Google advertisements for pretend Homebrew, LogMeIn websites push infostealers

A brand new malicious marketing campaign is concentrating on macOS builders with pretend Homebrew, LogMeIn, and TradingView platforms that ship infostealing malware like AMOS (Atomic macOS Stealer) and Odyssey.

The marketing campaign employs “ClickFix” methods the place targets are tricked into executing instructions in Terminal, infecting themselves with malware.

Homebrew is a well-liked open-source package deal administration system that makes it simpler to put in software program on macOS and Linux. Menace actors have used up to now the platform’s identify to distribute AMOS in malvertising campaigns.

LogMeIn is a distant entry service, and TradingView is a monetary charting and market evaluation platform, each broadly utilized by Apple customers.

Researchers at menace looking firm Hunt.io recognized greater than 85 domains impersonating the three platforms on this marketing campaign, together with the next:

When checking a few of the domains, BleepingComputer found that in some circumstances the visitors to the websites was pushed by way of Google Adverts, indicating that the menace actor promoted them to seem in Google Search outcomes.

The malicious websites characteristic convincing obtain portals for the pretend apps and instruct customers to repeat a curl command of their Terminal to put in them, the researchers say.

In different circumstances, like for TradingView, the malicious instructions are offered as a “connection safety affirmation step.” Nevertheless, if the consumer clicks on the ‘copy’ button, a base64-encoded set up command is delivered to the clipboard as an alternative of the displayed Cloudflare verification ID.

The instructions fetch and decode an ‘set up.sh’ file, which downloads a payload binary, eradicating quarantine flags an bypass Gatekeeper prompts to permit its execution.

The payload is both AMOS or Odyssey, executed on the machine after checking if the surroundings is a digital machine or an evaluation system.

The malware explicitly invokes sudo to run instructions as root, and its first motion is to gather detailed {hardware} and reminiscence data of the host.

Subsequent, it manipulates system companies like killing OneDrive updater daemons and interacts with macOS XPC companies to mix its malicious exercise with respectable processes.

Finally, the information-stealing elements of the malware are activated, harvesting delicate data saved on the browser, cryptocurrency credentials, and exfiltrating to the command and management (C2).

AMOS, first documented in April 2023, is a malware-as-a-service (MaaS) out there beneath a $1,000/month subscription. It could possibly steal a broad vary of knowledge from contaminated hosts.

Lately, its creators added a backdoor element to the malware to provide operators distant persistent entry capabilities.

Odyssey Stealer, documented by CYFIRMA researchers this summer season, is a comparatively new household derived from the Poseidon Stealer, which itself was forked from AMOS.

It targets credentials and cookies saved in Chrome, Firefox, and Safari browsers, over 100 cryptocurrency pockets extensions, Keychain information, and private information, and sends them to the attackers in ZIP format.

It’s strongly really useful that customers do not paste within the Terminal instructions discovered on-line in the event that they don’t absolutely perceive what they do.

46% of environments had passwords cracked, practically doubling from 25% final yr.

Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and information exfiltration traits.

Get the Blue Report 2025