
The free, open-source software package management system Homebrew is a popular tool for simplifying the process of installing software on macOS and Linux systems. It is entirely run by volunteers and often benefits from user contributions via GitHub. Recently, Homebrew was the target of a malvertising campaign manipulating Google ads to deliver malicious payloads. Malvertising campaigns like this targeting open-source projects have been on the rise lately, and it is vital for individual users and organizations alike to be aware of this growing threat.
Discovery of the Malvertising Campaign
On January 18th, 2025, Ryan Chenkie made a post on X (formerly Twitter) warning developers of a malvertising campaign targeting Homebrew. The attack exploited Google ads to deceive users with a link purporting to lead to the Homebrew installation page, but which actually led to a spoofed site that deployed malware on the target device. The ad, sponsored in searches for Homebrew, displayed the correct Homebrew URL (“brew.sh”) but redirected users to a fake page (“brewe.sh”).
This tactic of tricking users with subtle differences in URLs is a longstanding favorite for attackers, seen especially in phishing attacks. Threat actors looking to impersonate legitimate sources will employ false URLs, email addresses, and usernames, often with only one letter changed, attempting to look as close to the legitimate domain as possible.
The Threat: AmosStealer Malware
The malware intended for the targets of this malvertising campaign is Atomic Stealer, or Amos. It is often distributed as Software-as-a-Service (SaaS), with a monthly subscription fee of $3,000, and focuses on macOS systems. AmosStealer's capabilities include credential theft, browser data exfiltration, and cryptocurrency wallet targeting, making it a versatile weapon for bad actors launching attacks on individuals and organizations.
AmosStealer is not a new strain of malware, and it has been used in previous attacks. This includes a recent ClickFix campaign that used fake Google Meet alerts to deceive users and deploy the malware. This latest campaign is part of a pattern highlighting the versatility and effectiveness of cyberattacks using spoofed or impersonated elements to install malware on target devices.
Attack Mechanism
The fake Homebrew website mimics the installation of the legitimate software so that targets may complete the process without even realizing that an attack is occurring. It walks users through instructions for installing the software on the device, including pasting a command into their OS terminals. Executing this command downloads and installs the AmosStealer malware on the target device, compromising the system and leading to sensitive data loss, theft of digital assets, and a wide range of other potential consequences.
This method is indicative of the creative and advanced tactics that cybercriminals often use to launch their attacks. “The recent malware campaign aimed at macOS systems underscores the persistent threat of cybercriminals who exploit widely used software and services,” says Eric Schwake, Director of Cybersecurity Strategy at Salt Security. “Using a counterfeit Homebrew website to spread malware, these cyber attackers showcase their sophistication and innovative tactics, continually discovering new methods to mislead and infiltrate users.”
Broader Implications
Malvertising campaigns are becoming increasingly sophisticated as threat actors attempt to outpace the evolution of cybersecurity technology and evade detection. Attacks targeting trusted brands and open-source projects are lucrative for these cybercriminals, and the use of SaaS offerings like AmosStealer lowers the barrier to entry and enables attackers to launch larger and more advanced campaigns.
It can be challenging for users to distinguish malicious URLs that closely mimic legitimate domains, especially if they have let their guard down due to other factors in the attack. Apple and Linux users who assume that their systems and environments have a higher level of security may be less cautious with potentially malicious links. The false pages linked through legitimate ad services like Google can also lend an air of legitimacy that makes users feel secure.
Mitigation and Recommendations
Users can implement a variety of measures to mitigate the risk of falling victim to an attack like this malvertising campaign. It is important to always be aware of the possibility that any link may not lead where it claims to lead and verify the destination by hovering over links and double-checking URLs before inputting sensitive information or installing software. Users should also follow best practices like using ad blockers, navigating directly to official websites rather than relying on links, and verifying commands with trusted documentation or communities before executing them.
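The URL-checking advice above can be turned into a simple automated check. The following is an added example written for this article, not code from Homebrew or from the campaign; it flags links whose visible text and real destination disagree, and destinations that are one or two characters away from a trusted host, as with the brew.sh / brewe.sh lure. The trusted-host list and the sample link are constructed assumptions.

```python
# Added example (not from the article): warn when a link's displayed host differs
# from its real destination, or when the destination is a near-miss of a trusted
# domain (e.g. "brewe.sh" vs "brew.sh").
from urllib.parse import urlparse

# Assumption: a short allowlist of hosts the user actually trusts.
TRUSTED_HOSTS = {"brew.sh", "github.com"}

def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, adding a scheme if one is absent."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains with one or two changed characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(display: str, href: str, trusted=TRUSTED_HOSTS) -> list[str]:
    """Return a list of warnings; an empty list means nothing suspicious was found."""
    # Only treat the display text as a host if it looks like one (has a dot, no spaces).
    looks_like_host = "." in display and " " not in display.strip()
    shown = host_of(display) if looks_like_host else ""
    real = host_of(href)
    warnings = []
    if shown and shown != real:
        warnings.append(f"display host {shown!r} differs from destination {real!r}")
    if real not in trusted:
        close = sorted(t for t in trusted if 0 < edit_distance(real, t) <= 2)
        if close:
            warnings.append(f"destination {real!r} is a near-match of trusted {close[0]!r}")
    return warnings

if __name__ == "__main__":
    # Constructed sample: the ad text shows brew.sh, the real target is brewe.sh.
    for w in check_link("brew.sh", "https://brewe.sh/"):
        print("WARNING:", w)
```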
Beyond the individual user, ad platforms can also take steps to prevent this kind of attack. These companies have a responsibility to improve their processes for vetting advertisements before accepting them. With a trusted brand name like Google pushing the ad, many users may let their guard down and assume a baseline level of security that is not present, and it is important for ad platforms to do their due diligence in ensuring that malicious ads do not pass their vetting processes.
Conclusion
The Homebrew campaign launched to install AmosStealer on target devices is significant in how it highlights a number of threat trends that are important for users to be aware of. Taking advantage of legitimate ad services, targeting open-source projects, and leveraging SaaS in attacks are all tactics that cybercriminals are increasingly favoring, and understanding how these attacks work is the first step in protecting against them. As cyberattacks grow increasingly sophisticated and deceptive, it is crucial for users to exercise vigilance, especially with regard to links and downloads.