Bad actors are using a fake Homebrew site on a Google ads page to distribute infostealer malware that’s targeting macOS and Linux devices.
This new Google ads campaign was first discovered by security researcher Ryan Chenkie, who warned security pros about the infostealer on X on Jan. 18.
Another security researcher, JAMESWT, posted on X that the malware dropped in the new Google ads campaign is the Amos infostealer that targets data stored on web browsers, desktop wallets, and cryptocurrency extensions.
Here’s how the campaign works: A malicious Google ad displays the legitimate Homebrew URL, but the ad redirects them to a fake Homebrew page that’s hosted as “brewe.sh” — tricking even the most careful users with the extra “e” letter.
What’s interesting here is that more technical people tend to use Homebrew, a popular open-source platform that lets macOS and Linux users install, update, and manage software.
“Malware authors are targeting technical users, who are more likely to install tools like Homebrew, typically used by power users or developers,” said Jaron Bradley, director of Jamf Threat Labs. “These individuals are often in possession of high-value assets, such as cryptocurrency wallets or even sensitive work-related credentials.”
Ken Dunham, cyber threat director at the Qualys Threat Research Unit, added that in this attack, the difference of “brew“ vs “brewe“ is hard for some users to spot as malicious.
Dunham said there are best practices teams can employ in such instances: always go to legitimate application and distribution sites, confirm app vendors and sources, and go to sites directly, instead of through a link received by an email or sent to you on a phone.
“Malvertising continues to be an effective eCrime marketplace strategy, where users are tricked into malicious sites and traffic instead of using legitimate sources with less risk,” said Dunham. “MacOS has arrived as a more popular OS with increased assets of value to threat actors in the professional environment globally, and it’s increasingly being targeted by bad actors in 2025 as evidenced in this most recent attack.”
Eric Schwake, director of cybersecurity strategy at Salt Security, said the recent malware campaign aimed at macOS systems underscores the persistent threat of cybercriminals who exploit widely used software and services. Using a counterfeit Homebrew website to spread malware, Schwake said these cyber attackers showcase their sophistication and innovative tactics, continually discovering new methods to mislead and infiltrate users.
“Although the malware itself is not novel, its delivery via Google ads emphasizes the critical need for safeguarding advertising platforms,” said Schwake. “Advertisers must remain alert and take measures to validate the legitimacy of the websites they endorse. This scenario highlights the need for organizations to bolster security on all devices, including macOS, which is often considered more secure than others.”
