2026 when Jamf researchers observed attackers abusing the built-in Script Editor application to bypass these protections using fake Apple-themed disk cleanup guides and malicious applescript:// URL scheme execution. The Script Editor-based ClickFix variation enabled theft of Keychain data, browser autofill, cryptocurrency wallet extensions, and system details without Terminal interaction, and introduced a backdoor component for persistent access. Most recently, SentinelOne has identified a new SHub macOS infostealer variant, dubbed Reaper, which further refines the Script Editor-based ClickFix attack vector. Reaper uses a fake Apple security update message displayed via the applescript:// URL scheme to launch Script Editor with a malicious AppleScript payload dynamically constructed and hidden under ASCII art. The malware bypasses Apple’s Terminal mitigations, performs device fingerprinting to evade sandboxes, and targets extensive data across browsers, wallets, password managers, iCloud, Telegram, and developer files. It includes a Filegrabber module for collecting sensitive documents and a wallet hijacking mechanism that replaces legitimate application files with malicious payloads. Reaper establishes persistence via a Google software update impersonation script registered as a LaunchAgent, enabling periodic beaconing to the C2 server and remote payload execution. Notably, the malware includes geofencing to avoid infecting Russian systems and represents an escalation in capabilities, incorporating remote access functionality to allow additional malware deployment on compromised macOS devices.

Timeline

  1. 16.03.2026 13:41 2 articles · 2mo ago

    ClickFix campaigns evolve to use legitimate platforms for distribution

    ClickFix campaigns have evolved to use legitimate platforms like Cloudflare Pages and Squarespace to host bogus installation instructions. The InstallFix variant of ClickFix tricks users into installing infostealer malware without needing additional pretexts. At least 20 distinct malware campaigns targeting AI and vibe coding tools have been identified, with nine affecting both Windows and macOS. The KongTuke TDS uses compromised WordPress websites and fake CAPTCHA lures to deliver the ModeloRAT trojan. ClickFix-style attacks have been used to distribute various malware families, including StealC Stealer, Vidar Stealer, Impure Stealer, and VodkaStealer. Apple’s Terminal security feature in macOS Tahoe 26.4 specifically targets the command execution stage of ClickFix attacks, reducing the risk of successful infections even when lures are hosted on legitimate platforms.

    Show sources
    Open in new tab
  2. 22.12.2025 22:43 8 articles · 4mo ago

    New MacSync variant bypasses macOS Gatekeeper checks

    Three distinct ClickFix campaigns have been identified distributing the MacSync infostealer via fake AI tool installers. The campaigns use various lures, including OpenAI Atlas browser and ChatGPt conversations, to trick users into executing malicious commands. The latest variant of MacSync supports dynamic AppleScript payloads and in-memory execution to evade detection. The shell script retrieves the AppleScript infostealer payload from a hard-coded server and removes evidence of data theft. The malware harvests credentials, files, keychain databases, and cryptocurrency wallet seed phrases. Apple’s Terminal warning system in macOS Tahoe 26.4 adds another layer of defense by disrupting the execution phase of ClickFix attacks, though the feature’s effectiveness depends on command analysis and user behavior. A new April 2026 campaign observed by Jamf researchers demonstrates attackers abusing the built-in Script Editor application to bypass Terminal protections. The campaign uses fake Apple-themed disk cleanup guides to prompt victims to launch Script Editor via the applescript:// URL scheme, executing an obfuscated payload in system memory that delivers Atomic Stealer (AMOS). The Script Editor variation does not require manual Terminal interaction, marking a significant evolution in ClickFix attack tactics. The current article provides additional technical detail on the Script Editor-based ClickFix attack flow and confirms its role in delivering AMOS while evading Terminal warnings. This update also documents the SHub Reaper variant’s use of the same Script Editor-based ClickFix vector, leveraging fake security update lures to deliver a backdoor-enabled infostealer with expanded data theft, file grabbing, wallet hijacking, and persistence mechanisms.

    Show sources
    Open in new tab
  3. 22.08.2025 18:44 6 articles · 9mo ago

    Shamos infostealer targeting Mac devices via ClickFix attacks

    Since June 2025, Shamos infostealer has attempted infections in over three hundred environments. The malware, developed by the COOKIE SPIDER group, steals data and credentials from web browsers, Keychain, Apple Notes, and cryptocurrency wallets. It is distributed through ClickFix attacks using malvertising and fake GitHub repositories. The malware uses anti-VM commands, AppleScript for reconnaissance, and creates persistence through a Plist file. Apple’s March 2026 macOS Tahoe 26.4 update introduces a Terminal security feature that blocks pasting and executing potentially harmful commands and warns users of risks, directly targeting ClickFix attack vectors used in Shamos and related campaigns. A new April 2026 campaign observed by Jamf researchers demonstrates attackers abusing the built-in Script Editor application to bypass Terminal protections. The campaign uses fake Apple-themed disk cleanup guides to prompt victims to launch Script Editor via the applescript:// URL scheme, executing an obfuscated payload in system memory that delivers Atomic Stealer (AMOS). The Script Editor variation does not require manual Terminal interaction, marking a significant evolution in ClickFix attack tactics. The current article confirms the Script Editor-based ClickFix variation identified on April 8, 2026, and details its use of browser-triggered workflows to launch Script Editor and evade Terminal warnings. Additionally, it clarifies that SHub’s Reaper variant continues to exploit this Script Editor-based ClickFix vector to bypass Terminal mitigations and deliver infostealer payloads with expanded capabilities including backdoor access and geofencing to avoid infecting Russian-language systems.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Living-Off-the-Land (LOTL) abuse of native utilities expands to macOS as primary intrusion tactic in enterprise environments

