Fake Homebrew Infects macOS and Linux Machines with infostealer

📟 News

Date: 22/01/2025

Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.

The first to discover malicious Google ads was security researcher Ryan Chenkie. According to Bleeping Computer, the malware used in this campaign is AmosStealer (aka Atomic). This infostealer is designed for systems running macOS and is available as a subscription ($1,000 per month).

In the past, this malware was spotted in other malvertising campaigns promoting fake Google Meet pages. According to researchers, AmosStealer is currently the main infostealer for hackers targeting Apple users.

Homebrew is a third-party package manager for macOS and Linux whose popularity is being exploited by criminals. Malvertisements spotted on Google displayed the correct URL brew.sh, which misled even users familiar with the project. However, these ads actually redirected victims to a fake Homebrew website located at brewe[.]sh.

Malicious ad (source: @ryanchenkie)
Malicious ad (source: @ryanchenkie)

It must be noted that malefactors have been using this tactics (i.e. displaying trusted URLs in their ads to trick users into visiting supposedly official sites) for a long time. Earlier, experts found similar malicious ads disguised as Google Authenticator and Google Ads.

In the new malware campaign, the potential victim goes to a fake website and is prompted to install Homebrew by pasting a command shown in the macOS Terminal or a Linux shell prompt. Importantly, the real Homebrew website prompts the user to execute a similar command to install legitimate software. But after executing the command on the fake website, the Amos infostealer is downloaded to the user’s device; this malware targets over 50 cryptocurrency extensions, desktop wallets (including Binance, Coinomi, Electrum, and Exodus), and data stored on web browsers.

Fake website (source: @ryanchenkie)
Fake website (source: @ryanchenkie)

Homebrew’s project leader, Mike McQuaid, told journalists that the Homebrew developers are aware of the situation, but emphasized that it’s beyond their control, criticizing Google for its lack of scrutiny.

There’s little we can do about this really, it keeps happening again and again and Google seems to like taking money from scammers. Please signal-boost this and hopefully someone at Google will fix this for good”, – McQuaid said.

Related posts:
2025.02.20 — Newly-discovered vulnerabilities in OpenSSH open the door to MiTM and DoS attacks

OpenSSH fixed two vulnerabilities that could result in MiTM and denial of service (DoS) attacks. Interestingly, one of these bugs appeared in the code more than 10…

Full article →
2025.04.30 — Coinbase fixes 2FA bug that made customers panic

Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…

Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello

Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…

Full article →
2025.01.24 — Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer

Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into…

Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE

Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…

Full article →
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage

According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…

Full article →
2025.01.27 — Zyxel firewalls reboot due to flawed update

Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into…

Full article →
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI

The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…

Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework

According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…

Full article →
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign

According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…

Full article →