Google advertisements for pretend Homebrew, LogMeIn websites push infostealers

A brand new malicious marketing campaign is focusing on macOS builders with pretend Homebrew, LogMeIn, and TradingView platforms that ship infostealing malware like AMOS (Atomic macOS Stealer) and Odyssey.

The marketing campaign employs “ClickFix” methods the place targets are tricked into executing instructions in Terminal, infecting themselves with malware.

Homebrew is a well-liked open-source package deal administration system that makes it simpler to put in software program on macOS and Linux. Risk actors have used previously the platform’s identify to distribute AMOS in malvertising campaigns.

LogMeIn is a distant entry service, and TradingView is a monetary charting and market evaluation platform, each broadly utilized by Apple customers.

Researchers at risk searching firm Hunt.io recognized greater than 85 domains impersonating the three platforms on this marketing campaign, together with the next:

When checking a number of the domains, BleepingComputer found that in some circumstances the visitors to the websites was pushed through Google Advertisements, indicating that the risk actor promoted them to look in Google Search outcomes.

The malicious websites function convincing obtain portals for the pretend apps and instruct customers to repeat a curl command of their Terminal to put in them, the researchers say.

In different circumstances, like for TradingView, the malicious instructions are introduced as a “connection safety affirmation step.” Nevertheless, if the consumer clicks on the ‘copy’ button, a base64-encoded set up command is delivered to the clipboard as an alternative of the displayed Cloudflare verification ID.

The instructions fetch and decode an ‘set up.sh’ file, which downloads a payload binary, eradicating quarantine flags an bypass Gatekeeper prompts to permit its execution.

The payload is both AMOS or Odyssey, executed on the machine after checking if the atmosphere is a digital machine or an evaluation system.

The malware explicitly invokes sudo to run instructions as root, and its first motion is to gather detailed {hardware} and reminiscence data of the host.

Subsequent, it manipulates system companies like killing OneDrive updater daemons and interacts with macOS XPC companies to mix its malicious exercise with reliable processes.

Ultimately, the information-stealing elements of the malware are activated, harvesting delicate data saved on the browser, cryptocurrency credentials, and exfiltrating to the command and management (C2).

AMOS, first documented in April 2023, is a malware-as-a-service (MaaS) accessible underneath a $1,000/month subscription. It will probably steal a broad vary of information from contaminated hosts.

Just lately, its creators added a backdoor element to the malware to provide operators distant persistent entry capabilities.

Odyssey Stealer, documented by CYFIRMA researchers this summer season, is a comparatively new household derived from the Poseidon Stealer, which itself was forked from AMOS.

It targets credentials and cookies saved in Chrome, Firefox, and Safari browsers, over 100 cryptocurrency pockets extensions, Keychain knowledge, and private information, and sends them to the attackers in ZIP format.

It’s strongly beneficial that customers do not paste within the Terminal instructions discovered on-line in the event that they don’t totally perceive what they do.

46% of environments had passwords cracked, almost doubling from 25% final 12 months.

Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and knowledge exfiltration traits.

Get the Blue Report 2025