Fake Homebrew Infects macOS and Linux Machines with infostealer

📟 News

Date: 22/01/2025

Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.

The first to discover malicious Google ads was security researcher Ryan Chenkie. According to Bleeping Computer, the malware used in this campaign is AmosStealer (aka Atomic). This infostealer is designed for systems running macOS and is available as a subscription ($1,000 per month).

In the past, this malware was spotted in other malvertising campaigns promoting fake Google Meet pages. According to researchers, AmosStealer is currently the main infostealer for hackers targeting Apple users.

Homebrew is a third-party package manager for macOS and Linux whose popularity is being exploited by criminals. Malvertisements spotted on Google displayed the correct URL brew.sh, which misled even users familiar with the project. However, these ads actually redirected victims to a fake Homebrew website located at brewe[.]sh.

Malicious ad (source: @ryanchenkie)

It must be noted that malefactors have been using this tactic (i.e. displaying trusted URLs in their ads to trick users into visiting supposedly official sites) for a long time. Earlier, experts found similar malicious ads disguised as Google Authenticator and Google Ads.

In the new malware campaign, the potential victim lands on the fake website and is prompted to install Homebrew by pasting a command shown on the page into the macOS Terminal or a Linux shell prompt. Importantly, the real Homebrew website prompts the user to execute a similar command to install the legitimate software. But after executing the command from the fake website, the Amos infostealer is downloaded to the user’s device; this malware targets over 50 cryptocurrency extensions, desktop wallets (including Binance, Coinomi, Electrum, and Exodus), and data stored in web browsers.
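As an added example (not from the article or the Homebrew project), the following Python detector scans DNS/proxy log lines for domains that sit within a couple of edits of a trusted install host, which is exactly how brewe.sh relates to brew.sh; the log format, the workstation names and the trusted-host list are assumptions, and the sample lines are constructed.

```python
# Added example, not from the article: flag lookalike domains of trusted install
# hosts in DNS/proxy logs. Log format and lines are constructed; the only real
# indicator is the brewe.sh lookalike the article names.
import re
TRUSTED_HOSTS = ("brew.sh", "github.com", "raw.githubusercontent.com")
LOG_RE = re.compile(r"^\S+ \S+ (?:dns|proxy) host=(?P<host>[\w.-]+)")  # assumed format

def edit_distance(a, b):
    """Damerau-Levenshtein distance (edits plus adjacent transpositions)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # swap of two adjacent characters
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def registrable(host):
    """Last two labels of a host; a real deployment would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(host, max_distance=2):
    """Trusted host that `host` imitates, or None if it is exact or unrelated."""
    dom = registrable(host)
    if host.lower() in TRUSTED_HOSTS or dom in TRUSTED_HOSTS:
        return None
    for trusted in TRUSTED_HOSTS:
        if edit_distance(dom, trusted) <= max_distance:
            return trusted
    return None

def scan_log(lines):
    # Return (observed_host, imitated_host) pairs for every suspicious line.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (target := lookalike_of(m.group("host"))):
            hits.append((m.group("host"), target))
    return hits

SAMPLE_LOG = """\
2025-01-22T10:14:03Z ws-01 dns host=brew.sh
2025-01-22T10:14:09Z ws-01 proxy host=brewe.sh
2025-01-22T10:15:30Z ws-02 proxy host=raw.githubusercontent.com
2025-01-22T10:16:01Z ws-02 dns host=api.github.com
2025-01-22T10:16:45Z ws-03 proxy host=example.org""".splitlines()
```

A distance of two is deliberately coarse and will also flag unrelated short domains, so treat hits as triage leads rather than verdicts.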

Fake website (source: @ryanchenkie)

Homebrew’s project leader, Mike McQuaid, told journalists that the Homebrew developers are aware of the situation, but emphasized that it’s beyond their control, criticizing Google for its lack of scrutiny.

“There’s little we can do about this really, it keeps happening again and again and Google seems to like taking money from scammers. Please signal-boost this and hopefully someone at Google will fix this for good,” McQuaid said.
