The first to discover malicious Google ads was security researcher Ryan Chenkie. According to Bleeping Computer, the malware used in this campaign is AmosStealer (aka Atomic). This infostealer is designed for systems running macOS and is available as a subscription ($1,000 per month).
In the past, this malware was spotted in other malvertising campaigns promoting fake Google Meet pages. According to researchers, AmosStealer is currently the main infostealer for hackers targeting Apple users.
Homebrew is a third-party package manager for macOS and Linux whose popularity is being exploited by criminals. Malvertisements spotted on Google displayed the correct URL brew.sh, which misled even users familiar with the project. However, these ads actually redirected victims to a fake Homebrew website located at brewe[.]sh.
It must be noted that malefactors have been using this tactics (i.e. displaying trusted URLs in their ads to trick users into visiting supposedly official sites) for a long time. Earlier, experts found similar malicious ads disguised as Google Authenticator and Google Ads.
In the new malware campaign, the potential victim goes to a fake website and is prompted to install Homebrew by pasting a command shown in the macOS Terminal or a Linux shell prompt. Importantly, the real Homebrew website prompts the user to execute a similar command to install legitimate software. But after executing the command on the fake website, the Amos infostealer is downloaded to the user’s device; this malware targets over 50 cryptocurrency extensions, desktop wallets (including Binance, Coinomi, Electrum, and Exodus), and data stored on web browsers.
Homebrew’s project leader, Mike McQuaid, told journalists that the Homebrew developers are aware of the situation, but emphasized that it’s beyond their control, criticizing Google for its lack of scrutiny.
There’s little we can do about this really, it keeps happening again and again and Google seems to like taking money from scammers. Please signal-boost this and hopefully someone at Google will fix this for good”, – McQuaid said.
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE
Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…
Full article →
2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains
watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…
Full article →
2025.02.06 — Let's Encrypt to stop sending expiration notification emails
The nonprofit organization announced that, starting June 4, 2025, it will stop sending expiration notification emails to subscribers. The primary reason behind this decision…
Full article →
2025.01.29 — Google to disable Sync in older Chrome versions
Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…
Full article →
2025.04.04 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched
Tenable Research revealed details of a recently patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run enabling an attacker to gain access to container images…
Full article →
2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…
Full article →
2025.01.27 — YouTube plays hour-long ads to users with ad blockers
Users complain that YouTube plays very long unskippable ads. Sometimes such ads are longer than the video the person is watching. The issue was raised…
Full article →
2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts
Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code. This…
Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals
Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…
Full article →
2025.01.25 — 18,000 script kiddies have been infected with backdoor via XWorm RAT builder
According to CloudSEK analysts, malefactors attack novice hackers using a fake malware builder. Script kiddies' systems become infected with a backdoor that steals data and subsequently…
Full article →