Malicious Ads Target Homebrew Users with MacSync Stealer Malware

Severity: High (Score: 69.5)

Sources: Cybernews, isc.sans.edu

Summary

Cybercriminals are exploiting Google Ads to promote a fake Homebrew page that installs the MacSync infostealer malware, as reported by security researchers at the SANS Internet Storm Center. This campaign was first identified on April 30, 2026, and the malicious ads lead users to a site that mimics the legitimate Homebrew installation process. Users who execute the provided terminal command unknowingly install malware that collects sensitive information and sends it to a command and control server. The fake site is hosted on Google Sites, making it difficult for users to identify as malicious. The malware is designed to extract data from various applications, including Telegram and crypto wallets. Ongoing malvertising campaigns have been reported, with over 200 malicious ads impersonating popular macOS software identified earlier in 2026. Security experts recommend using ad blockers and avoiding running unknown terminal commands. The situation remains active, with researchers continuously monitoring the evolving threat landscape.

Key Points

  • Malicious ads impersonating Homebrew lead to the installation of MacSync Stealer malware.
  • The fake Homebrew page is hosted on Google Sites, complicating detection efforts.
  • Users are advised to avoid running terminal commands from untrusted sources.

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • malware-traffic-analysis.net (domain)
  • MacSync Stealer (malware)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1056 - Input Capture (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • Finder (tool)
  • Terminal (tool)
  • Google Sites (platform)
  • Homebrew (platform)
  • macOS (platform)
  • 0d58616c750fc8530a7e90eee18398ddedd08cc0f4908c863ab650673b9819dd (sha256)
  • 86d0c50cab4f394c58976c44d6d7b67a7dfbbb813fbcf622236e183d94fd944f (sha256)
  • a4fcfecc5ac8fa57614b23928a0e9b7aa4f4a3b2b3a8c1772487b46277125571 (sha256)