Threat actors are increasingly leveraging legitimate, native system tools across both Windows and macOS environments to conduct attacks, achieving lateral movement, privilege escalation, and persistence while evading detection. Analysis of over 700,000 high-severity incidents indicates that 84% now involve abuse of trusted utilities—practices known as Living off the Land (LOTL). This shift reduces reliance on malware and exploits, exploiting operational blind spots created by necessary administrative tools. Recent research from Cisco Talos highlights the expansion of LOTL techniques to macOS native features such as Remote Application Scripting (RAS), Spotlight metadata, and Apple Events, enabling covert execution, persistence, and lateral movement. More than 45% of organizations now use macOS in enterprise settings—often holding sensitive credentials, cloud access, and source code—making the platform a high-value target. Attackers abuse RAS to issue remote commands without triggering shell-based monitoring, embed malicious payloads in Finder comments stored as Spotlight metadata, and leverage protocols like SMB, Netcat, Git repositories, TFTP, and SNMP for covert data transfer and movement. The technique remains the dominant intrusion vector, progressing undetected until significant compromise occurs, particularly due to limited visibility into macOS-native behaviors and reliance on legitimate system processes.

Open in new tab

Venom Stealer infostealer kit introduces continuous credential harvesting via malware-as-a-service model

A newly identified infostealer malware kit named Venom Stealer is offered as a malware-as-a-service (MaaS) subscription priced at $250 per month or $1,800 lifetime, enabling continuous credential harvesting and wallet cracking operations. The kit targets Windows and macOS systems via deceptive social engineering lures integrated into its operator panel, including fake Cloudflare CAPTCHA pages, OS update prompts, SSL certificate errors, and font installation pages. Victims are tricked into executing commands via Run dialog or Terminal, bypassing detection systems by appearing user-initiated. Upon execution, it extracts and exfiltrates browser credentials, session cookies, browsing history, autofill data, cryptocurrency wallet vaults, browser extension data, and system fingerprints from Chromium and Firefox browsers. Venom Stealer distinguishes itself by maintaining silent persistence through a background session listener that reports new credentials and wallet activity to command-and-control infrastructure twice daily, and by continuously monitoring Chrome's login database to capture newly saved credentials in real time. Exfiltrated cryptocurrency wallet data is processed by a server-side GPU cracking engine, with funds automatically transferred across multiple blockchain networks including tokens and DeFi positions, undermining password rotation and incident response efforts.

Open in new tab

Infinity Stealer macOS infostealer delivered via ClickFix CAPTCHA lures

A new macOS-targeting infostealer named Infinity Stealer is being distributed via ClickFix CAPTCHA lures impersonating Cloudflare’s human verification, leading victims to execute a base64-obfuscated Bash command that fetches and runs a Nuitka-compiled Python payload. The attack abuses a fake CAPTCHA on update-check[.]com to bypass OS defenses and install a Mach-O loader that extracts a zstd-compressed archive containing the stealer. Infinity Stealer harvests browser credentials, macOS Keychain entries, cryptocurrency wallets, and plaintext secrets from developer files, and exfiltrates data via HTTP POST to C2 with Telegram notifications to operators.

Open in new tab

InstallFix Campaign Expands to macOS via Google Ads and Abused Claude.ai Chats

Threat actors are expanding the InstallFix social engineering technique to abuse Google Ads and legitimate Claude.ai shared chats to distribute macOS malware. The attackers create weaponized installation guides embedded in publicly accessible Claude chats, tricking users into executing malicious commands that download and execute infostealers such as MacSync and in-memory loader scripts. The campaigns target macOS users searching for 'Claude mac download' via malvertising on Google Ads, using Anthropic's real claude.ai domain in sponsored search results. The malware variants harvest browser credentials, cookies, and macOS Keychain contents while evading detection through in-memory execution and selective victim profiling.

Open in new tab

Russian UNC6353 Uses Coruna and Darksword iOS Exploit Kits Across iOS 13–18.7 Targeting Financial Espionage and Data Theft

Apple has expanded security updates for iOS 18.7.7 and iPadOS 18.7.7 to protect devices still running iOS 18 from the DarkSword exploit kit, without requiring full OS upgrades. This follows continued exploitation of DarkSword since July 2025 across multiple countries, with attacks leveraging six vulnerabilities to deploy data-stealing malware like GhostBlade, GhostKnife, and GhostSaber through watering hole attacks on compromised websites. The campaign remains linked to Russian threat actor UNC6353 and associated groups including UNC6748 and Turkish vendor PARS Defense, with Coruna and Darksword exploit kits now confirmed as closely related frameworks sharing origins in the 2019–2023 Operation Triangulation campaign. Coruna has evolved from a precision espionage tool into a mass-exploitation framework with 23 exploits across five chains, while Darksword targets iOS 18.4–18.7 and has been publicly leaked on GitHub. Apple has patched all exploited flaws in recent releases (18.7.3, 26.2, 26.3.1), and CISA has mandated federal agencies patch three DarkSword-linked vulnerabilities (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) by April 3, 2026. The commoditization of these iOS exploitation tools elevates risk to end-users globally.

Open in new tab