ClickFix Abuses Legitimate Homebrew Workflow to Deploy Cuckoo Stealer on macOS for Credential Harvesting

Source: cybersecuritynews.com (byline: Blog Writer)

A social engineering campaign is targeting macOS developers with fake Homebrew installation pages that deliver Cuckoo Stealer, an infostealer built to harvest credentials and other sensitive data.

The attack uses the ClickFix technique, in which the victim is talked into pasting and running an attacker-supplied Terminal command that is dressed up as a normal software installation step.

Unlike an exploit against a software vulnerability, the campaign needs no bug: it exploits user trust and a familiar developer workflow.

The operation centers on typosquatted domains that closely replicate the official Homebrew website (brew.sh).

When a developer visits one of these pages, it shows what looks like the standard installation command, complete with a convenient copy button.

The malicious command differs from the legitimate one by a single host name: raw.githubusercontent.com, where the real install script is served from, is replaced with raw.homabrews.org. The rest of the command is unchanged, so the swap is easy to miss on a quick glance.

Domain registration details for homabrews.org in Hunt showing high-risk assessment (Source – Hunt.io)

Once executed, the script harvests the user's password through a prompt loop that validates each entry against macOS Directory Services (dscl), so that the attacker holds a working credential before the second-stage payload is fetched.

Hunt.io analysts identified the campaign after discovering the typosquatted domain homabrews.org, registered on January 13, 2026.

Phishing URL detection showing multiple flagged URLs including the critical raw.homabrews.org subdomain (Source – Hunt.io)

Infrastructure analysis revealed six related domains hosted on shared infrastructure at IP address 5.255.123.244, with the earliest TLS certificates dating back to July 2025.

Multiple malicious domains hosted on shared IP infrastructure at 5.255.123.244 (Source – Hunt.io)

The domains use several typosquatting techniques, including character omission, double-letter substitution, and alternative top-level domains, to catch mistyped or half-read URLs.

Technical Infection Workflow

The attack runs in two distinct stages. The first-stage script masquerades as the Homebrew installer while quietly validating whatever password the user types with dscl . -authonly, which checks a username and password against the local directory node.

The loop prints "Sorry, try again" after each wrong password, mimicking sudo's own message so that repeated prompts do not raise suspicion.

Once a valid password is captured, the script downloads a binary named brew_agent and passes the stolen password to it, Base64-encoded, as a command-line argument, so the second stage has immediate access to protected system resources without prompting again.

Cuckoo Stealer persists through a macOS LaunchAgent installed as com.homebrew.brewupdater.plist, a name chosen to look like a Homebrew component. Homebrew itself installs no agent under that name (the agents created by brew services use labels of the form homebrew.mxcl.<formula>), so a plist with that name in ~/Library/LaunchAgents or /Library/LaunchAgents is a direct indicator.
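Three checks that follow from the workflow above, written here as an added example rather than code from the Hunt.io report or from Homebrew: a pre-execution check that a pasted one-liner really fetches Homebrew's install.sh from raw.githubusercontent.com (the only host and path the genuine command uses), a scan of a fetched script body for the stage-one behaviours the report describes, and a hunt through a LaunchAgents directory for the persistence plist. The indicator names (dscl authonly, "Sorry, try again", brew_agent, com.homebrew.brewupdater.plist) come from the article; every sample one-liner, script fragment and plist used to exercise the script is constructed for illustration and is not a copy of the real page or file.

```shell
#!/bin/sh
# Added example (not from the Hunt.io report or Homebrew): vet a pasted
# Homebrew "install" one-liner, scan a fetched script body for the
# stage-one tells described in the article, and hunt LaunchAgents for the
# reported persistence plist. All sample inputs are constructed.

LEGIT_HOST="raw.githubusercontent.com"
LEGIT_PATH="/Homebrew/install/HEAD/install.sh"

# First https URL in the text, or nothing. The copy button on the fake page
# hands the victim a one-liner like this, so this is what gets inspected.
extract_url() {
  printf '%s\n' "$1" | grep -oE 'https?://[^"'"'"' )]+' | head -n 1
}

# Exit 0 only if the one-liner fetches the real Homebrew install.sh;
# 1 if the host or path differs (the homabrews.org swap lands here);
# 2 if no URL could be found at all.
check_install_cmd() {
  url=$(extract_url "$1")
  [ -n "$url" ] || return 2
  host=$(printf '%s\n' "$url" | sed -E 's#^https?://([^/]+).*#\1#')
  path=$(printf '%s\n' "$url" | sed -E 's#^https?://[^/]+##')
  if [ "$host" = "$LEGIT_HOST" ] && [ "$path" = "$LEGIT_PATH" ]; then
    return 0
  fi
  return 1
}

# Count how many of the reported stage-one behaviours appear in a script
# body: dscl authonly password validation, the sudo-style "Sorry, try again"
# message, Base64 handling of the captured password, and the brew_agent
# second-stage name. The genuine install.sh asks for a password only via
# sudo, so a dscl authonly check has no legitimate place in an installer.
scan_script_body() {
  hits=0
  for pat in 'dscl[[:space:]]+\.[[:space:]]+-?authonly' \
             'Sorry, try again' 'base64' 'brew_agent'; do
    if printf '%s\n' "$1" | grep -qiE -- "$pat"; then
      hits=$((hits + 1))
    fi
  done
  echo "$hits"
}

# Print each plist under directory $1 that carries the reported persistence
# file name or references the brew_agent binary; exit 0 if any matched.
# Real directories to pass: "$HOME/Library/LaunchAgents", /Library/LaunchAgents.
find_suspicious_agents() {
  found=1
  for f in "$1"/*.plist; do
    [ -f "$f" ] || continue
    case "$(basename "$f")" in
      com.homebrew.brewupdater.plist) echo "$f"; found=0; continue ;;
    esac
    if grep -q 'brew_agent' "$f"; then
      echo "$f"; found=0
    fi
  done
  return $found
}

# Stand-alone use: sh triage.sh '<pasted one-liner>' [launchagents-dir]
if [ -n "$1" ]; then
  if check_install_cmd "$1"; then
    echo "install command points at the genuine Homebrew installer"
  else
    echo "WARNING: install command does not fetch the genuine Homebrew installer"
  fi
  find_suspicious_agents "${2:-$HOME/Library/LaunchAgents}" \
    || echo "no matching LaunchAgents found"
fi
```

The URL check is deliberately strict: it accepts only the exact host and path of the published Homebrew one-liner, so a lookalike host, an extra subdomain or a moved path all fail closed. For a live system, follow the plist hunt with launchctl list and look for the same label among the loaded agents, since a plist removed from disk can still be loaded.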

The malware includes several anti-analysis measures, among them a locale check that refuses to run on systems configured for Commonwealth of Independent States locales; the report lists Armenian, Belarusian, Kazakh, Russian, and Ukrainian.

Sensitive strings are stored XOR-obfuscated, with the key rotated by string index, so that plain string searches and static signatures do not match until the strings are decoded.

Credential harvesting loop showing password validation using macOS Directory Services (Source – Hunt.io)

Command-and-control traffic runs over HTTPS, with an X25519 elliptic-curve Diffie-Hellman exchange establishing the per-session encryption key.

Second-stage payload download showing Base64 encoding of stolen credentials (Source – Hunt.io)

Beyond stealing data, the malware functions as a remote access trojan: it can execute shell commands, reboot the system, self-destruct, and run exfiltration in dedicated threads that the operator can control.

It targets credentials from all major macOS browsers; cryptocurrency wallet browser extensions, including Coinbase Wallet and Phantom Wallet; macOS Keychain databases; Apple Notes; messaging applications such as Discord and Telegram; and more than 20 desktop cryptocurrency wallet applications.
