Shamos Stealer is an insidious infostealer—part of the AMOS (Atomic) stealer family—specifically targeting macOS systems. It’s offered as a Malware-as-a-Service (MaaS) by the COOKIE SPIDER cybercriminal group and has been active since at least summer 2025. It sneaks onto Macs via deceptive “ClickFix” scams that trick users into pasting malicious commands into Terminal.
Scan Your Your Device for Shamos Stealer
✅ Detects & Removes Malware
🛡️ Protects against infections
✅ Free Scan
✅13M Scans/Month
Don’t leave your system unprotected. Download SpyHunter today for free, and scan your device for malware, scams, or any other potential threats. Stay Protected!
Threat Summary
| Threat Name | Shamos Stealer (Shamos malware) |
|---|---|
| Threat Type | Mac infostealer / Mac virus |
| Encrypted File Extension | N/A (targets data, not encryption) |
| Ransom Note Filename | N/A |
| Email Contact | N/A |
| Detection Names | Avast (MacOS:Stealer‑CH [Pws]), ESET‑NOD32 (A Variant Of OSX/PSW.Agent.EA), Kaspersky (HEUR:Trojan‑PSW.OSX.Amos.an), Combo Cleaner (Trojan.Generic.38101909) |
| Symptoms | No visible symptoms—runs silently to steal data |
| Damage & Distribution | Data exfiltration (passwords, cookies, Keychain, Apple Notes, crypto wallets); distributed via malvertising, fake GitHub pages, SEO poisoning “ClickFix” scams |
| Danger Level | High—steals highly sensitive credentials and financial data, may install additional payloads (e.g. fake Ledger Live, botnet modules) |
| SpyHunter Removal Tool | SpyHunter for non‑ransomware malware |
How Did I Get Infected With Shamos Ransomware?
You likely landed on a carefully crafted fake support site—such as mac‑safer[.]com or rescue‑mac[.]com—or a bogus GitHub page. These sites urge you to copy-paste a Terminal command to “fix” an issue or install helpful software. In reality, this command downloads a Bash script—which:
- Bypasses Gatekeeper by stripping extended file attributes
- Grants executable permissions via
chmod, installs the Shamos Mach‑O binary, and runs it
Once running, the script captures credentials, stealer files, and initiates the infostealer.
What Shamos Ransomware Does to Your Files
- Performs anti-analysis checks—detecting sandbox or VM environments
- Gathers sensitive data via:
- AppleScript routines for reconnaissance
- Collections from Keychain, Apple Notes, browsers, and cryptocurrency wallet files
- Compiles all harvested data into an
out.ziparchive and sends it to the attackers usingcurl - If executed with
sudo, drops a LaunchDaemon Plist (e.g.,com.finder.helper.plist) for persistence and may install extra harmful payloads like a fake Ledger Live app or a botnet module
Should You Be Worried About Shamos Ransomware?
Absolutely. It operates stealthily, targeting nearly all confidential data stored on your Mac—even items you believed were secure, like Keychain passwords or encrypted wallet files. The malware’s stealthy behavior and deep access make it one of the more dangerous threats for macOS users.
Manual Removal Steps
WARNING: Manual removal is risky. Only proceed if you’re confident with macOS internals.
Step 1: Quit Suspicious Processes
- Open Activity Monitor (
Applications > Utilities). - Search for unfamiliar or resource-heavy processes (e.g.,
AtomicStealer,MacStealer, etc.). - Select and click the “X” to force quit.
Step 2: Remove Malicious Applications
- Go to
Applicationsfolder. - Look for apps you didn’t install or that appeared recently.
- Drag them to the Trash, then empty the Trash.
Step 3: Delete Launch Agents and Daemons
- Open Finder →
Go > Go to Folder… - Check the following locations for malicious .plist or .app files:javascriptCopyEdit
~/Library/LaunchAgents/ /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/Application Support/ ~/Library/Preferences/ /Library/Application Support/ - Remove anything suspicious (files with random names or unknown origin).
Step 4: Check Login Items
- Go to System Settings > General > Login Items.
- Remove any suspicious items from “Open at Login”.
Step 5: Reset Browsers (if hijacked)
Safari:
- Preferences > Extensions > Remove suspicious extensions
- Preferences > Homepage > Set to preferred homepage
- Clear History and Website Data
Chrome:
chrome://extensions→ Remove malicious extensionschrome://settings/reset→ Reset settings to default
Firefox:
about:addons→ Remove unknown add-onsabout:support→ Click “Refresh Firefox”
Automated Removal (Recommended)
Scan Your Your Device for Shamos Stealer
✅ Detects & Removes Malware
🛡️ Protects against infections
✅ Free Scan
✅13M Scans/Month
Don’t leave your system unprotected. Download SpyHunter today for free, and scan your device for malware, scams, or any other potential threats. Stay Protected!
Manual removal may miss hidden components. For full cleanup and future protection, use a trusted anti-malware tool.
✅ Recommended Tool: SpyHunter for Mac
- Detects hidden Trojans, keyloggers, stealers, and malware droppers
- Removes all components, including launch agents and hidden scripts
- Prevents future infections with real-time protection
🔍 Download SpyHunter for Mac
Scan your Mac for threats and remove them automatically.
Prevent Future Infections
- Enable System Integrity Protection (SIP) and Gatekeeper
- Only install apps from the Mac App Store or verified developers
- Keep macOS and all apps updated
- Use a strong antivirus with real-time protection
- Never open suspicious email attachments or links
- Use a password manager and avoid reusing passwords
Conclusion
Shamos Stealer is a potent, silent infostealer masquerading as legitimate tech help. Its tactic of tricking users via fake fixes—ClickFix scams—makes it especially dangerous. If you suspect any infection, act fast. Run a full antivirus scan using a reputable tool like SpyHunter, and avoid executing unknown Terminal commands or unsourced files from the web.
Scan Your Your Device for Shamos Stealer
✅ Detects & Removes Malware
🛡️ Protects against infections
✅ Free Scan
✅13M Scans/Month
Don’t leave your system unprotected. Download SpyHunter today for free, and scan your device for malware, scams, or any other potential threats. Stay Protected!
